SOLVED

Create OMS Alert throug ARM template

Copper Contributor

Hi  all

I am trying to create an oms workspace with alerts attached to it through ARM templates. I already created an OMS workspace and for the alert part I followed the following tutorial. After some struggle why my alert won't deploy i saw in the commands of the same tuturial following note.

The "Action" scheme has been changed and additionally the alerts are in the Azure Monitor:) Here is link"

When I tried to read the documentation and get any smarter I just got stuck in a endless loop of reference links:

The link provided in the tutorial said that Beginning May 14, 2018, all alerts in an Azure public cloud instance of Log Analytics workspace began to extend into Azure. After some time I found following link. Where I thought I finaly found how the new alert will be explained. But this is for application insights not for log analytics.

TO my question than: Is there someone who can help me out try to find how the new Alert scheme works or try to guide me in the right direction.

PS: the arm template of my first tutorial gave me following error : deploying OMS Alerts through ARM templates give bad gateway

7 Replies
best response confirmed by Bilal_Achahbar (Copper Contributor)
Solution

Hi,

The blog post you reference is old as there are changes in the API. Log Analytics alerts no longer use their own actions rather they reference Action Group. So you first you have to have Action Group to reference. You've found the link for creating Action Group via ARM template. You've also find the template for creating Log Analytics alerts. You still have to create saved search, schedule and action resources. The main difference in the action you have to reference the Action Group. The extending alerts to Azure means that if you had created previously alerts that were using the api referenced in the blog post you've provided will be converted to using Action Group automatically. In short the only differences are the API version is increased and this part of action resources:

 "EmailNotification": {
            "Recipients": [
                "[parameters('EmailRecipients')]"
            ],
            "Subject": "[parameters('DisplayNameOfSearch')]"
        }

cannot be used but instead you have to references action group.

"AzNsNotification": {
        "GroupIds": "[variables('MyAlert').AzNsNotification.GroupIds]",
        "CustomEmailSubject": "[variables('MyAlert').AzNsNotification.CustomEmailSubject]",
        "CustomWebhookPayload": "[variables('MyAlert').AzNsNotification.CustomWebhookPayload]"
        }

CustomEmailSubject and CustomWebhookPayload are not mandatory parameters and if they are not used you can skip them. You can also see GroupIds is actually array so you can reference multiple resource groups if needed. Look at the full sample to help you understand better:

https://docs.microsoft.com/en-us/azure/azure-monitor/insights/solutions-resources-searches-alerts#sa...

 

What I don't understand , is how my alerts that I create being connected to the virtual machine.
If i create an alert under : workspaces\savedsearch\shedule\actions   the alerts in the portal are shown under the workspace resource and not under the virtual machine.

These are Log Analytics alerts. They are general in nature and are not linked to any Azure resource. Log Analytics can store data from Azure and non-Azure resources. The main part of the alert is the query and the query can be scoped for example to specific group of computers or to apply to all computers that report data to Log Analytics.

I am sorry for the bad explanation. 

What i mean is that in my query i can use "Heartbeat"  and get results. But i can ask for performance logs. So therefore i asked if i need some extra resource so that every log of the virtual machine will be pushed to the log analytics. So that i can run the "Perf" query on my log analytics.

Hi,

To have performance data from servers appearing in Log Analytics and being able to alert on it with Log Analytics queries you will need to add the desired performance counters. This is explained here:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-performance-counters

Thank you Stan! it works like a charm. But i have a doubt. what is the solution here and why it is mandatory.

 

"SolutionName": "MySolution",
"SolutionVersion": "1.0",
"SolutionPublisher": "Contoso",
"ProductName": "SampleSolution",

 

in real time should we change the above fields. Sorry, i mean we have to use the same publisher/product names?

The solution is example in case you want to wrap more than alert into a solution. It is a matter of preference. I avoid using wrapping Azure Monitor resources into solution these days. So it is ok to remove that part of the code.

1 best response

Accepted Solutions
best response confirmed by Bilal_Achahbar (Copper Contributor)
Solution

Hi,

The blog post you reference is old as there are changes in the API. Log Analytics alerts no longer use their own actions rather they reference Action Group. So you first you have to have Action Group to reference. You've found the link for creating Action Group via ARM template. You've also find the template for creating Log Analytics alerts. You still have to create saved search, schedule and action resources. The main difference in the action you have to reference the Action Group. The extending alerts to Azure means that if you had created previously alerts that were using the api referenced in the blog post you've provided will be converted to using Action Group automatically. In short the only differences are the API version is increased and this part of action resources:

 "EmailNotification": {
            "Recipients": [
                "[parameters('EmailRecipients')]"
            ],
            "Subject": "[parameters('DisplayNameOfSearch')]"
        }

cannot be used but instead you have to references action group.

"AzNsNotification": {
        "GroupIds": "[variables('MyAlert').AzNsNotification.GroupIds]",
        "CustomEmailSubject": "[variables('MyAlert').AzNsNotification.CustomEmailSubject]",
        "CustomWebhookPayload": "[variables('MyAlert').AzNsNotification.CustomWebhookPayload]"
        }

CustomEmailSubject and CustomWebhookPayload are not mandatory parameters and if they are not used you can skip them. You can also see GroupIds is actually array so you can reference multiple resource groups if needed. Look at the full sample to help you understand better:

https://docs.microsoft.com/en-us/azure/azure-monitor/insights/solutions-resources-searches-alerts#sa...

 

View solution in original post