Edge Delta Azure Log Analytics Destination

Send logs to Azure Log Analytics.

Overview

You can configure Edge Delta agents to send logs and other telemetry for downstream processing by Azure Log Analytics.

Note: To ingest logs into Microsoft Sentinel from Azure Log Analytics, use the Edge Delta Sentinel Destination node and pack.

Note: It is recommended to use separate Azure Log Analytics nodes to send logs, cluster patterns, and custom data.

Prerequisites

See Send Logs to Azure Log Analytics and Sentinel for more details about configuring Azure and retrieving the values required to configure this node.

Example Configuration

- name: Azure Log Analytics Destination
  type: azure_log_analytics_output
  stream_name: Custom-ED_agent_logs_ingestion_CL
  data_collection_endpoint: https://democo.eastus-1.ingest.monitor.azure.com
  data_collection_rule_id: 123-21a4f6c095d54364afa3a52b111432ea
  tenant_id: 12345678-1234-1234-123r-a123b456c789
  client_id: 98765432-4321-3c21-g654-a987b654c321
  client_secret: abcdefghijklmnopqrstuvwxyz12345678910111

Required Parameters

name

A descriptive name for the node. This is the name that will appear in Visual Pipelines and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element so it begins with a - and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: azure_log_analytics_output

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

stream_name

You use the stream_name parameter to specify the identifier for the incoming data stream within the Log Analytics workspace. It is configured as a string and is required. See how to get the stream_name here.

Note: You must configure one Azure Destination node per stream name.

data_collection_endpoint

You use the data_collection_endpoint parameter to configure Edge Delta with the endpoint exposed by Azure Monitor for ingesting logs (configured earlier). It is specified as a string and is required. See how to get the data_collection_endpoint here.

data_collection_rule_id

You use the data_collection_rule_id to specify the unique identifier for the Data Collection Rule (DCR), which controls ingestion and forwarding to a destination (configured earlier). It is specified as a string and is required. See how to get the data_collection_rule_id here.

tenant_id

You use the tenant_id parameter to specify the GUID for your Azure AD tenant. It is specified as a string and is required. This parameter can be defined in the node configuration but a best practice is to use secrets management with an environment variable, in which case the AZURE_TENANT_ID environment variable takes priority over this value. See how to get the tenant_id here.

client_id

You use the client_id parameter to specify the GUID for the application or service principal registered in Azure AD and authorized to make API calls. It is specified as a string and is required. This parameter can be defined in the node configuration but a best practice is to use secrets management with an environment variable, in which case the AZURE_CLIENT_ID environment variable takes priority over this value. See how to get the client_id here.

client_secret

You use the client_secret parameter to specify the secret associated with your client ID. It is specified as a string and is required. This parameter can be defined in the node configuration but a best practice is to use secrets management with an environment variable, in which case the AZURE_CLIENT_SECRET environment variable takes priority over this value. See how to get the client_secret here.
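
The precedence described for tenant_id, client_id and client_secret (the AZURE_* environment variable wins over the node value) can be checked before a pipeline config is committed. The following Python audit is an added example, not Edge Delta code; it reads only the flat node layout shown on this page, and its function names, finding labels and sample values are constructed for illustration.

```python
import os
import re
# Precedence stated on the page: each variable overrides the matching node key.
ENV_OVERRIDES = {
    "tenant_id": "AZURE_TENANT_ID",
    "client_id": "AZURE_CLIENT_ID",
    "client_secret": "AZURE_CLIENT_SECRET",
}
KEY_VALUE = re.compile(r"^\s*(-\s+)?([A-Za-z_]+):\s*(.*?)\s*$")
# Constructed sample in the page's node layout; every value is a placeholder.
SAMPLE = """\
nodes:
  - name: Azure Log Analytics Destination
    type: azure_log_analytics_output
    tenant_id: 00000000-0000-0000-0000-000000000000
    client_secret: CONSTRUCTED-PLACEHOLDER
"""

def parse_nodes(text):
    """Parse the flat '- name:' node list shown on the page (not general YAML)."""
    nodes = []
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue
        dash, key, value = m.groups()
        if dash:  # a '- ' list marker starts a new node
            nodes.append({})
        if nodes and value:
            nodes[-1][key] = value
    return nodes

def audit(text, env):
    """Return (node, key, finding) tuples; credential values are never returned."""
    findings = []
    azure = [n for n in parse_nodes(text) if n.get("type") == "azure_log_analytics_output"]
    for node in azure:
        for key, var in ENV_OVERRIDES.items():
            inline = key in node
            if env.get(var):  # the variable wins; an inline copy is unused but exposed
                finding = "env-overrides-inline" if inline else "env-only"
            else:
                finding = "inline-only" if inline else "missing"
            findings.append((node.get("name", "?"), key, finding))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE, os.environ):
        print(*row, sep="\t")
```

Run it in the same environment the agent starts in, so the findings reflect the variables the agent will actually see. An "env-overrides-inline" result on client_secret means the value in the file is not used and can be removed from the config.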