
Support data collection rule (Azure#331)
SenthuranSivananthan authored Aug 17, 2022
1 parent c2afa0d commit e069a4b
Showing 15 changed files with 800 additions and 2 deletions.
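--- a/azresources/monitor/dcr-azure-monitor-logs.bicep
+++ b/azresources/monitor/dcr-azure-monitor-logs.bicep
@@ -0,0 +1,46 @@
+@description('Location for the deployment.')
+param location string = resourceGroup().location
+
+@description('Name of the data collection rule')
+param name string
+
+@description('Windows Event Logs data source configuration.')
+param windowsEventLogs array
+
+@description('syslog data source configuration.')
+param syslog array
+
+@description('Log Analytics Workspace Id')
+param logAnalyticsWorkspaceId string
+
+resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
+name: name
+location: location
+properties: {
+dataSources: {
+windowsEventLogs: windowsEventLogs
+syslog: syslog
+}
+destinations: {
+logAnalytics: [
+{
+name: 'logAnalytics'
+workspaceResourceId: logAnalyticsWorkspaceId
+}
+]
+}
+dataFlows: [
+{
+streams: [
+'Microsoft-Event'
+'Microsoft-Syslog'
+]
+destinations: [
+'logAnalytics'
+]
+}
+]
+}
+}
+
+output dcrId string = dcr.id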
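Review bot: The data flow at L49-L59 always declares both the `Microsoft-Event` and `Microsoft-Syslog` streams, while the data sources that back them (L38-L39) are whatever the caller passes in, so a caller that supplies an empty array for one of them still produces a flow that names a stream with no source; whether the service accepts that is not visible here, so either derive the stream list from the non-empty inputs or state the contract on the parameters, e.g. `@description('Windows Event Logs data source configuration. Required: the rule always routes the Microsoft-Event stream, so at least one entry is expected.')` and the matching sentence on `syslog`. A comment above `dataFlows:` such as `// Both streams are always routed; keep this list in sync with the data sources above.` would make the coupling obvious to the next maintainer. The resource is declared against the `2021-09-01-preview` API version (L33); since a preview API can change shape or be retired under a security-relevant logging pipeline, record that choice in a comment and plan the move to the GA version of this resource type.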
56 changes: 56 additions & 0 deletions config/logging/CanadaESLZ-main/logging.parameters.json
Expand Up @@ -67,6 +67,62 @@
},
"logAnalyticsAutomationAccountName": {
"value": "automation-account"
},
"dataCollectionRule": {
"value": {
"enabled": true,
"name": "DCR-AzureMonitorLogs",
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Application!*[System[(Level=1 or Level=2 or Level=3)]]",
"Security!*[System[(band(Keywords,13510798882111488))]]",
"System!*[System[(Level=1 or Level=2 or Level=3)]]"
],
"name": "eventLogsDataSource"
}
],
"syslog": [
{
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"auth",
"authpriv",
"cron",
"daemon",
"mark",
"kern",
"local0",
"local1",
"local2",
"local3",
"local4",
"local5",
"local6",
"local7",
"lpr",
"mail",
"news",
"syslog",
"user",
"uucp"
],
"logLevels": [
"Warning",
"Error",
"Critical",
"Alert",
"Emergency"
],
"name": "sysLogsDataSource"
}
]
}
}
}
}
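Review bot: The syslog data source at L115-L121 collects only `Warning` and above, which for the `auth` and `authpriv` facilities drops the Notice/Info-level messages that sshd, PAM and sudo typically emit for logon and privilege-use events (successful and failed), so most Linux authentication activity will not reach the workspace even though the Windows side (L82) collects both audit success and audit failure. If that coverage is intended for Linux hosts, add `"Notice"` and `"Info"` to `logLevels`, weighing the extra ingestion volume against the detection gain. The constant `13510798882111488` in the Security query is 0x30000000000000, the bitwise OR of the Audit Success (0x20000000000000) and Audit Failure (0x10000000000000) keyword flags; JSON allows no comment, so explain it in docs/archetypes/logging.md, where this block is reproduced verbatim (as it is again in docs/onboarding/azure-devops-pipelines.md), and consider keeping a single canonical copy so the three do not drift.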
60 changes: 59 additions & 1 deletion docs/archetypes/logging.md
Expand Up @@ -37,7 +37,8 @@ Subscription can be moved to a target Management Group through Azure ARM Templat
| Microsoft Defender for Cloud | Configures security contact information (email and phone). |
| Subscription Role Assignments | Configures subscription scoped role assignments. Roles can be built-in or custom. |
| Subscription Budget | Configures monthly subscription budget with email notification. Budget is configured by default for 10 years and the amount. |
| Log Analytics | Configures Automation Account, Log Analytics Workspace and Log Analytics Solutions (AgentHealthAssessment, AntiMalware, AzureActivity, ChangeTracking, Security, SecurityInsights, ServiceMap, SQLAdvancedThreatProtection, SQLAssessment, SQLVulnerabilityAssessment, Updates, VMInsights). **SecurityInsights** solution pack will enable Microsoft Sentinel. |
| Log Analytics | Configures Automation Account, Log Analytics Workspace and Log Analytics Solutions (AgentHealthAssessment, AntiMalware, AzureActivity, ChangeTracking, Security, SecurityInsights, ServiceMap, SQLAdvancedThreatProtection, SQLAssessment, SQLVulnerabilityAssessment, Updates, VMInsights). **SecurityInsights** solution pack will enable Microsoft Sentinel. |
| Data Collection Rule | Configures one data collection rule with Windows Event Logs & syslog data sources. |
| Subscription Tags | A set of tags that are assigned to the subscription. |
| Resource Tags | A set of tags that are assigned to the resource group and resources. These tags must include all required tags as defined the Tag Governance policy. |

Expand Down Expand Up @@ -94,6 +95,7 @@ This example configures:
6. Resource Tags (aligned to the default tags defined in [Policies](../../policy/custom/definitions/policyset/Tags.parameters.json))
7. Automation Account
8. Log Analytics Workspace
9. Data Collection Rule

```json
{
Expand Down Expand Up @@ -171,6 +173,62 @@ This example configures:
},
"logAnalyticsAutomationAccountName": {
"value": "automation-account"
},
"dataCollectionRule": {
"value": {
"enabled": true,
"name": "DCR-AzureMonitorLogs",
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Application!*[System[(Level=1 or Level=2 or Level=3)]]",
"Security!*[System[(band(Keywords,13510798882111488))]]",
"System!*[System[(Level=1 or Level=2 or Level=3)]]"
],
"name": "eventLogsDataSource"
}
],
"syslog": [
{
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"auth",
"authpriv",
"cron",
"daemon",
"mark",
"kern",
"local0",
"local1",
"local2",
"local3",
"local4",
"local5",
"local6",
"local7",
"lpr",
"mail",
"news",
"syslog",
"user",
"uucp"
],
"logLevels": [
"Warning",
"Error",
"Critical",
"Alert",
"Emergency"
],
"name": "sysLogsDataSource"
}
]
}
}
}
}
Binary file modified docs/media/architecture/archetype-logging.jpg
112 changes: 112 additions & 0 deletions docs/onboarding/azure-devops-pipelines.md
Expand Up @@ -565,6 +565,62 @@ This role assignment is used to grant users access to the logging subscription b
},
"logAnalyticsAutomationAccountName": {
"value": "automation-account"
},
"dataCollectionRule": {
"value": {
"enabled": true,
"name": "DCR-AzureMonitorLogs",
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Application!*[System[(Level=1 or Level=2 or Level=3)]]",
"Security!*[System[(band(Keywords,13510798882111488))]]",
"System!*[System[(Level=1 or Level=2 or Level=3)]]"
],
"name": "eventLogsDataSource"
}
],
"syslog": [
{
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"auth",
"authpriv",
"cron",
"daemon",
"mark",
"kern",
"local0",
"local1",
"local2",
"local3",
"local4",
"local5",
"local6",
"local7",
"lpr",
"mail",
"news",
"syslog",
"user",
"uucp"
],
"logLevels": [
"Warning",
"Error",
"Critical",
"Alert",
"Emergency"
],
"name": "sysLogsDataSource"
}
]
}
}
}
}
Expand Down Expand Up @@ -1683,6 +1739,62 @@ Migration process:
},
"logAnalyticsAutomationAccountName": {
"value": "< value from var-logging-logAnalyticsAutomationAccountName >"
},
"dataCollectionRule": {
"value": {
"enabled": true,
"name": "DCR-AzureMonitorLogs",
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Application!*[System[(Level=1 or Level=2 or Level=3)]]",
"Security!*[System[(band(Keywords,13510798882111488))]]",
"System!*[System[(Level=1 or Level=2 or Level=3)]]"
],
"name": "eventLogsDataSource"
}
],
"syslog": [
{
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"auth",
"authpriv",
"cron",
"daemon",
"mark",
"kern",
"local0",
"local1",
"local2",
"local3",
"local4",
"local5",
"local6",
"local7",
"lpr",
"mail",
"news",
"syslog",
"user",
"uucp"
],
"logLevels": [
"Warning",
"Error",
"Critical",
"Alert",
"Emergency"
],
"name": "sysLogsDataSource"
}
]
}
}
}
}
Binary file modified docs/visio/05 - Archetypes.vsdx
18 changes: 18 additions & 0 deletions landingzones/lz-platform-logging/main.bicep
Expand Up @@ -189,6 +189,9 @@ param logAnalyticsAutomationAccountName string
@description('Log Analytics Workspace Data Retention in days.')
param logAnalyticsRetentionInDays int

@description('Data Collection Rule configuration.')
param dataCollectionRule object

@description('Flag to determine whether delete lock should be created on resource group(s). Default: true')
param enableDeleteLockOnResourceGroup bool = true

Expand Down Expand Up @@ -227,6 +230,21 @@ module logAnalytics '../../azresources/monitor/log-analytics.bicep' = {
}
}

// Create Data Collection Rule
module dcr '../../azresources/monitor/dcr-azure-monitor-logs.bicep' = if (dataCollectionRule.enabled) {
name: 'deploy-dcr'
scope: rgLogging
params: {
location: location

name: dataCollectionRule.name
windowsEventLogs: dataCollectionRule.windowsEventLogs
syslog: dataCollectionRule.syslog

logAnalyticsWorkspaceId: logAnalytics.outputs.workspaceResourceId
}
}

/*
Scaffold the subscription which includes:
* Microsoft Defender for Cloud - Enable Azure Defender (all available options)
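Review bot: `param dataCollectionRule object` (L356) is read unconditionally as `dataCollectionRule.enabled` in the module condition (L366) and then for `.name`, `.windowsEventLogs` and `.syslog` (L372-L374), yet its description names none of these keys, so a parameter file that omits one fails only at deployment time with a property-lookup error. Document the contract on the parameter: `@description('Data Collection Rule configuration. Object with keys: enabled (bool), name (string), windowsEventLogs (array), syslog (array).')`. A default such as `param dataCollectionRule object = { enabled: false }` would also let parameter files that predate this commit keep deploying without the new section, if opting in rather than failing is the intended rollout; the note above the module should say which. The `logAnalytics` module whose closing braces open the second hunk starts outside it.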