Bicep Module Documentation

| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| kind (required) | 'Linux' 'Windows' | dataCollectionRule |
| identity | identity | Configuration of the User Assigned Managed Identity for this server. (default: none) |
| agentSettings | agentSettings | Agent settings used to modify agent behavior on a given host |
| dataCollectionEndpointId | string | The resource ID of the data collection endpoint that this rule can be used with. |
| dataFlows | dataFlows[] | The specification of data flows. |
| dataSources | dataSources | The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint. |
| description | string | Description of the data collection rule. |
| destinations (required) | destinations | The specification of destinations. |
| references | references | Defines all the references that may be used in other sections of the DCR |

| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |

| Property | Value | Description |
|---|---|---|
| name (required) | 'MaxDiskQuotaInMB' 'UseTimeReceivedForForwardedEvents' | The name of the setting. |
| value (required) | string | The value of the setting |

| Property | Value | Description |
|---|---|---|
| logs | logs[] | All the settings that are applicable to the logs agent (AMA) |

| Property | Value | Description |
|---|---|---|
| builtInTransform | string | The builtIn transform to transform stream data |
| captureOverflow | bool | Flag to enable overflow column in LA destinations |
| destinations (required) | string[] | List of destinations for this data flow. |
| outputStream | string | The output stream of the transform. Only required if the transform changes data to a different stream. |
| streams (required) | Array containing any of: 'Microsoft-Event' 'Microsoft-InsightsMetrics' 'Microsoft-Perf' 'Microsoft-Syslog' 'Microsoft-WindowsEvent' | List of streams for this data flow. |
| transformKql | string | The KQL query to transform stream data. |

| Property | Value | Description |
|---|---|---|
| consumerGroup (required) | string | Event Hub consumer group name |
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| stream (required) | string | The stream to collect from EventHub |

| Property | Value | Description |
|---|---|---|
| eventHub (required) | eventHub | Definition of Event Hub configuration. |

| Property | Value | Description |
|---|---|---|
| extensionName (required) | string | The name of the VM extension. |
| inputDataSources (required) | string[] | The list of data sources this extension needs data from. |
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| streams (required) | Array containing any of: 'Microsoft-Event' 'Microsoft-InsightsMetrics' 'Microsoft-Perf' 'Microsoft-Syslog' 'Microsoft-WindowsEvent' | List of streams that this data source will be sent to. |

| Property | Value | Description |
|---|---|---|
| logDirectories (required) | string[] | Absolute paths of the file locations |
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| streams (required) | string[] | IIS streams |
| transformKql | string | The KQL query to transform the data source. |

| Property | Value | Description |
|---|---|---|
| recordStartTimestampFormat (required) | 'ISO 8601' 'M/D/YYYY HH:MM:SS AM/PM' 'MMM d hh:mm:ss' 'Mon DD, YYYY HH:MM:SS' 'YYYY-MM-DD HH:MM:SS' 'dd/MMM/yyyy:HH:mm:ss zzz' 'ddMMyy HH:mm:ss' 'yyMMdd HH:mm:ss' 'yyyy-MM-ddTHH:mm:ssK' | One of the supported timestamp formats |

| Property | Value | Description |
|---|---|---|
| text (required) | text | Text settings |

| Property | Value | Description |
|---|---|---|
| filePatterns (required) | string[] | File Patterns where the log files are located |
| format (required) | 'json' 'text' | The data format of the log files |
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| settings (required) | settings | The log files specific settings. |
| streams (required) | string[] | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data source |
| transformKql | string | The KQL query to transform the data source. |

| Property | Value | Description |
|---|---|---|
| counterSpecifiers (required) | string[] | A list of specifier names of the performance counters you want to collect. Use a wildcard (*) to collect a counter for all instances. To get a list of performance counters on Windows, run the command typeperf. |
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| samplingFrequencyInSeconds (required) | int | The number of seconds between consecutive counter measurements (samples). |
| streams (required) | Array containing any of: 'Microsoft-InsightsMetrics' 'Microsoft-Perf' | List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to. |
| transformKql | string | The KQL query to transform the data source. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| streams (required) | string[] | List of platform telemetry streams to collect |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| streams (required) | Array containing any of: 'Microsoft-PrometheusMetrics' | List of streams that this data source will be sent to. |

