articles/azure-monitor/vm/monitor-virtual-machine-data-collection.md
Lines changed: 8 additions & 8 deletions
@@ -90,14 +90,14 @@ For more granular filtering by criteria such as event ID, you can create a custo
90
90
Use the following guidance as a recommended starting point for event collection. Modify the DCR settings to filter unneeded events and add other events depending on your requirements.
91
91
92
92
| Source | Strategy |
93
-
|--------|----------|
93
+
|:---|:---|
94
94
| Windows events | Collect at least **Critical**, **Error**, and **Warning** events for the **System** and **Application** logs to support alerting. Add **Information** events to analyze trends and support troubleshooting. **Verbose** events are rarely useful and typically shouldn't be collected. |
95
95
| Syslog events | Collect at least **LOG_WARNING** events for each facility to support alerting. Add **Information** events to analyze trends and support troubleshooting. **LOG_DEBUG** events are rarely useful and typically shouldn't be collected. |
96
96
97
97
### Sample log queries: Windows events
98
98
99
99
| Query | Description |
100
-
|---------|-------------|
100
+
|:---|:---|
101
101
| Event | All Windows events |
102
102
| Event | where EventLevelName == "Error"` |All Windows events with severity of error |
103
103
| Event | summarize count() by Source` |Count of Windows events by source |
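Review bot: The Syslog events row of the strategy table names syslog severities for the minimum and the excluded level (LOG_WARNING, LOG_DEBUG) but uses the Windows-style **Information** for the optional level. Since this table is being touched anyway, name the syslog severity there (LOG_INFO) so the row uses one vocabulary. The separator change to `|:---|:---|` in both tables only makes left alignment explicit and needs no further change.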
@@ -106,7 +106,7 @@ Use the following guidance as a recommended starting point for event collection.
106
106
### Sample log queries: Syslog events
107
107
108
108
| Query | Description |
109
-
|----------|-------------|
109
+
|:---|:---|
110
110
| Syslog |All Syslogs |
111
111
| Syslog | where SeverityLevel == "error"` |All Syslog records with severity of error |
112
112
| Syslog | summarize AggregatedValue = count() by Computer` |Count of Syslog records by computer |
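Review bot: In the unchanged rows under the new separator, the query cells show a bare pipe inside the query and only a closing backtick, and the first row has no space after the cell boundary (`|All Syslogs |`). The separator now declares exactly two columns, so please confirm that each query is a single code span with its pipe escaped, otherwise the query splits into an extra cell. Normalise the cell spacing in the same pass.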
@@ -128,15 +128,15 @@ For guidance on creating a DCR to collect performance counters, see [Collect eve
128
128
> You might choose to combine performance and event collection in the same DCR.
129
129
130
130
Destination | Description |
131
-
|------------|-------------|
131
+
|:---|:---|
132
132
| Metrics | Host metrics are automatically sent to Azure Monitor Metrics. You can use a DCR to collect client metrics so that they can be analyzed together with [metrics explorer](../essentials/metrics-getting-started.md) or used with [metrics alerts](../alerts/alerts-create-new-alert-rule.md?tabs=metric). This data is stored for 93 days. |
133
133
| Logs | Performance data stored in Azure Monitor Logs can be stored for extended periods. The data can be analyzed along with your event data by using [log queries](../logs/log-query-overview.md) with [Log Analytics](../logs/log-analytics-overview.md) or [log query alerts](../alerts/alerts-create-new-alert-rule.md?tabs=log). You can also correlate data by using complex logic across multiple machines, regions, and subscriptions.<br><br>Performance data is sent to the following tables:<br>VM insights - [InsightsMetrics](/azure/azure-monitor/reference/tables/insightsmetrics)<br>Other performance data - [Perf](/azure/azure-monitor/reference/tables/perf)|
134
134
135
135
### Sample log queries
136
136
The following samples use the `Perf` table with custom performance data. For information on performance data collected by VM insights, see [How to query logs from VM insights](../vm/vminsights-log-query.md#performance-records).
137
137
138
138
| Query | Description |
139
-
|--------|-------------|
139
+
|:---|:---|
140
140
| Perf | All Performance data |
141
141
| Perf | where Computer == "MyComputer"` |All Performance data from a particular computer |
142
142
| Perf | where CounterName == "Current Disk Queue Length"` |All Performance data for a particular counter |
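Review bot: The header row of the destination table reads `Destination | Description |` with no leading pipe, while the new separator `|:---|:---|` and both body rows start with one. Add the leading pipe to the header in this change so all three row types share the same delimiter style. The other header rows in this hunk already have it.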
@@ -156,7 +156,7 @@ Some applications write events written to a text log stored on the virtual machi
156
156
The column names used here are examples only. The column names for your log will most likely be different.
157
157
158
158
| Query | Description |
159
-
|------------|-------------|
159
+
|:---|:---|
160
160
| MyApp_CL | summarize count() by code` | Count the number of events by code. |
161
161
| MyApp_CL | where status == "Error" | summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 15m)` | Create an alert rule on any error event. |
162
162
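Review bot: The description in the second row, "Create an alert rule on any error event.", is an instruction rather than a statement of what the query returns, unlike the row above it. The query counts records where status is "Error" per computer in 15-minute bins, so the description could say that and mention that the result is meant as the input to an alert rule.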
@@ -168,7 +168,7 @@ Records from the IIS log are stored in the [W3CIISLog](/azure/azure-monitor/refe
168
168
### Sample log queries
169
169
170
170
| Query | Description |
171
-
|-------------|-------------|
171
+
|:---|:---|
172
172
| W3CIISLog | where csHost=="www.contoso.com" | summarize count() by csUriStem` | Count the IIS log entries by URL for the host www.contoso.com.|
173
173
| W3CIISLog | summarize sum(csBytes) by Computer` | Review the total bytes received by each IIS machine. |
174
174
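Review bot: The first W3CIISLog row writes the filter as `csHost=="www.contoso.com"` with no spaces around the operator, while the sample queries in the other tables use `==` with spaces. Its description also ends directly against the closing pipe. Both are worth tidying in a formatting-only change like this one.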
@@ -185,7 +185,7 @@ For different options to enable the Change Tracking solution on your virtual mac
185
185
When you enable Change Tracking and Inventory, two new tables are created in your Log Analytics workspace. Use these tables for logs queries and log query alert rules.
186
186
187
187
| Table | Description |
188
-
|-------|-------------|
188
+
|:---|:---|
189
189
|[ConfigurationChange](/azure/azure-monitor/reference/tables/configurationdata)| Changes to in-guest configuration data |
190
190
|[ConfigurationData](/azure/azure-monitor/reference/tables/configurationdata)| Last reported state for in-guest configuration data |
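Review bot: In the table under the new separator, the ConfigurationChange row links to /azure/azure-monitor/reference/tables/configurationdata, which is the same target as the ConfigurationData row below it. That looks like a copy-paste error. Please point the first link at the ConfigurationChange table reference, since readers building change-tracking queries and alert rules will follow it to the schema.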