你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn

用于创建数据收集规则 (DCR) 的 API 请求的示例

本文介绍用于创建与 Azure Monitor 代理 (AMA) 结合使用的数据收集规则 (DCR) 和 DCR 关联关系 (DCRA) 的 API 请求和响应的一些示例。

Syslog/CEF

以下是关于使用 AMA 收集 Syslog 和 CEF 消息的 DCR 的示例。

Syslog/CEF DCR

以下是关于用于创建 DCR 的 API 请求和响应的示例。

Syslog/CEF DCR 创建请求 URL 和标头

示例:

PUT https://management.azure.com/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01?api-version=2022-06-01

Syslog/CEF DCR 创建请求正文

以下是 DCR 创建请求的示例。 对于每个数据源流(可以在一个 DCR 中具有多个)在节中添加"syslog""dataSources"一个新子节,并根据要引入的消息源设置字段的值"streams"

日志源 "streams" 字段值
Syslog "Microsoft-Syslog"
CEF "Microsoft-CommonSecurityLog"
Cisco ASA "Microsoft-CiscoAsa"

请参阅以下代码示例中的多个流部分的示例:

{
  "location": "centralus",
  "kind": "Linux",
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "name": "localsSyslog",
          "streams": [
            "Microsoft-Syslog"
          ],
          "facilityNames": [
            "auth",
            "local0",
            "local1",
            "local2",
            "local3",
            "syslog"
          ],
          "logLevels": [
            "Critical",
            "Alert",
            "Emergency"
          ]
        },
        {
          "name": "authprivSyslog",
          "streams": [
            "Microsoft-Syslog"
          ],
          "facilityNames": [
            "authpriv"
          ],
          "logLevels": [
            "Error",
            "Alert",
            "Critical",
            "Emergency"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.OperationalInsights/workspaces/Contoso",
          "workspaceId": "11111111-2222-3333-4444-555555555555",
          "name": "DataCollectionEvent"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Microsoft-Syslog"
        ],
        "destinations": [
          "DataCollectionEvent"
        ]
      }
    ]
  }
}

Syslog/CEF DCR 创建响应

以下是根据上述示例请求应该收到的响应:

  {
    "properties": {
      "immutableId": "dcr-0123456789abcdef0123456789abcdef",
      "dataSources": {
        "syslog": [
          {
            "streams": [
              "Microsoft-Syslog"
            ],
            "facilityNames": [
              "auth",
              "local0",
              "local1",
              "local2",
              "local3",
              "syslog"
            ],
            "logLevels": [
              "Critical",
              "Alert",
              "Emergency"
            ],
            "name": "localsSyslog"
          },
          {
            "streams": [
              "Microsoft-Syslog"
            ],
            "facilityNames": [
              "authpriv"
            ],
            "logLevels": [
              "Error",
              "Alert",
              "Critical",
              "Emergency"
            ],
            "name": "authprivSyslog"
          }
        ]
      },
      "destinations": {
        "logAnalytics": [
          {
            "workspaceResourceId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.OperationalInsights/workspaces/Contoso",
            "workspaceId": "11111111-2222-3333-4444-555555555555",
            "name": "DataCollectionEvent"
          }
        ]
      },
      "dataFlows": [
        {
          "streams": [
            "Microsoft-Syslog"
          ],
          "destinations": [
            "DataCollectionEvent"
          ]
        }
      ],
      "provisioningState": "Succeeded"
    },
    "location": "centralus",
    "kind": "Linux",
    "id": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01",
    "name": "Contoso-DCR-01",
    "type": "Microsoft.Insights/dataCollectionRules",
    "etag": "\"00000000-0000-0000-0000-000000000000\"",
    "systemData": {
    }
  }

Syslog/CEF DCRA

Syslog/CEF DCRA 创建请求 URL 和标头

PUT 
https://management.azure.com/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/LogForwarder-VM-1/providers/Microsoft.Insights/dataCollectionRuleAssociations/contoso-dcr-assoc?api-version=2022-06-01

Syslog/CEF DCRA 创建请求正文

{
  "properties": {
    "dataCollectionRuleId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01"
  }
}

Syslog/CEF DCRA 创建响应

{
    "properties": {
      "dataCollectionRuleId": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Insights/dataCollectionRules/Contoso-DCR-01"
    },
    "id": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/ContosoRG/providers/Microsoft.Compute/virtualMachines/LogForwarder-VM-1/providers/Microsoft.Insights/dataCollectionRuleAssociations/contoso-dcr-assoc",
    "name": "contoso-dcr-assoc",
    "type": "Microsoft.Insights/dataCollectionRuleAssociations",
    "etag": "\"00000000-0000-0000-0000-000000000000\"",
    "systemData": {
    }
  }

