Have you encountered a scenario where you need to create a custom table in Log Analytics (or Sentinel) to collect custom logs? One of the key steps in this process is setting the 'Schema and Transformation,' which requires uploading sample logs in JSON format.
The issue is that we might not have the sample logs in JSON format.
As a workaround, you can create the custom table from the command line by following the steps in the Microsoft Learn article "Add or delete tables and columns in Azure Monitor Logs - Azure Monitor".
Run the following commands (Azure PowerShell's Az module, since Invoke-AzRestMethod is an Az cmdlet) to create the custom table. Fill in the {subscription}, {resourcegroup} and {workspace} placeholders with your own values first:
# Table schema: a timestamp column plus one column holding the raw log line.
$tableParams = @'
{
  "properties": {
    "schema": {
      "name": "MyTable_CL",
      "columns": [
        { "name": "TimeGenerated", "type": "DateTime" },
        { "name": "RawData",       "type": "String" }
      ]
    }
  }
}
'@

# PUT the schema to the Tables API of the workspace; the table name in the path must match the schema name.
Invoke-AzRestMethod -Path "/subscriptions/{subscription}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspace}/tables/MyTable_CL?api-version=2021-12-01-preview" -Method PUT -Payload $tableParams
Once these commands have run, the custom table appears in the Log Analytics workspace.
Now go to Monitor and create a Data Collection Rule (DCR) for collecting the custom logs.
In the data source, choose 'Custom Text Logs'.
Under file pattern, define the comma-separated list of file patterns, in the form C:\DirectoryName\*.log
Under table name, enter the name of the table that already exists in the Log Analytics workspace and that will store these logs, i.e. the table created above with the Azure PowerShell commands.
Once done, specify the destination. These steps will collect the custom logs from the devices.
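The two halves of the procedure above (creating the table, then creating a DCR whose stream matches it) can be scripted end to end so that the table schema and the DCR stream declaration are generated from one column list and cannot drift apart. The script below is an added example, not code from the original post or from Microsoft; all values in angle brackets are placeholders, the DCR name, region and data source name are assumed, and the DCR body follows the Microsoft.Insights dataCollectionRules 2022-06-01 schema as I understand it (custom text logs require an existing Data Collection Endpoint). The transformKql field is where a defender would drop or mask sensitive fields before they reach the workspace; "source" passes records through unchanged.

```powershell
# Added example (not from the original post): create the custom table and a
# matching DCR with Invoke-AzRestMethod. Requires the Az module and an active
# Connect-AzAccount session. Every <...> value is a placeholder to replace.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$workspaceName  = "<workspace-name>"
$dceName        = "<data-collection-endpoint>"   # must already exist
$dcrName        = "dcr-mytable-cl"               # assumed DCR name
$location       = "eastus"                       # assumed region; match the workspace/DCE
$tableName      = "MyTable_CL"
$streamName     = "Custom-$tableName"            # custom streams carry the Custom- prefix

$tablesApi = "2021-12-01-preview"
$dcrApi    = "2022-06-01"
$wsPath  = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.OperationalInsights/workspaces/$workspaceName"
$dcePath = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/$dceName"
$dcrPath = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Insights/dataCollectionRules/$dcrName"

# Single source of truth for the columns. The Tables API uses the capitalised
# type names from the post; DCR stream declarations use lowercase names.
$columns = @(
    @{ name = "TimeGenerated"; tableType = "DateTime"; streamType = "datetime" },
    @{ name = "RawData";       tableType = "String";   streamType = "string" }
)

function Invoke-ArmPut {
    # PUT a hashtable body as JSON and fail loudly on anything but 200/201/202.
    param([string]$Path, [hashtable]$Body)
    $json = $Body | ConvertTo-Json -Depth 20
    $resp = Invoke-AzRestMethod -Path $Path -Method PUT -Payload $json
    if ($resp.StatusCode -notin 200, 201, 202) {
        throw "PUT $Path failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    return $resp.Content | ConvertFrom-Json
}

# Step 1: create (or update) the custom table.
$tableBody = @{
    properties = @{
        schema = @{
            name    = $tableName
            columns = @($columns | ForEach-Object { @{ name = $_.name; type = $_.tableType } })
        }
    }
}
Invoke-ArmPut -Path "$wsPath/tables/$tableName?api-version=$tablesApi" -Body $tableBody | Out-Null

# Verify the table really exists before building a DCR that targets it.
$check = Invoke-AzRestMethod -Path "$wsPath/tables/$tableName?api-version=$tablesApi" -Method GET
if ($check.StatusCode -ne 200) { throw "Table $tableName not found after creation (HTTP $($check.StatusCode))" }
Write-Host "Table $tableName is present in $workspaceName"

# Step 2: create the DCR. The stream declaration is derived from the same
# column list, the data source reads the text files, and the data flow routes
# the stream to the workspace. transformKql is the place to filter or mask
# sensitive content before ingestion; "source" means no transformation.
$dcrBody = @{
    location   = $location
    properties = @{
        dataCollectionEndpointId = $dcePath
        streamDeclarations = @{
            $streamName = @{
                columns = @($columns | ForEach-Object { @{ name = $_.name; type = $_.streamType } })
            }
        }
        dataSources = @{
            logFiles = @(
                @{
                    name         = "myTextLogs"              # assumed data source name
                    streams      = @($streamName)
                    filePatterns = @("C:\DirectoryName\*.log")
                    format       = "text"
                    settings     = @{ text = @{ recordStartTimestampFormat = "ISO 8601" } }
                }
            )
        }
        destinations = @{
            logAnalytics = @(@{ workspaceResourceId = $wsPath; name = "laDest" })
        }
        dataFlows = @(
            @{
                streams      = @($streamName)
                destinations = @("laDest")
                transformKql = "source"
                outputStream = $streamName
            }
        )
    }
}
$dcr = Invoke-ArmPut -Path "$dcrPath?api-version=$dcrApi" -Body $dcrBody
Write-Host "DCR created: $($dcr.id)"
```

Run it from a session signed in with an identity that can write to the workspace and the resource group; the script stops at the first non-success HTTP status rather than continuing with a half-built configuration. Creating the DCR does not by itself associate it with any machine; that association (and the Azure Monitor Agent on the device) is a separate step that the portal wizard performs for you.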
Disclaimer
The views expressed in this blog post are solely my own and do not represent those of my employer or any clients. The views and opinions expressed in this blog post are based on references from Microsoft articles. Assistance from ChatGPT is taken for customizing the blog.