Bilal_Achahbar
Dec 03, 2018

Create OMS Alert through ARM template

Hi all

I am trying to create an OMS workspace with alerts attached to it through ARM templates. I already created an OMS workspace and for the alert part I followed the following tutorial. After some struggle over why my alert won't deploy, I saw in the commands of the same tutorial the following note.

"The "Action" scheme has been changed and additionally the alerts are in the Azure Monitor :) Here is link"

When I tried to read the documentation and get any smarter I just got stuck in an endless loop of reference links:

The link provided in the tutorial said that beginning May 14, 2018, all alerts in an Azure public cloud instance of Log Analytics workspace began to extend into Azure. After some time I found the following link, where I thought I had finally found how the new alert would be explained. But this is for Application Insights, not for Log Analytics.

To my question then: Is there someone who can help me out to find how the new Alert scheme works, or try to guide me in the right direction?

PS: the ARM template of my first tutorial gave me the following error: deploying OMS Alerts through ARM templates give bad gateway

  • Hi,

    The blog post you reference is old, as there have been changes in the API. Log Analytics alerts no longer use their own actions; rather, they reference an Action Group. So first you have to have an Action Group to reference. You've found the link for creating an Action Group via ARM template. You've also found the template for creating Log Analytics alerts. You still have to create saved search, schedule and action resources. The main difference is that in the action you have to reference the Action Group. Extending alerts to Azure means that alerts you had previously created using the API referenced in the blog post you've provided will be converted to using Action Groups automatically. In short, the only differences are that the API version is increased and that this part of the action resources:

    "EmailNotification": {
        "Recipients": [
            "[parameters('EmailRecipients')]"
        ],
        "Subject": "[parameters('DisplayNameOfSearch')]"
    }

    cannot be used; instead you have to reference the action group:

    "AzNsNotification": {
        "GroupIds": "[variables('MyAlert').AzNsNotification.GroupIds]",
        "CustomEmailSubject": "[variables('MyAlert').AzNsNotification.CustomEmailSubject]",
        "CustomWebhookPayload": "[variables('MyAlert').AzNsNotification.CustomWebhookPayload]"
    }

    CustomEmailSubject and CustomWebhookPayload are not mandatory parameters, and if they are not used you can skip them. You can also see that GroupIds is actually an array, so you can reference multiple resource groups if needed. Look at the full sample to help you understand better:

    https://docs.microsoft.com/en-us/azure/azure-monitor/insights/solutions-resources-searches-alerts#sample
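An added example, not part of the thread or of the linked sample: a small Python check that scans an ARM template for alert action resources that still carry the old `EmailNotification` block or lack `AzNsNotification.GroupIds`, which is the change the reply above describes. The embedded template is constructed, the function name `audit_alert_actions` is hypothetical, and the check assumes action resources are declared at the top level of the template with their full type name.

```python
import json

# Full resource type of a Log Analytics alert action, compared case-insensitively.
ACTION_TYPE = "microsoft.operationalinsights/workspaces/savedsearches/schedules/actions"


def is_arm_expression(value):
    """ARM template expressions are strings wrapped in [ ... ]."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def audit_alert_actions(template):
    """Return (resource name, finding) pairs for top-level alert action resources."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != ACTION_TYPE:
            continue
        name, props = res.get("name", "<unnamed>"), res.get("properties", {})
        if "EmailNotification" in props:
            findings.append((name, "legacy EmailNotification block"))
        group_ids = props.get("AzNsNotification", {}).get("GroupIds")
        if group_ids is None:
            findings.append((name, "no AzNsNotification.GroupIds"))
        elif not is_arm_expression(group_ids) and not (isinstance(group_ids, list) and group_ids):
            # A literal value must be a non-empty array; an expression is resolved at deploy time.
            findings.append((name, "GroupIds must be a non-empty array"))
    return findings


# Constructed sample (not from the thread): one old-style and one new-style action.
SAMPLE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
     "name": "old-action",
     "properties": {"EmailNotification": {"Recipients": ["[parameters('EmailRecipients')]"],
                                          "Subject": "[parameters('DisplayNameOfSearch')]"}}},
    {"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
     "name": "new-action",
     "properties": {"AzNsNotification":
                    {"GroupIds": "[variables('MyAlert').AzNsNotification.GroupIds]"}}}
  ]
}
""")

if __name__ == "__main__":
    for name, finding in audit_alert_actions(SAMPLE):
        print(f"{name}: {finding}")
```

Running it over a template before deployment shows which action resources still need to be moved to an action group reference.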

     


    • Bilal_Achahbar

      What I don't understand is how the alerts that I create are connected to the virtual machine.
      If I create an alert under: workspaces\savedsearch\shedule\actions the alerts in the portal are shown under the workspace resource and not under the virtual machine.

      • These are Log Analytics alerts. They are general in nature and are not linked to any Azure resource. Log Analytics can store data from Azure and non-Azure resources. The main part of the alert is the query, and the query can be scoped, for example, to a specific group of computers or to apply to all computers that report data to Log Analytics.