文本文件中的自定义日志

以下示例适用于使用 AMA 从文本文件中收集自定义日志的 DCR。

自定义文本日志 DCR

这些示例是用于创建 DCR 的 API 请求。

自定义文本记录 DCR 创建请求正文

下面是自定义日志文件的 DCR 创建请求的示例。 替换为 {PLACEHOLDER_VALUES} 实际值。

outputStream仅当转换更改流的架构时,才需要此参数。

{
    "type": "Microsoft.Insights/dataCollectionRules",
    "name": "{DCR_NAME}",
    "location": "{WORKSPACE_LOCATION}",
    "apiVersion": "2022-06-01",
    "properties": {
        "streamDeclarations": {
            "Custom-Text-{TABLE_NAME}": {
                "columns": [
                    {
                        "name": "TimeGenerated",
                        "type": "datetime"
                    },
                    {
                        "name": "RawData",
                        "type": "string"
                    },
                ]
            }
        },
        "dataSources": {
            "logFiles": [
                {
                    "streams": [ 
                        "Custom-Text-{TABLE_NAME}" 
                    ],
                    "filePatterns": [ 
                        "{LOCAL_PATH_FILE_1}","{LOCAL_PATH_FILE_2}" 
                    ],
                    "format": "text",
                    "name": "Custom-Text-{TABLE_NAME}"
                }
            ],
        },
        "destinations": {
            "logAnalytics": [
                {
                    "workspaceResourceId": "{WORKSPACE_RESOURCE_PATH}",
                    "workspaceId": "{WORKSPACE_ID}",
                    "name": "DataCollectionEvent"
                }
            ],
        },
        "dataFlows": [
            {
                "streams": [
                    "Custom-Text-{TABLE_NAME}" 
                ],
                "destinations": [ 
                    "DataCollectionEvent" 
                ],
                "transformKql": "source",
                "outputStream": "Custom-{TABLE_NAME}"
            }
        ]
    }
}

自定义文本记录 DCR 创建响应

{
    "properties": {
        "immutableId": "dcr-00112233445566778899aabbccddeeff",
        "dataCollectionEndpointId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionEndpoints/Microsoft-Sentinel-aaaabbbbccccddddeeeefff",
        "streamDeclarations": {
            "Custom-Text-ApacheHTTPServer_CL": {
                "columns": [
                    {
                        "name": "TimeGenerated",
                        "type": "datetime"
                    },
                    {
                        "name": "RawData",
                        "type": "string"
                    }
                ]
            }
        },
        "dataSources": {
            "logFiles": [
                {
                    "streams": [
                        "Custom-Text-ApacheHTTPServer_CL"
                    ],
                    "filePatterns": [
                        "C:\\Server\\bin\\log\\Apache24\\logs\\*.log"
                    ],
                    "format": "text",
                    "settings": {
                        "text": {
                            "recordStartTimestampFormat": "ISO 8601"
                        }
                    },
                    "name": "Custom-Text-ApacheHTTPServer_CL"
                }
            ]
        },
        "destinations": {
            "logAnalytics": [
                {
                    "workspaceResourceId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/contoso-rg-1/providers/Microsoft.OperationalInsights/workspaces/CyberSOC",
                    "workspaceId": "cccccccc-3333-4444-5555-dddddddddddd",
                    "name": "DataCollectionEvent"
                }
            ]
        },
        "dataFlows": [
            {
                "streams": [
                    "Custom-Text-ApacheHTTPServer_CL"
                ],
                "destinations": [
                    "DataCollectionEvent"
                ],
                "transformKql": "source",
                "outputStream": "Custom-ApacheHTTPServer_CL"
            }
        ],
        "provisioningState": "Succeeded"
    },
    "location": "centralus",
    "tags": {
        "createdBy": "Sentinel"
    },
    "id": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionRules/DCR-CustomLogs-01",
    "name": "DCR-CustomLogs-01",
    "type": "Microsoft.Insights/dataCollectionRules",
    "etag": "\"00000000-1111-2222-3333-444444444444\"",
    "systemData": {
        "createdBy": "gbarnes@contoso.com",
        "createdByType": "User",
        "createdAt": "2024-08-12T09:29:15.1083961Z",
        "lastModifiedBy": "gbarnes@contoso.com",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2024-08-12T09:29:15.1083961Z"
    }
}