---
title: Use PowerShell to Create and Configure a Log Analytics Workspace | Microsoft Docs
description: Log Analytics uses data from servers in your on-premises or cloud infrastructure. You can collect machine data from Azure storage when generated by Azure diagnostics.
services: log-analytics
author: richrundmsft
manager: jochan
ms.assetid: 3b9b7ade-3374-4596-afb1-51b695f481c2
ms.service: log-analytics
ms.workload: na
ms.tgt_pltfrm: na
ms.devlang: powershell
ms.topic: article
ms.date: 11/21/2016
ms.author: richrund
---
You can use the Log Analytics PowerShell cmdlets to perform various functions in Log Analytics from a command line or as part of a script. Examples of the tasks you can perform with PowerShell include:
- Create a workspace
- Add or remove a solution
- Import and export saved searches
- Create a computer group
- Enable collection of IIS logs from computers with the Windows agent installed
- Collect performance counters from Linux and Windows computers
- Collect events from syslog on Linux computers
- Collect events from Windows event logs
- Collect custom event logs
- Add the Log Analytics agent to an Azure virtual machine
- Configure Log Analytics to index data collected using Azure diagnostics
This article provides code samples that illustrate some of the functions you can perform from PowerShell. Refer to the Log Analytics PowerShell cmdlet reference for the other functions.
Note: Log Analytics was previously called Operational Insights, which is why that name is used in the cmdlets and in the module name (AzureRm.OperationalInsights). These examples work with version 2.3.0 or later of the AzureRm.OperationalInsights module.
The following script sample illustrates how to:
- Create a workspace
- List the available solutions
- Add solutions to the workspace
- Import saved searches
- Export saved searches
- Create a computer group
- Enable collection of IIS logs from computers with the Windows agent installed
- Collect Logical Disk perf counters from Linux computers (% Used Inodes; Free Megabytes; % Used Space; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec)
- Collect syslog events from Linux computers
- Collect Error and Warning events from the Application Event Log from Windows computers
- Collect Memory Available Mbytes performance counter from Windows computers
- Collect a custom log
```powershell
$ResourceGroup = "oms-example"
$WorkspaceName = "log-analytics-" + (Get-Random -Maximum 99999) # workspace names need to be unique - Get-Random helps with this for the example code
$Location = "westeurope"

# List of solutions to enable
$Solutions = "Security", "Updates", "SQLAssessment"

# Saved Searches to import
$ExportedSearches = @"
[
    {
        "Category": "My Saved Searches",
        "DisplayName": "WAD Events (All)",
        "Query": "Type=Event SourceSystem:AzureStorage ",
        "Version": 1
    },
    {
        "Category": "My Saved Searches",
        "DisplayName": "Current Disk Queue Length",
        "Query": "Type=Perf ObjectName=LogicalDisk InstanceName=\"C:\" CounterName=\"Current Disk Queue Length\"",
        "Version": 1
    }
]
"@ | ConvertFrom-Json

# Custom Log to collect
$CustomLog = @"
{
    "customLogName": "sampleCustomLog1",
    "description": "Example custom log datasource",
    "inputs": [
        {
            "location": {
                "fileSystemLocations": {
                    "windowsFileTypeLogPaths": [ "e:\\iis5\\*.log" ],
                    "linuxFileTypeLogPaths": [ "/var/logs" ]
                }
            },
            "recordDelimiter": {
                "regexDelimiter": {
                    "pattern": "\\n",
                    "matchIndex": 0,
                    "matchIndexSpecified": true,
                    "numberedGroup": null
                }
            }
        }
    ],
    "extractions": [
        {
            "extractionName": "TimeGenerated",
            "extractionType": "DateTime",
            "extractionProperties": {
                "dateTimeExtraction": {
                    "regex": null,
                    "joinStringRegex": null
                }
            }
        }
    ]
}
"@

# Create the resource group if needed
try {
    Get-AzureRmResourceGroup -Name $ResourceGroup -ErrorAction Stop
} catch {
    New-AzureRmResourceGroup -Name $ResourceGroup -Location $Location
}

# Create the workspace
New-AzureRmOperationalInsightsWorkspace -Location $Location -Name $WorkspaceName -Sku Standard -ResourceGroupName $ResourceGroup

# List all solutions and their installation status
Get-AzureRmOperationalInsightsIntelligencePacks -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName

# Add solutions
foreach ($solution in $Solutions) {
    Set-AzureRmOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -IntelligencePackName $solution -Enabled $true
}

# List enabled solutions
(Get-AzureRmOperationalInsightsIntelligencePacks -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Where({($_.enabled -eq $true)})

# Import Saved Searches
foreach ($search in $ExportedSearches) {
    $id = $search.Category + "|" + $search.DisplayName
    New-AzureRmOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version
}

# Export Saved Searches
(Get-AzureRmOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | ConvertTo-Json

# Create Computer Group based on a query
New-AzureRmOperationalInsightsComputerGroup -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId "My Web Servers" -DisplayName "Web Servers" -Category "My Saved Searches" -Query "Computer=""web*"" | distinct Computer" -Version 1

# Create a computer group based on names (up to 5000)
$computerGroup = """servername1.contoso.com"",""servername2.contoso.com"",""servername3.contoso.com"",""servername4.contoso.com"""
New-AzureRmOperationalInsightsComputerGroup -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId "My Named Servers" -DisplayName "Named Servers" -Category "My Saved Searches" -Query $computerGroup -Version 1

# Enable IIS Log Collection using agent
Enable-AzureRmOperationalInsightsIISLogCollection -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName

# Linux Perf: define the counters, then turn on Linux performance collection for the workspace
New-AzureRmOperationalInsightsLinuxPerformanceObjectDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -ObjectName "Logical Disk" -InstanceName "*" -CounterNames @("% Used Inodes", "Free Megabytes", "% Used Space", "Disk Transfers/sec", "Disk Reads/sec", "Disk Writes/sec") -IntervalSeconds 20 -Name "Example Linux Disk Performance Counters"
Enable-AzureRmOperationalInsightsLinuxPerformanceCollection -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName

# Linux Syslog: define the facility and severities, then turn on syslog collection for the workspace
New-AzureRmOperationalInsightsLinuxSyslogDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -Facility "kern" -CollectEmergency -CollectAlert -CollectCritical -CollectError -CollectWarning -Name "Example kernel syslog collection"
Enable-AzureRmOperationalInsightsLinuxSyslogCollection -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName

# Windows Event
New-AzureRmOperationalInsightsWindowsEventDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -EventLogName "Application" -CollectErrors -CollectWarnings -Name "Example Application Event Log"

# Windows Perf
New-AzureRmOperationalInsightsWindowsPerformanceCounterDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -ObjectName "Memory" -InstanceName "*" -CounterName "Available MBytes" -IntervalSeconds 20 -Name "Example Windows Performance Counter"

# Custom Logs: define the data source, then turn on custom log collection from Linux computers for the workspace
New-AzureRmOperationalInsightsCustomLogDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -CustomLogRawJson "$CustomLog" -Name "Example Custom Log Collection"
Enable-AzureRmOperationalInsightsLinuxCustomLogCollection -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName
```
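The introduction lists adding the Log Analytics agent to an Azure virtual machine, but the script above stops at configuring the workspace. The following is an added example, not code from the original page, that onboards an existing VM with the monitoring agent VM extension using the `$ResourceGroup` and `$WorkspaceName` variables from the script. The VM name and resource group, and the `TypeHandlerVersion` values, are assumptions for this example. The security point it shows: the workspace ID is public information, but the workspace shared key is the agent's credential and lets whoever holds it post arbitrary records into the workspace, so it belongs in `ProtectedSettings` (which Azure encrypts), never in `Settings`.

```powershell
# Added example (not from the original page): install the Log Analytics agent on an existing
# Azure VM with the VM extension, using the workspace created by the script above.
# $VMResourceGroup, $VMName and the handler versions are assumptions for this example.
$VMResourceGroup = "oms-example"
$VMName          = "web01"

$workspace = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$keys      = Get-AzureRmOperationalInsightsWorkspaceSharedKeys -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$vm        = Get-AzureRmVM -ResourceGroupName $VMResourceGroup -Name $VMName

# The workspace ID (CustomerId) is not secret. The shared key is the agent's credential:
# anyone holding it can push data into the workspace, so it only ever goes in ProtectedSettings,
# which the platform stores encrypted; Settings is stored in clear text in the VM model.
$publicSettings    = @{ workspaceId  = $workspace.CustomerId.ToString() }
$protectedSettings = @{ workspaceKey = $keys.PrimarySharedKey }

# Same publisher for both platforms; the extension type and handler version differ.
if ($vm.StorageProfile.OsDisk.OsType -eq "Windows") {
    $extensionType  = "MicrosoftMonitoringAgent"
    $handlerVersion = "1.0"   # assumed version for this example
} else {
    $extensionType  = "OmsAgentForLinux"
    $handlerVersion = "1.4"   # assumed version for this example
}

Set-AzureRmVMExtension -ResourceGroupName $VMResourceGroup -VMName $VMName -Location $vm.Location `
    -Name $extensionType -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
    -ExtensionType $extensionType -TypeHandlerVersion $handlerVersion `
    -Settings $publicSettings -ProtectedSettings $protectedSettings

# Confirm the extension actually provisioned before relying on data from this machine.
$state = (Get-AzureRmVMExtension -ResourceGroupName $VMResourceGroup -VMName $VMName -Name $extensionType).ProvisioningState
if ($state -ne "Succeeded") {
    Write-Warning "Agent extension on $VMName is in state '$state'; no data will arrive until it succeeds."
}
```

If the shared key is ever exposed (committed to source control, left in a deployment log), regenerate it and redeploy the extension with the new value; the old key keeps working until it is regenerated.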
For agentless monitoring of Azure resources, the resources need to have Azure diagnostics enabled and configured to write to a Log Analytics workspace. This approach sends data directly to Log Analytics and does not require data to be written to a storage account. Supported resources include:
Resource Type | Logs | Metrics |
---|---|---|
Application Gateways | Yes | Yes |
Automation accounts | Yes | |
Batch accounts | Yes | Yes |
Data Lake analytics | Yes | |
Data Lake store | Yes | |
Elastic SQL Pool | Yes | |
Event Hub namespace | Yes | |
IoT Hubs | Yes | |
Key Vault | Yes | |
Load Balancers | Yes | |
Logic Apps | Yes | Yes |
Network Security Groups | Yes | |
Redis Cache | Yes | |
Search services | Yes | Yes |
Service Bus namespace | Yes | |
SQL (v12) | Yes | |
Web Sites | Yes | |
Web Server farms | Yes | |
For the details of the available metrics, refer to supported metrics with Azure Monitor.
For the details of the available logs, refer to supported services and schema for diagnostic logs.
```powershell
# Resource ID of the workspace that receives the data
$workspaceId = "/subscriptions/d2e37fee-1234-40b2-5678-0b2199de3b50/resourcegroups/oi-default-east-us/providers/microsoft.operationalinsights/workspaces/rollingbaskets"
# Resource ID of the resource whose diagnostics are collected (here, a network security group)
$resourceId = "/SUBSCRIPTIONS/ec11ca60-1234-491e-5678-0ea07feae25c/RESOURCEGROUPS/DEMO/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DEMO"
# Send the resource's diagnostic logs and metrics straight to the workspace, without a storage account
Set-AzureRmDiagnosticSetting -ResourceId $resourceId -WorkspaceId $workspaceId -Enabled $true
```
You can also use the preceding cmdlet to collect logs from resources in other subscriptions. The cmdlet works across subscriptions because you supply the full resource ID of both the resource that produces the logs and the workspace that receives them, and the two IDs can belong to different subscriptions.
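Enabling diagnostics one resource at a time, as above, leaves no record of which resources are not sending anything. The following is an added example, not code from the original page, that walks every Key Vault in the current subscription (Key Vault is in the supported-resources table), checks whether its `AuditEvent` log already flows to the workspace, enables it where it does not, and reports the vaults that were silent. The `$workspaceId` value is the placeholder from the snippet above; the `WorkspaceId`, `Logs`, `Category` and `Enabled` properties are read from the object returned by `Get-AzureRmDiagnosticSetting`, and the `-Categories` parameter of `Set-AzureRmDiagnosticSetting` limits the setting to the named log category.

```powershell
# Added example (not from the original page): make sure every Key Vault in the subscription sends
# its AuditEvent log to the workspace, and report the ones that did not before this run.
# $workspaceId reuses the placeholder workspace resource ID from the snippet above.
$workspaceId = "/subscriptions/d2e37fee-1234-40b2-5678-0b2199de3b50/resourcegroups/oi-default-east-us/providers/microsoft.operationalinsights/workspaces/rollingbaskets"

# Enumerate the subscription once and filter by type, so this works on any AzureRm.Resources version.
$vaults  = Get-AzureRmResource | Where-Object { $_.ResourceType -eq "Microsoft.KeyVault/vaults" }
$missing = @()

foreach ($vault in $vaults) {
    # A resource with no diagnostic setting at all makes the cmdlet error; treat that as "not configured".
    $setting = Get-AzureRmDiagnosticSetting -ResourceId $vault.ResourceId -ErrorAction SilentlyContinue

    # Configured only if it points at our workspace AND the AuditEvent category is actually enabled.
    $auditOn = $setting -and
               ($setting.WorkspaceId -eq $workspaceId) -and
               ($setting.Logs | Where-Object { $_.Category -eq "AuditEvent" -and $_.Enabled })

    if (-not $auditOn) {
        $missing += $vault.ResourceId
        Set-AzureRmDiagnosticSetting -ResourceId $vault.ResourceId -WorkspaceId $workspaceId -Enabled $true -Categories AuditEvent
    }
}

# A vault that was not logging has no audit trail for the period before this run:
# treat the list as a finding to follow up, not only as configuration drift that is now fixed.
if ($missing.Count -gt 0) {
    Write-Warning ("Enabled Key Vault audit logging on {0} vault(s) that were not sending to the workspace:" -f $missing.Count)
    $missing
} else {
    "All {0} Key Vault(s) already send AuditEvent to the workspace." -f $vaults.Count
}
```

The same loop applies to any resource type in the table above; for network security groups, for example, filter on `Microsoft.Network/networkSecurityGroups` and check the categories that resource type exposes instead of `AuditEvent`.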
To collect log data from within a running instance of a classic cloud service or a service fabric cluster, you need to first write the data to Azure storage. Log Analytics is then configured to collect the logs from the storage account. Supported resources include:
- Classic cloud services (web and worker roles)
- Service fabric clusters
The following example shows how to:
- List the existing storage accounts and locations that Log Analytics will index data from
- Create a configuration to read from a storage account
- Update the newly created configuration to index data from additional locations
- Delete the newly created configuration
```powershell
# validTables = "WADWindowsEventLogsTable", "LinuxsyslogVer2v0", "WADServiceFabric*EventTable", "WADETWEventTable"
$workspace = (Get-AzureRmOperationalInsightsWorkspace).Where({$_.Name -eq "your workspace name"})

# Update these two lines with the resource ID and an access key of the storage account you want Log Analytics to read from.
# The key value here is a placeholder; do not commit a real storage account key to source control.
$storageId = "/subscriptions/ec11ca60-1234-491e-5678-0ea07feae25c/resourceGroups/demo/providers/Microsoft.Storage/storageAccounts/wadv2storage"
$key = "abcd=="

# List existing insights
Get-AzureRmOperationalInsightsStorageInsight -ResourceGroupName $workspace.ResourceGroupName -WorkspaceName $workspace.Name

# Create a new insight
New-AzureRmOperationalInsightsStorageInsight -ResourceGroupName $workspace.ResourceGroupName -WorkspaceName $workspace.Name -Name "newinsight" -StorageAccountResourceId $storageId -StorageAccountKey $key -Tables @("WADWindowsEventLogsTable") -Containers @("wad-iis-logfiles")

# Update existing insight
Set-AzureRmOperationalInsightsStorageInsight -ResourceGroupName $workspace.ResourceGroupName -WorkspaceName $workspace.Name -Name "newinsight" -Tables @("WADWindowsEventLogsTable", "WADETWEventTable") -Containers @("wad-iis-logfiles")

# Remove the insight
Remove-AzureRmOperationalInsightsStorageInsight -ResourceGroupName $workspace.ResourceGroupName -WorkspaceName $workspace.Name -Name "newinsight"
```
You can also use the preceding script to collect logs from storage accounts in other subscriptions, because the storage account resource ID and a matching access key are supplied explicitly. When that access key is rotated, the storage insight must be updated with the new key or collection stops.
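Because the storage insight holds a copy of the storage account key, two practical questions follow from the note above: how to avoid putting the key in the script at all, and how to rotate the key without a gap in collection. The following is an added example, not code from the original page, showing both. It reads the key with `Get-AzureRmStorageAccountKey` instead of a literal, then performs a two-key rotation: regenerate the key the insight is not using, move the insight to it, and only then regenerate the key that was in use. The resource group and account names are assumptions; the `KeyName`/`Value` shape of the key objects is the one returned by AzureRm.Storage 1.1 and later.

```powershell
# Added example (not from the original page): create a storage insight without a hard-coded key,
# then rotate the storage account key without interrupting collection.
# All names below are assumptions for this example.
$workspaceRg   = "oi-default-east-us"
$workspaceName = "rollingbaskets"
$storageRg     = "demo"
$storageName   = "wadv2storage"
$insightName   = "newinsight"

$storageId = (Get-AzureRmStorageAccount -ResourceGroupName $storageRg -Name $storageName).Id

# Read a named key from the storage account. Assumes the AzureRm.Storage 1.1+ output shape,
# where each entry has KeyName ("key1"/"key2") and Value.
function Get-StorageKeyValue([string]$KeyName) {
    (Get-AzureRmStorageAccountKey -ResourceGroupName $storageRg -Name $storageName |
        Where-Object { $_.KeyName -eq $KeyName }).Value
}

# 1. Create the insight with key1, fetched at run time rather than pasted into the script.
New-AzureRmOperationalInsightsStorageInsight -ResourceGroupName $workspaceRg -WorkspaceName $workspaceName `
    -Name $insightName -StorageAccountResourceId $storageId -StorageAccountKey (Get-StorageKeyValue "key1") `
    -Tables @("WADWindowsEventLogsTable") -Containers @("wad-iis-logfiles")

# 2. Rotation without a gap. The insight is on key1, so key2 is free to regenerate first.
New-AzureRmStorageAccountKey -ResourceGroupName $storageRg -Name $storageName -KeyName key2 | Out-Null

# 3. Move the insight onto the fresh key2 while key1 is still valid, so collection never fails auth.
Set-AzureRmOperationalInsightsStorageInsight -ResourceGroupName $workspaceRg -WorkspaceName $workspaceName `
    -Name $insightName -StorageAccountKey (Get-StorageKeyValue "key2")

# 4. Now invalidate the old key1 that the insight (and anything that copied it) was using.
New-AzureRmStorageAccountKey -ResourceGroupName $storageRg -Name $storageName -KeyName key1 | Out-Null
```

On the next rotation the roles swap: regenerate key1, move the insight to it, then regenerate key2. Anything else that used the retired key (diagnostics extensions writing to the account, other insights) has to be updated in the same window, or it loses access when step 4 runs.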
- Review Log Analytics PowerShell cmdlets for additional information on using PowerShell for configuration of Log Analytics.