From 6f267537f99d854d2c441dc90542c8a7dbe05d6a Mon Sep 17 00:00:00 2001
From: TimSBenjamin
Date: Tue, 15 May 2018 10:24:14 -0500
Subject: [PATCH 1/2] Licenisng update

April 2nd a new pricing model is available for all customers. New subscriptions use this by default

---
 oms-all-deploy/nestedtemplates/omsWorkspace.json | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/oms-all-deploy/nestedtemplates/omsWorkspace.json b/oms-all-deploy/nestedtemplates/omsWorkspace.json
index 473034b9ec48..fe32e8320bde 100644
--- a/oms-all-deploy/nestedtemplates/omsWorkspace.json
+++ b/oms-all-deploy/nestedtemplates/omsWorkspace.json
@@ -69,9 +69,13 @@
 "comments": "Log Analytics workspace",
 "properties": {
 "sku": {
- "name": "pernode"
+ "name": "pergb2018"
 },
- "retentionInDays": 120
+ "retentionInDays": 180
+ },
+ "workspacecaping": {
+ "dailyQuotaGb": -1,
+ "dataIngestionStatus": "RespectQuota"
 },
 "resources": [
 {
@@ -111,8 +115,8 @@
 "properties": {
 "ETag": "*",
 "category": "HyperV",
- "displayName": "VMs created last 24 hours",
- "query": "EventLog=\"Microsoft-Windows-Hyper-V-VMMS-Admin\" EventLevelName=information EventID=13002 TimeGenerated>NOW-1DAY "
+ "displayName": "HyperV VMs created last 24 hours",
+ "query": "Event | where EventLog == \"Microsoft-Windows-Hyper-V-VMMS-Admin\" and EventID == 13003 and EventLevelName =~ \"information\" and TimeGenerated > ago(1d)"
 }
 },
 {

From c356c8b53e066136a3d8590f9bf5a7a7cf7d5e6a Mon Sep 17 00:00:00 2001
From: TimSBenjamin
Date: Tue, 15 May 2018 14:20:41 -0500
Subject: [PATCH 2/2] Searches updated to KQL

Severl other search bugs and typos fixed as well.

---
 .../nestedtemplates/omsWorkspace.json | 61 +++++++------------
 1 file changed, 21 insertions(+), 40 deletions(-)

diff --git a/oms-all-deploy/nestedtemplates/omsWorkspace.json b/oms-all-deploy/nestedtemplates/omsWorkspace.json
index fe32e8320bde..892bf6e991de 100644
--- a/oms-all-deploy/nestedtemplates/omsWorkspace.json
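Review bot: The rewritten HyperV1 query in `@@ -111,8 +115,8 @@` changes the filter from `EventID == 13002` to `EventID == 13003` while the displayName still says "VMs created", and the "VMs deleted" search in the second commit (`@@ -130,7 +111,7 @@`) filters on 13003 as well, so the two saved searches now return identical rows and the created-VM view is lost. The removed line used 13002 for the created case; unless that ID was itself wrong, the added line should read `"query": "Event | where EventLog == \"Microsoft-Windows-Hyper-V-VMMS-Admin\" and EventID == 13002 and EventLevelName =~ \"information\" and TimeGenerated > ago(1d)"`. The second commit's `@@ -115,7 +96,7 @@` carries this query as context, so the correction has to land in whichever commit is applied last, and which of 13002/13003 is the create event should be confirmed against the Hyper-V-VMMS-Admin log rather than inferred from the template. The enclosing savedSearches resource starts outside the hunk.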
+++ b/oms-all-deploy/nestedtemplates/omsWorkspace.json
@@ -72,11 +72,7 @@
 "name": "pergb2018"
 },
 "retentionInDays": 180
- },
- "workspacecaping": {
- "dailyQuotaGb": -1,
- "dataIngestionStatus": "RespectQuota"
- },
+ },
 "resources": [
 {
 "name": "AzureActivityLog",
@@ -90,21 +86,6 @@
 "linkedResourceId": "[concat(subscription().id, '/providers/Microsoft.Insights/eventTypes/management')]"
 }
 },
- {
- "name": "[concat(parameters('omsWorkspaceName'), '/', 'SoftwareUpdateFailed1')]",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2017-03-15-preview",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspaceName'))]"
- ],
- "tags": {},
- "properties": {
- "ETag": "*",
- "query": "Event | where EventID == 20 and Source == \"Microsoft-Windows-WindowsUpdateClient\" and EventLog == \"System\" and TimeGenerated > ago(1d)",
- "displayName": "Failed Software Updates in the last day",
- "category": "Software Updates"
- }
- },
 {
 "apiVersion": "2017-03-15-preview",
 "name": "[concat(parameters('omsWorkspaceName'), '/', 'HyperV1')]",
@@ -115,7 +96,7 @@
 "properties": {
 "ETag": "*",
 "category": "HyperV",
- "displayName": "HyperV VMs created last 24 hours",
+ "displayName": "VMs created last 24 hours",
 "query": "Event | where EventLog == \"Microsoft-Windows-Hyper-V-VMMS-Admin\" and EventID == 13003 and EventLevelName =~ \"information\" and TimeGenerated > ago(1d)"
 }
 },
@@ -130,7 +111,7 @@
 "ETag": "*",
 "category": "HyperV",
 "displayName": "VMs deleted last 24 hours",
- "Query": "EventLog=\"Microsoft-Windows-Hyper-V-VMMS-Admin\" EventLevelName=information EventID=13003 TimeGenerated>NOW-1DAY"
+ "Query": "Event | where EventLog == \"Microsoft-Windows-Hyper-V-VMMS-Admin\" and EventID == 13003 and EventLevelName =~ \"information\" and TimeGenerated > ago(1d)"
 }
 },
 {
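Review bot: Deleting the `SoftwareUpdateFailed1` resource in `@@ -90,21 +86,6 @@` while `@@ -143,12 +124,12 @@` renames `SoftwareUpdateFailed2` to `SoftwareUpdateFailed1` removes the one-day failed-update view altogether and leaves a stale search on workspaces that were already deployed: Resource Manager's default incremental deployment does not delete resources that vanish from the template, so the existing `SoftwareUpdateFailed2` saved search keeps its legacy-syntax query while the existing `SoftwareUpdateFailed1` is overwritten with the seven-day query. If one weekly search is the intent, the commit description should state that the daily search was dropped, and operators of existing deployments need to be told to remove the orphaned `SoftwareUpdateFailed2` by hand; alternatively keep the original resource name and only update its query, which avoids the orphan. The `resources` array enclosing the deleted object starts outside the hunk.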
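Review bot: The added line in `@@ -130,7 +111,7 @@` keeps the key `"Query"` while every other saved search in this file uses `"query"`; Resource Manager is generally lenient about property-name casing, but any case-sensitive tooling that reads or validates this template will treat the deleted-VM search as having no query, and the inconsistency invites further drift. The added line should start `"query": "Event | where EventLog == \"Microsoft-Windows-Hyper-V-VMMS-Admin\" ...`. The enclosing savedSearches resource starts and ends outside the hunk.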
@@ -143,12 +124,12 @@
 "properties": {
 "ETag": "*",
 "category": "HyperV",
- "displayName": "Replication throughput per VM",
- "query": "Type:Perf ObjectName=\"Hyper-V Azure Replication Agent\" CounterName=\"Replication Throughput\" TimeGenerated>NOW-8HOURS | measure avg(CounterValue) by InstanceName interval 15minutes"
+ "displayName": "Replication throughput per VM over last 24 hours",
+ "query": "Perf | where ObjectName == \"Hyper-V Azure Replication Agent\" and CounterName == \"Replication Throughput\" and TimeGenerated > ago(1d) | summarize AggregatedValue = avg(CounterValue) by InstanceName, bin(TimeGenerated, 15m)"
 }
 },
 {
- "name": "[concat(parameters('omsWorkspaceName'), '/', 'SoftwareUpdateFailed2')]",
+ "name": "[concat(parameters('omsWorkspaceName'), '/', 'SoftwareUpdateFailed1')]",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "apiVersion": "2017-03-15-preview",
 "dependsOn": [
@@ -157,9 +138,9 @@
 "tags": {},
 "properties": {
 "ETag": "*",
- "query": "Type=Event EventID=20 Source=\"Microsoft-Windows-WindowsUpdateClient\" EventLog=\"System\" TimeGenerated>NOW-168HOURS",
- "displayName": "A Software Update Installation Failed",
- "category": "Software Updates"
+ "category": "Software Updates",
+ "displayName": "Failed Software Updates in the last week",
+ "query": "Event | where EventID == 20 and Source == \"Microsoft-Windows-WindowsUpdateClient\" and EventLog == \"System\" and TimeGenerated > ago(7d)"
 }
 },
 {
@@ -172,9 +153,9 @@
 "tags": {},
 "properties": {
 "ETag": "*",
- "query": "Type=Event EventID=4202 Source=\"TCPIP\" EventLog=\"System\" TimeGenerated>NOW-24HOURS | Measure Count() By Computer",
- "displayName": "A Network adatper was disconnected from the network",
- "category": "Networking"
+ "category": "Networking",
+ "displayName": "NICs disconnected from the network in last 24 hours",
+ "query": "Event | where EventLog == \"System\" and Source == \"TCPIP\" and EventID == 4202 and TimeGenerated > ago(24h) | summarize AggregatedValue = count() by Computer"
 }
 },
 {
@@ -187,9 +168,9 @@
 "tags": {},
 "properties": {
 "ETag": "*",
- "query": "Event | where (EventID == 4198 or EventID == 4199) and Source == \"TCPIP\" and EventLog == \"System\" and TimeGenerated > ago(24h)",
- "displayName": "Duplicate IP address has been detected",
- "category": "Networking"
+ "category": "Networking",
+ "displayName": "Duplicate IP addresses detected in the last 24 hours",
+ "query": "Event | where (EventID == 4198 or EventID == 4199) and Source == \"TCPIP\" and EventLog == \"System\" and TimeGenerated > ago(24h)"
 }
 },
 {
@@ -202,9 +183,9 @@
 "tags": {},
 "properties": {
 "ETag": "*",
- "query": "Type=Event EventID=98 Source=\"Microsoft-Windows-Ntfs\" EventLog=\"System\" TimeGenerated>NOW-24HOURS | Measure Count() By Computer",
- "displayName": "NTFS File System Corruption",
- "category": "NTFS"
+ "category": "NTFS",
+ "displayName": "NTFS File System Corruption in the last 24 hours",
+ "query": "Event | where EventLog == \"System\" and EventID == 98 and Source =~ \"Microsoft-Windows-Ntfs\" and TimeGenerated > ago(1d) | summarize AggregatedValue = count() by Computer"
 }
 },
 {
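Review bot: The KQL query added in `@@ -172,9 +153,9 @@` compares `Source == \"TCPIP\"` with the case-sensitive `==`, whereas the legacy `Source=\"TCPIP\"` comparison it replaces was not case-sensitive, and the NTFS hunk on this same line (`@@ -202,9 +183,9 @@`) already uses `=~` for Source. If the provider records its name with different casing than `TCPIP` (I cannot confirm the logged value from the template), both networking saved searches silently return zero rows and the NIC-disconnect and duplicate-IP coverage they are meant to give disappears without any error. Use `Source =~ \"TCPIP\"` here and in the duplicate-IP query of `@@ -187,9 +168,9 @@`, matching the operator the NTFS and Disk searches use. Each enclosing savedSearches resource starts outside its hunk.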
@@ -217,9 +198,9 @@
 "tags": {},
 "properties": {
 "ETag": "*",
- "query": "Type=Event EventID=40 OR EventID=36� Source=\"DISK\" EventLog=\"System\" TimeGenerated>NOW-24HOURS | Measure Count() By Compute",
- "displayName": "NTFS Quouta treshold limit reached",
- "category": "NTFS"
+ "category": "NTFS",
+ "displayName": "NTFS User Disk Quota Reached",
+ "query": "Event | where EventLog == \"System\" and (EventID == 40 or EventID == 36) and Source =~ \"Disk\" and TimeGenerated > ago(24h) | summarize AggregatedValue = count() by Computer"
 }
 },
 {
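Review bot: The new displayName `NTFS User Disk Quota Reached` is the only renamed search on this page without a time window in its title, although its query filters on `ago(24h)` like the others; `"displayName": "NTFS User Disk Quota Reached in the last 24 hours"` keeps the naming consistent. Separately, the category and title say NTFS but the predicate filters `Source =~ \"Disk\"` with IDs 40 and 36, carried over from the removed legacy line (the rewrite does correctly fix that line's garbled `36�` character, the mixed AND/OR precedence and the `By Compute` typo); I cannot confirm from the template which provider emits the quota events, so the Source and IDs should be checked against a live workspace before this search is relied on, since a wrong provider name yields an empty result with no error. The enclosing savedSearches resource starts outside the hunk.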