Azure Logs
Synopsis
Creates an Azure Logs client that queries Log Analytics workspaces using Kusto Query Language (KQL). Collects log data from specified tables with configurable batch sizes and collection frequencies.
Schema
```yaml
- id: <numeric>
  name: <string>
  description: <string>
  type: azlogs
  tags: <string[]>
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    tenant_id: <string>
    client_id: <string>
    client_secret: <string>
    workspace_id: <string>
    stream: <string[]>
    batch_size: <numeric>
    event_frequency: <numeric>
```
Configuration
The following fields are used to define the device.
Device
| Field | Required | Default | Description |
|---|---|---|---|
| id | Y | - | Unique identifier |
| name | Y | - | Device name |
| description | N | - | Optional description |
| type | Y | - | Must be `azlogs` |
| tags | N | - | Optional tags |
| pipelines | N | - | Optional pre-processor pipelines |
| status | N | true | Enable/disable the device |
Authentication
| Field | Required | Default | Description |
|---|---|---|---|
| tenant_id | Y | - | Azure tenant ID |
| client_id | Y | - | Azure client ID |
| client_secret | Y | - | Azure client secret |
| workspace_id | Y | - | Log Analytics workspace ID |
Events
| Field | Required | Default | Description |
|---|---|---|---|
| stream | Y | - | Array of Log Analytics queries (KQL) to collect |
| batch_size | N | 1000 | Number of log entries to collect per batch |
| event_frequency | N | 300 | Collection frequency in seconds |
Examples
The following are commonly used configuration types.
Basic
The minimum required configuration:
Creating a basic collector:
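The configuration below is an added example, not code from the original page or from the product itself. It sets only the fields the tables above mark as required. Every value is a placeholder: the credentials and workspace ID are not real, and the device name and the `SecurityEvent` stream entry are assumptions (in KQL a bare table name is a valid query that returns the whole table, so it is used here as the simplest possible stream).

```yaml
# Added example (not from the original page). All values are placeholders.
- id: 1
  name: azure_logs_basic           # assumed device name
  type: azlogs                     # must be azlogs
  properties:
    tenant_id: "<your-tenant-id>"          # placeholder, Azure AD tenant
    client_id: "<your-client-id>"          # placeholder, app registration client ID
    client_secret: "<your-client-secret>"  # placeholder, never commit a real secret
    workspace_id: "<your-workspace-id>"    # placeholder, Log Analytics workspace ID
    stream:
      - "SecurityEvent"                    # assumed table; a bare table name is a complete KQL query
```

With `batch_size` and `event_frequency` omitted, the collector falls back to the defaults listed above (1000 entries per batch, one collection every 300 seconds). Because `client_secret` is read in clear text from this file, restrict read access on it to the account that runs the collector.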
Multiple Streams
The collector can consume multiple log types with pre-processing:
Specifying multiple log streams:
The security_events pipeline can be used to process and enrich security-related log entries before ingestion.
High Volumes
Performance can be enhanced for high log volumes:
Optimizing for high volumes:
Large batch sizes may impact memory usage and processing time. Monitor system resources and adjust accordingly.
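The configuration below is an added example, not code from the original page or from the product, and it covers both the multiple-stream case and the high-volume tuning described in the two sections above. The `security_events` pipeline name comes from the page; it is assumed here that `pipelines` takes a list of pipeline names. The table names and the KQL filter in the stream list are assumptions chosen to show that a stream entry can be a full query, not only a table name. Credentials and the workspace ID are placeholders.

```yaml
# Added example (not from the original page). All values are placeholders.
- id: 2
  name: azure_logs_high_volume     # assumed device name
  type: azlogs
  tags:
    - production                   # assumed tag
  pipelines:
    - security_events              # pipeline named on the page; assumed to be referenced by name
  properties:
    tenant_id: "<your-tenant-id>"          # placeholder
    client_id: "<your-client-id>"          # placeholder
    client_secret: "<your-client-secret>"  # placeholder, never commit a real secret
    workspace_id: "<your-workspace-id>"    # placeholder
    stream:
      # Assumed tables. A stream entry is a KQL query, so it may carry a
      # filter; this one narrows SecurityEvent to logon success/failure events.
      - "SecurityEvent | where EventID in (4624, 4625)"
      - "SigninLogs"
      - "AuditLogs"
    batch_size: 5000        # larger batches: fewer workspace queries, more memory per batch
    event_frequency: 60     # shorter interval: lower ingestion latency, more frequent queries
```

The two tuning knobs pull in opposite directions: raising `batch_size` reduces how often the collector has to query the workspace but holds more entries in memory at once, while lowering `event_frequency` reduces latency at the cost of more frequent queries. Narrowing a stream with a `where` clause, as in the first entry, cuts volume at the source and is usually the cheapest optimization available.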