Since we are ingesting custom log data via an API, we need to create custom tables with columns that can distinguish the log type and identify which Data Collection Rule (DCR) was used to ingest the logs.
Here are the steps to create custom table:
Go to Log Analytics Workspaces.
Choose your workspace.
Go to Settings > Click Create > New Custom Log (DCR – based)
Table Name: specify table name
Data Collection Rule: fill in the data collection rule name which you have created.
DCR Endpoint: This will be auto filled as the endpoint is already bonded to DCR.
Select Schema and transformation: upload Json file of table schema.
example:
{
"TimeGenerated":"2024-07-22T11:47:51Z",
"source_type":"source type",
"source_dcr":"dcr-immutable id",
"event": {}
}
List of tables:
S. No. | Log Type | Table |
service_log | ServiceLog | |
internal_notifications_log | InternalNotificationsLog | |
audit_log | AuditLog | |
ddi_dhcp_lease_log | DdiDhcpLeaseLog | |
ddi_dns_log | DdiDnsLog | |
td_dns_log | TdDnsLog | |
td_rpz_log | TdRpzLog | |
rpz_log | RpzLog | |
dns_log | DnsLog |
Review and submit. Wait for at least 30 minutes to reflect on the changes.
Once the setup is complete, you will have the following credentials:
Client ID and Client Secret from the application registration.
Tenant ID from your Azure Active Directory.
DCR Immutable ID from the Data Collection Rule (DCR) creation
DCR End Point from DCR endpoints.
You can use the above details to configure credentials in the Infoblox Portal.
Note: For QA testing, we recommend using existing analytics workspaces instead of creating new ones to manage costs, A workspace can support 200 Data collection rules.