| title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author | ms.component |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Configure data sources in Azure Log Analytics | Microsoft Docs |
Data sources define the data that Log Analytics collects from agents and other connected sources. This article describes the concept of how Log Analytics uses data sources, explains the details of how to configure them, and provides a summary of the different data sources available. |
log-analytics |
bwren |
carmonm |
tysonn |
67710115-c861-40f8-a377-57c7fa6909b4 |
log-analytics |
na |
conceptual |
na |
infrastructure-services |
06/26/2018 |
bwren |
Log Analytics collects data from your Connected Sources and stores it in your Log Analytics workspace. The data that is collected from each is defined by the Data Sources that you configure. Data in Log Analytics is stored as a set of records. Each data source creates records of a particular type with each type having its own set of properties.
Data Sources are different than management solutions, which also collect data from Connected Sources and create records in Log Analytics. In addition to collecting data, solutions typically include log searches and views to help you analyze the operation of a particular application or service.
The following table lists the data sources that are currently available in Log Analytics. Each has a link to a separate article providing detail for that data source. It also provides information on their method and frequency of data collection into Log Analytics. You can use the information in this article to identify the different solutions available and to understand the data flow and connection requirements for different management solutions. For explanations of the columns, see Data collection details for management solutions in Azure.
| Data source | Platform | Microsoft monitoring agent | Operations Manager agent | Azure storage | Operations Manager required? | Operations Manager agent data sent via management group | Collection frequency | | --- | --- | --- | --- | --- | --- | --- | --- | --- | | Custom logs | Windows |• | | | | | on arrival | | Custom logs | Linux |• | | | | | on arrival | | IIS logs | Windows |• |• |• | | |depends on Log File Rollover setting | | Performance counters | Windows |• |• | | | |as scheduled, minimum of 10 seconds | | Performance counters | Linux |• | | | | |as scheduled, minimum of 10 seconds | | Syslog | Linux |• | | | | |from Azure storage: 10 minutes; from agent: on arrival | | Windows Event logs |Windows |• |• |• | |• | on arrival |
You configure data sources from the Data menu in Log Analytics Advanced Settings. Any configuration is delivered to all connected sources in your workspace. You cannot currently exclude any agents from this configuration.
- In the Azure portal, select Log Analytics > your workspace > Advanced Settings.
- Select Data.
- Click on the data source you want to configure.
- Follow the link to the documentation for each data source in the above table for details on their configuration.
Data source configurations are delivered to agents that are directly connected to Log Analytics within a few minutes. The specified data is collected from the agent and delivered directly to Log Analytics at intervals specific to each data source. See the documentation for each data source for these specifics.
For System Center Operations Manager agents in a connected management group, data source configurations are translated into management packs and delivered to the management group every 5 minutes by default. The agent downloads the management pack like any other and collects the specified data. Depending on the data source, the data will be either sent to a management server which forwards the data to the Log Analytics, or the agent will send the data to Log Analytics without going through the management server. See Data collection details for management solutions in Azure for details. You can read about details of connecting Operations Manager and Log Analytics and modifying the frequency that configuration is delivered at Configure Integration with System Center Operations Manager.
If the agent is unable to connect to Log Analytics or Operations Manager, it will continue to collect data that it will deliver when it establishes a connection. Data can be lost if the amount of data reaches the maximum cache size for the client, or if the agent is not able to establish a connection within 24 hours.
All data collected by Log Analytics is stored in the workspace as records. Records collected by different data sources will have their own set of properties and be identified by their Type property. See the documentation for each data source and solution for details on each record type.
- Learn about solutions that add functionality to Log Analytics and also collect data into the workspace.
- Learn about log searches to analyze the data collected from data sources and solutions.
- Configure alerts to proactively notify you of critical data collected from data sources and solutions.