Last active
February 10, 2024 22:47
-
-
Save jlaundry/a37c0d1d8929ad103517c3efff61f7a1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "dataCollectionRuleName": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Specifies the name of the Data Collection Rule to create." | |
| } | |
| }, | |
| "location": { | |
| "defaultValue": "[resourceGroup().location]", | |
| "type": "string", | |
| "metadata": { | |
| "description": "Specifies the location in which to create the Data Collection Rule." | |
| } | |
| }, | |
| "workspaceResourceId": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Specifies the Azure resource ID of the Log Analytics workspace to use." | |
| } | |
| }, | |
| "endpointResourceId": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Specifies the Azure resource ID of the Data Collection Endpoint to use." | |
| } | |
| } | |
| }, | |
| "resources": [ | |
| { | |
| "type": "Microsoft.Insights/dataCollectionRules", | |
| "apiVersion": "2021-09-01-preview", | |
| "name": "[parameters('dataCollectionRuleName')]", | |
| "location": "[parameters('location')]", | |
| "properties": { | |
| "dataCollectionEndpointId": "[parameters('endpointResourceId')]", | |
| "streamDeclarations": { | |
| "Custom-SyslogStream": { | |
| "columns": [ | |
| { | |
| "name": "TimeGenerated", | |
| "type": "datetime" | |
| }, | |
| { | |
| "name": "CommunicationDirection", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "Computer", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "DestinationIP", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "DestinationMACAddress", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "DestinationPort", | |
| "type": "int" | |
| }, | |
| { | |
| "name": "DeviceAction", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "DeviceCustomString1", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "DeviceInboundInterface", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "DeviceOutboundInterface", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "ProcessName", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "Protocol", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "ReceiptTime", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "ReceivedBytes", | |
| "type": "long" | |
| }, | |
| { | |
| "name": "SourceIP", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "SourceMACAddress", | |
| "type": "string" | |
| }, | |
| { | |
| "name": "SourcePort", | |
| "type": "int" | |
| }, | |
| { | |
| "name": "Message", | |
| "type": "string" | |
| } | |
| ] | |
| } | |
| }, | |
| "destinations": { | |
| "logAnalytics": [ | |
| { | |
| "workspaceResourceId": "[parameters('workspaceResourceId')]", | |
| "name": "clv2ws1" | |
| } | |
| ] | |
| }, | |
| "dataFlows": [ | |
| { | |
| "streams": [ | |
| "Custom-SyslogStream" | |
| ], | |
| "destinations": [ | |
| "clv2ws1" | |
| ], | |
| "transformKql": "source", | |
| "outputStream": "Microsoft-CommonSecurityLog" | |
| } | |
| ] | |
| } | |
| } | |
| ], | |
| "outputs": { | |
| "dataCollectionRuleId": { | |
| "type": "string", | |
| "value": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]" | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment