Merge pull request #195265 from bwren/iis-log

Add IIS to text logs

Author: v-regandowner

articles/azure-monitor/agents/data-collection-text-log.md

@@ -1,33 +1,26 @@
 ---
-title: Collect text logs with Azure Monitor agent (preview)
+title: Collect text and IIS logs with Azure Monitor agent (preview)
 description: Configure collection of filed-based text logs using a data collection rule on virtual machines with the Azure Monitor agent.
 ms.topic: conceptual
-ms.date: 04/08/2022
+ms.date: 04/15/2022
 
 ---
 
-# Collect text logs with Azure Monitor agent (preview)
-This tutorial shows you how to configure the collection of file-based text logs with the [Azure Monitor agent](azure-monitor-agent-overview.md) and sending the collected data to a custom table in a Log Analytics workspace. This feature uses a [data collection rule](../essentials/data-collection-rule-overview.md) that you can use to define the structure of the log file and its target table. 
+# Collect text and IIS logs with Azure Monitor agent (preview)
+This article describes how to configure the collection of file-based text logs, including logs generated by IIS on Windows computers, with the [Azure Monitor agent](azure-monitor-agent-overview.md). Many applications log information to text files instead of standard logging services such as Windows Event log or Syslog. 
 
 > [!NOTE]
 > This feature is currently in public preview and isn't completely implemented in the Azure portal. This tutorial uses Azure Resource Manager templates for steps that can't yet be performed with the portal.
 
-In this tutorial, you learn to:
-
-> [!div class="checklist"]
-> * Create a custom table in a Log Analytics workspace.
-> * Create a data collection endpoint to receive data from an agent.
-> * Create a data collection rule that collects data from both a custom text log file.
-> * Create an association to apply the data collection rule to agents.
 ## Prerequisites
-To complete this tutorial, you need the following: 
+To complete this procedure, you need the following: 
 
 - Log Analytics workspace where you have at least [contributor rights](../logs/manage-access.md#manage-access-using-azure-permissions) .
 - [Permissions to create Data Collection Rule objects](/azure/azure-monitor/essentials/data-collection-rule-overview#permissions) in the workspace.
 - An agent with supported log file as described in the next section.
 
 ## Log files supported
-The log file must meet the following criteria to be collected by this feature:
+IIS logs must be in W3C format. Other log files must meet the following criteria to be collected:
 
 - The log file must be stored on a local drive of a virtual machine, virtual machine scale set, or Arc enabled server with the Azure Monitor installed.
 - Each entry in the log file must be delineated with an [ISO 8601 formatted](https://www.iso.org/standard/40874.html) time stamp or an end of line.
@@ -37,15 +30,18 @@ The log file must meet the following criteria to be collected by this feature:
 ## Steps to collect text logs
 The steps to configure log collection are as follows. The detailed steps for each are provided in the sections below:
 
-1. Create a new table in your workspace to receive the collected data.
+1. Create a new table in your workspace to receive the collected data. (not required for IIS logs)
 2. Create a data collection endpoint for the Azure Monitor agent to connect.
 3. Create a data collection rule to define the structure of the log file and destination of the collected data.
 4. Create association between the data collection rule and the agent collecting the log file.
 
 ## Create new table in Log Analytics workspace
 The custom table must be created before you can send data to it. When you create the table, you provide its name and a definition for each of its columns. 
 
-Use the **Tables - Update** API to create the table with the PowerShell code below. This code creates a table called *MyTable_CL* with two columns. You can modify this schema to collect a different table. 
+>[!NOTE]
+> This step isn't required to collect an IIS log. The table [W3CIISLog](/azure/azure-monitor/reference/tables/w3ciislog) will be used for IIS logs.
+
+Use the **Tables - Update** API to create the table with the PowerShell code below. This code creates a table called *MyTable_CL* with two columns. Modify this schema to collect a different table. 
 
 > [!IMPORTANT]
 > Custom tables must use a suffix of *_CL*.
@@ -96,7 +92,6 @@ A [data collection endpoint (DCE)](../essentials/data-collection-endpoint-overvi
 
     :::image type="content" source="../logs/media/tutorial-ingestion-time-transformations-api/edit-template.png" lightbox="../logs/media/tutorial-ingestion-time-transformations-api/edit-template.png" alt-text="Screenshot that shows portal blade to edit Resource Manager template.":::
 
-
     ```json
     {
         "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -143,6 +138,7 @@ A [data collection endpoint (DCE)](../essentials/data-collection-endpoint-overvi
     }
     ```
 
+
 4. On the **Custom deployment** screen, specify a **Subscription** and **Resource group** to store the data collection rule and then provide values a **Name** for the data collection endpoint. The **Location** should be the same location as the workspace. The **Region** will already be populated and is used for the location of the data collection endpoint.
 
     :::image type="content" source="../logs/media/tutorial-ingestion-time-transformations-api/custom-deployment-values.png" lightbox="../logs/media/tutorial-ingestion-time-transformations-api/custom-deployment-values.png" alt-text="Screenshot that shows portal blade to edit custom deployment values for data collection endpoint.":::
@@ -173,19 +169,18 @@ The [data collection rule (DCR)](../essentials/data-collection-rule-overview.md)
 
     :::image type="content" source="../logs/media/tutorial-ingestion-time-transformations-api/build-custom-template.png" lightbox="../logs/media/tutorial-ingestion-time-transformations-api/build-custom-template.png" alt-text="Screenshot that shows portal blade to build template in the editor.":::
 
-3. Paste the Resource Manager template below into the editor and then change the following values:
-
-    You may choose to modify the following details in the DCR defined in this template:
+3. Paste one of the Resource Manager templates below into the editor and then change the following values:
 
     - `streamDeclarations`: Defines the columns of the incoming data. This must match the structure of the log file.
     - `filePatterns`: Specifies the location and file pattern of the log files to collect. This defines a separate pattern for Windows and Linux agents.
-    - `transformKql`: Specifies a [transformation](../logs/../essentials/data-collection-rule-transformations.md) to apply to the incoming data before it's sent to the workspace. Since data collection rules for Azure Monitor agent don't yet support transformations, this value will always be `source`.
+    - `transformKql`: Specifies a [transformation](../logs/../essentials/data-collection-rule-transformations.md) to apply to the incoming data before it's sent to the workspace. Data collection rules for Azure Monitor agent don't yet support transformations, so this value should currently be `source`.
 
 
 4. Click **Save**.
 
     :::image type="content" source="../logs/media/tutorial-ingestion-time-transformations-api/edit-template.png" lightbox="../logs/media/tutorial-ingestion-time-transformations-api/edit-template.png" alt-text="Screenshot that shows portal blade to edit Resource Manager template.":::
 
+    **Data collection rule for text log**
 
     ```json
     {
@@ -235,7 +230,7 @@ The [data collection rule (DCR)](../essentials/data-collection-rule-overview.md)
                 "name": "[parameters('dataCollectionRuleName')]",
                 "location": "[parameters('location')]",
                 "apiVersion": "2021-09-01-preview",
-            "properties": {
+                "properties": {
                     "dataCollectionEndpointId": "[parameters('endpointResourceId')]",
                     "streamDeclarations": {
                         "Custom-MyLogFileFormat": {
@@ -283,7 +278,6 @@ The [data collection rule (DCR)](../essentials/data-collection-rule-overview.md)
                                 },
                                 "name": "myLogFileFormat-Linux"
                             }
-
                         ]
                     },
                     "destinations": {
@@ -318,6 +312,102 @@ The [data collection rule (DCR)](../essentials/data-collection-rule-overview.md)
     }
     ```
 
+    **Data collection rule for IIS log**
+
+    ```json
+    {
+        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+        "contentVersion": "1.0.0.0",
+        "parameters": {
+            "dataCollectionRuleName": {
+                "type": "string",
+                "metadata": {
+                    "description": "Specifies the name of the Data Collection Rule to create."
+                }
+            },
+            "location": {
+                "type": "string",
+            "defaultValue": "westus2",
+                "allowedValues": [
+                    "westus2",
+                    "eastus2",
+                    "eastus2euap"
+                ],
+                "metadata": {
+                    "description": "Specifies the location in which to create the Data Collection Rule."
+                }
+            },
+            "workspaceName": {
+                "type": "string",
+                "metadata": {
+                    "description": "Name of the Log Analytics workspace to use."
+                }
+            },
+            "workspaceResourceId": {
+                "type": "string",
+                "metadata": {
+                    "description": "Specifies the Azure resource ID of the Log Analytics workspace to use."
+                }
+            },
+            "endpointResourceId": {
+                "type": "string",
+                "metadata": {
+                    "description": "Specifies the Azure resource ID of the Data Collection Endpoint to use."
+                }
+            }
+        },
+        "resources": [
+            {
+                "type": "Microsoft.Insights/dataCollectionRules",
+                "name": "[parameters('dataCollectionRuleName')]",
+                "location": "[parameters('location')]",
+                "apiVersion": "2021-09-01-preview",
+                "properties": {
+                    "dataCollectionEndpointId": "[parameters('endpointResourceId')]",
+                    "dataSources": {
+                        "iisLogs": [
+                            {
+                                "streams": [
+                                    "Microsoft-W3CIISLog"
+                                ],
+                                "logDirectories": [
+                                    "C:\\inetpub\\logs\\LogFiles\\*.log"
+                                ],
+                                "name": "myIisLogsDataSource"
+                            }
+                        ]
+                    },
+                    "destinations": {
+                        "logAnalytics": [
+                            {
+                                "workspaceResourceId": "[parameters('workspaceResourceId')]",
+                                "name": "[parameters('workspaceName')]"
+                            }
+                        ]
+                    },
+                    "dataFlows": [
+                        {
+                            "streams": [
+                                "Microsoft-W3CIISLog"
+                            ],
+                            "destinations": [
+                                "[parameters('workspaceName')]"
+                            ],
+                            "transformKql": "source"
+                        }
+                    ]
+                }
+            }
+        ],
+        "outputs": {
+            "dataCollectionRuleId": {
+                "type": "string",
+                "value": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]"
+            }
+        }
+    }
+    ```
+
 5. On the **Custom deployment** screen, specify a **Subscription** and **Resource group** to store the data collection rule and then provide values defined in the template. This includes a **Name** for the data collection rule and the **Workspace Resource ID** and **Endpoint Resource ID**. The **Location** should be the same location as the workspace. The **Region** will already be populated and is used for the location of the data collection rule.
 
     :::image type="content" source="media/data-collection-text-log/custom-deployment-values.png" lightbox="media/data-collection-text-log/custom-deployment-values.png" alt-text="Screenshot that shows portal blade to edit custom deployment values for data collection rule.":::

articles/azure-monitor/toc.yml

@@ -502,7 +502,7 @@ items:
         - name: Collect events and performance
           displayName: data collection rule,Azure Monitor agent
           href: agents/data-collection-rule-azure-monitor-agent.md
-        - name: Collect text Logs
+        - name: Collect text and IIS Logs
           displayName: data collection rule,Azure Monitor agent
           href: agents/data-collection-text-log.md
       - name: Use data collection endpoints