connector.conf
Configuration stanzas for Azure metrics, KQL, resources, audit, storage, and Event Hub.
Specifications
[azure-metrics://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
frequency = <seconds> Interval to run the input
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
source = <source-name>
sourcetype = dataelicit/azure:azure-metrics
subscription_ids = Comma-separated list of Subscription IDs to use for fetching metrics
namespaces = Comma-separated list of metric namespaces to query.
Refer to the 'Supported metrics with Azure Monitor' section of the Microsoft documentation for the list of available metric namespaces.
Example: Microsoft.Compute/virtualMachines
metric_statistics = average,minimum,maximum,total,count
Select one or more statistics as required.
time_aggregation = 1min | 5min | 15min | 30min | 1h | 6h | 12h | 1d
If the preferred time period is not available for a specific metric in the namespace, the next available preferred time will be used.
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1
[azure-kql-log-analytics://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
frequency = <seconds> Interval to run the input
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
source = <source-name>
sourcetype = dataelicit/azure:azure-kql
workspace_id = Azure Log Analytics Workspace ID
kql_query = "KQL Query to execute"
include_stats = 0/1 If 1 the input will index statistics about the KQL query
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1
[azure-resource://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
frequency = <seconds> Interval to run the input
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
source = <source-name>
sourcetype = dataelicit/azure:azure-resources
subscription_id = Subscription ID to use for fetching resources
resource_type = VirtualMachine | NetworkInterfaceCard | PublicIPAddress | SecurityGroups | VirtualNetwork | DiskData | SnapshotData | ImageData
resource_groups = Comma separated list of resource groups (optional)
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1
[azure-audit://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
frequency = <seconds> Interval to run the input
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
source = <source-name>
sourcetype = dataelicit/azure:azure-audit
subscription_id = Subscription ID to use for fetching audit logs
startDate = Collects data later than this time.
The default start time is 30 days ago. Format: %Y-%m-%dT%H:%M:%S.%fZ
debug = true (optional) Also include debug logs.
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1
[azure-storage-blob://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
frequency = <seconds> Interval to run the input
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
source = <source-name>, Default is storage blob name
sourcetype = dataelicit/azure:azure-storage-blob
container_name = <storage-container-name>
prefix = Collects the data from the blobs whose names begin with specified prefix. (optional)
blob_list = Comma-separated list of blob names to include (optional)
excluded_blobs = Comma-separated list of blobs to exclude (optional)
decoding = Specify the character set of the blobs, e.g. UTF-8, UTF-32, etc. Default is utf-8
blob_mode = append
Select Append Mode to retrieve only the incremental changes
Default is Read Mode to retrieve the entire blob again on an update
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1
[azure-storage-table://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
frequency = <seconds> Interval to run the input
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
source = <source-name>, Default is storage table name
sourcetype = dataelicit/azure:azure-storage-table
prefix = Collects the data from the tables whose names begin with specified prefix. (optional)
table_list = Comma-separated list of table names to fetch data from
start_time = Collects data later than this time.
The default start time is 30 days ago. Format: %Y-%m-%dT%H:%M:%S.%fZ
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1
[azure-eventhub://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
frequency = <seconds> Interval to run the input
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
source = <source-name>, Default is storage table name
sourcetype = dataelicit/azure:azure-eventhub
consumer_group = Name of the consumer group. Default: $Default if not specified
max_batch_size = <batch-size> Default: 300 if not specified
max_wait_time = <wait-time-in-seconds> Default: 10 if not specified
eventhub_name = Name of the Event Hub
enable_blob_checkpoint = <true/false> Default: false. Set to true to enable checkpointing; the blob storage parameters must then be specified.
blob_container_name = Name of the blob storage container, required if enable_blob_checkpoint = true
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1
Example
Example connector.conf stanzas for Azure metrics, KQL, resources, audit logs, storage, and Event Hub using common global and secret stanzas.
[azure-metrics://metrics]
source = Azure
sourcetype = dataelicit/azure:azure-metrics
cron = 0 0 1 * *
subscription_ids = 2caaxxxx-52b7-43e1-afc2-ab2xxxxxx
namespaces = Microsoft.Compute/virtualMachines,Microsoft.Network/publicIPAddresses
metric_statistics = average,minimum,maximum,total,count
time_aggregation = 1h
secret = azurecreds
global = azure

[azure-kql-log-analytics://kql-data]
source = Azure
sourcetype = dataelicit/azure:azure-kql
frequency = 300
workspace_id = ecf142e3-xxxx-4050-9c3b-xxxxxxx
kql_query = "InsightsMetrics | top 10 by TimeGenerated"
include_stats = 1
secret = azurecreds
global = azure

[azure-resource://resources]
source = Azure
sourcetype = dataelicit/azure:azure-resource
cron = 0 0 1 * *
subscription_id = 2caaxxxx-52b7-43e1-afc2-ab2xxxxxx
resource_type = VirtualMachine
secret = azurecreds
global = azure

[azure-audit://auditlogs]
source = Azure
sourcetype = dataelicit/azure:azure-audit
frequency = 300
subscription_id = 2caaxxxx-52b7-43e1-afc2-ab2xxxxxx
secret = azurecreds
global = azure

[azure-storage-blob://blob-data]
sourcetype = dataelicit/azure:azure-storage-blob
frequency = 300
container_name = test
excluded_blobs = abcd.vhd
blob_mode = append
secret = storagecreds
global = azure

[azure-storage-table://table-data]
sourcetype = dataelicit/azure:azure-storage-table
cron = 0 0 1 * *
table_list = "test"
secret = storagecreds
global = azure

[azure-eventhub://eventhub]
frequency = 300
sourcetype = dataelicit/azure:azure-eventhub
global = azure
secret = eventhubcreds
eventhub_name = eventhub-ingest
enable_blob_checkpoint = true
blob_container_name = eventhubcheckpoint
Note
For each stanza use either cron or frequency. If both are configured, cron takes priority for scheduling.
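As an added example (not part of the connector's own code), the following Python linter reads a connector.conf and checks the rules stated in the specifications above: cron/frequency precedence, required secret and global references, the allowed time_aggregation and resource_type values, and the blob_container_name requirement when checkpointing is enabled. The sample configuration inside it is constructed for the demonstration.

```python
import configparser
from typing import Dict, List

# Allowed values as listed in the specifications above.
TIME_AGGREGATIONS = {"1min", "5min", "15min", "30min", "1h", "6h", "12h", "1d"}
RESOURCE_TYPES = {"VirtualMachine", "NetworkInterfaceCard", "PublicIPAddress", "SecurityGroups",
                  "VirtualNetwork", "DiskData", "SnapshotData", "ImageData"}

# Constructed sample: a blob stanza with both schedulers, an Event Hub stanza that enables
# checkpointing without a container and has no secret, and a metrics stanza with a bad aggregation.
SAMPLE_CONF = """
[azure-storage-blob://blob-data]
sourcetype = dataelicit/azure:azure-storage-blob
frequency = 300
cron = 0 0 1 * *
container_name = test
blob_mode = append
secret = storagecreds
global = azure

[azure-eventhub://eventhub]
frequency = 300
sourcetype = dataelicit/azure:azure-eventhub
eventhub_name = eventhub-ingest
enable_blob_checkpoint = true
global = azure

[azure-metrics://metrics]
cron = 0 0 1 * *
time_aggregation = 2h
secret = azurecreds
global = azure
"""


def lint_connector_conf(text: str) -> Dict[str, List[str]]:
    """Return {stanza name: [findings]} for every stanza in the given connector.conf text."""
    # interpolation=None so '%' in values such as date formats is not treated specially
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: Dict[str, List[str]] = {}
    for stanza in cp.sections():
        s, problems = cp[stanza], []
        if "cron" in s and "frequency" in s:
            problems.append("both cron and frequency set; cron takes priority, drop frequency")
        elif "cron" not in s and "frequency" not in s:
            problems.append("no schedule: set cron or frequency")
        for required in ("secret", "global"):
            if required not in s:
                problems.append(f"missing {required} stanza reference")
        if s.get("enable_blob_checkpoint", "false").lower() == "true" and "blob_container_name" not in s:
            problems.append("enable_blob_checkpoint = true requires blob_container_name")
        if "time_aggregation" in s and s["time_aggregation"] not in TIME_AGGREGATIONS:
            problems.append(f"time_aggregation {s['time_aggregation']!r} is not an allowed value")
        if "resource_type" in s and s["resource_type"] not in RESOURCE_TYPES:
            problems.append(f"resource_type {s['resource_type']!r} is not an allowed value")
        if s.get("disabled", "0") not in ("0", "1"):
            problems.append("disabled must be 0 or 1")
        findings[stanza] = problems
    return findings
```

Run `lint_connector_conf(open("connector.conf").read())` against a real file to review each stanza before enabling the inputs.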