| Property | Value | Description |
|---|---|---|
| facilityNames | Array containing any of: '*' 'alert' 'audit' 'auth' 'authpriv' 'clock' 'cron' 'daemon' 'ftp' 'kern' 'local0' 'local1' 'local2' 'local3' 'local4' 'local5' 'local6' 'local7' 'lpr' 'mail' 'mark' 'news' 'nopri' 'ntp' 'syslog' 'user' 'uucp' | The list of facility names. |
| logLevels | Array containing any of: '*' 'Alert' 'Critical' 'Debug' 'Emergency' 'Error' 'Info' 'Notice' 'Warning' | The log levels to collect. |
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| streams (required) | Array containing any of: 'Microsoft-Syslog' | List of streams that this data source will be sent to. |
| transformKql | string | The KQL query to transform the data source. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| streams (required) | Array containing any of: 'Microsoft-Event' 'Microsoft-WindowsEvent' | List of streams that this data source will be sent to. |
| transformKql | string | The KQL query to transform the data source. |
| xPathQueries (required) | string[] | A list of Windows Event Log queries in XPATH format. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule. |
| profileFilter (required) | Array containing any of: 'Domain' 'Private' 'Public' | Firewall logs profile filter |
| streams (required) | string[] | List of streams that this data source will be sent to. |

| Property | Value | Description |
|---|---|---|
| dataImports | dataImports | Specifications of pull based data sources |
| extensions | extensions[] | The list of Azure VM extension data source configurations. |
| iisLogs | iisLogs[] | The list of IIS logs source configurations. |
| logFiles | logFiles[] | The list of Log files source configurations. |
| performanceCounters | performanceCounters[] | The list of performance counter data source configurations. |
| platformTelemetry | platformTelemetry[] | The list of platform telemetry configurations |
| prometheusForwarder | prometheusForwarder[] | The list of Prometheus forwarder data source configurations. |
| syslog | syslog[] | The list of Syslog data source configurations. |
| windowsEventLogs | windowsEventLogs[] | The list of Windows Event Log data source configurations. |
| windowsFirewallLogs | windowsFirewallLogs[] | The list of Windows Firewall logs source configurations. |

| Property | Value | Description |
|---|---|---|
| databaseName (required) | string | The name of the database to which data will be ingested. |
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
| resourceId (required) | string | The ARM resource id of the Adx resource. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
| eventHubResourceId (required) | string | The resource ID of the event hub. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
| eventHubResourceId (required) | string | The resource ID of the event hub. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
| workspaceResourceId (required) | string | The resource ID of the Log Analytics workspace. |

| Property | Value | Description |
|---|---|---|
| artifactId (required) | string | The artifact id of the Microsoft Fabric resource. |
| databaseName (required) | string | The name of the database to which data will be ingested. |
| ingestionUri (required) | string | The ingestion uri of the Microsoft Fabric resource. |
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
| tenantId (required) | string | The tenant id of the Microsoft Fabric resource. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
| accountResourceId (required) | string | The resource ID of the monitoring account. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
| storageAccountResourceId (required) | string | The resource ID of the storage account. |
| containerName (required) | string | The container name of the Storage Blob. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
| storageAccountResourceId (required) | string | The resource ID of the storage account. |
| containerName (required) | string | The container name of the Storage Blob. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule. |
| storageAccountResourceId (required) | string | The resource ID of the storage account. |
| tableName (required) | string | The name of the Storage Table. |

| Property | Value | Description |
|---|---|---|
| azureDataExplorer | azureDataExplorer[] | List of Azure Data Explorer destinations. |
| azureMonitorMetrics | azureMonitorMetrics | Azure Monitor Metrics destination. |
| eventHubs | eventHubs[] | List of Event Hubs destinations. |
| eventHubsDirect | eventHubsDirect[] | List of Event Hubs Direct destinations. |
| logAnalytics | logAnalytics[] | List of Log Analytics destinations. |
| microsoftFabric | microsoftFabric[] | List of Microsoft Fabric destinations. |
| monitoringAccounts | monitoringAccounts[] | List of monitoring account destinations. |
| storageAccounts | storageAccounts[] | List of storage accounts destinations. |
| storageBlobsDirect | storageBlobsDirect[] | List of Storage Blob Direct destinations. To be used only for sending data directly to store from the agent. |
| storageTablesDirect | storageTablesDirect[] | List of Storage Table Direct destinations. |

| Property | Value | Description |
|---|---|---|
| blobUrl (required) | string | Url of the storage blob |
| lookupType (required) | 'Cidr' 'String' | The type of lookup to perform on the blob |
| name (required) | string | The name of the enrichment data source used as an alias when referencing this data source in data flows |
| resourceId (required) | string | Resource Id of the storage account that hosts the blob |

| Property | Value | Description |
|---|---|---|
| storageBlobs (required) | storageBlobs[] | All the storage blobs used as enrichment data sources |

| Property | Value | Description |
|---|---|---|
| enrichmentData (required) | enrichmentData | All the enrichment data sources referenced in data flows |

| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' | The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource; if empty, none will be appended, otherwise it will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |

| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' | The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. ReadOnly locks must be commented out to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |

| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |

| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |

| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |