The collection rule has 3 parts:
1) A data source that reads the log. In the example it picks up every single line, because the expression matches the wildcard “*”; you can use this expression instead to filter which lines in each of your logs are ‘interesting’ and worth collecting.
<DataSource ID="LogDS" TypeID="AppLog!System.ApplicationLog.GenericLog.FilteredEventProvider">
<LogFileDirectory>c:\Logs\</LogFileDirectory>
<LogFilePattern>Test*.log</LogFilePattern>
<LogIsUTF8>false</LogIsUTF8>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[1]</XPathQuery>
</ValueExpression>
<Operator>MatchesWildcard</Operator>
<Pattern>*</Pattern>
</RegExExpression>
</Expression>
</DataSource>
2) A condition detection used to MAP the fields to the ‘event’ shape that OpInsights Log Management expects:
<ConditionDetection ID="Mapper" TypeID="SystemLibrary7585010!System.Event.GenericDataMapper">
<EventOriginId>$Target/Id$</EventOriginId>
<PublisherId>$MPElement$</PublisherId>
<PublisherName>GenericLog</PublisherName>
<Channel>$Data/EventData/DataItem/LogFileName$</Channel>
<LoggingComputer>$Target/Property[Type='MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer']/PrincipalName$</LoggingComputer>
<EventNumber>0</EventNumber>
<EventCategory>3</EventCategory>
<EventLevel>0</EventLevel>
<UserName></UserName>
<Description>$Data/EventData/DataItem/Params/Param[1]$</Description>
<Params />
</ConditionDetection>
3) A write action to send this data to the cloud:
<WriteAction ID="HttpWA" TypeID="IPTypes!Microsoft.SystemCenter.CollectCloudGenericEvent" />
Complete Rule Code:
<Rule ID="MomUIGeneratedRuledc3f1e40e7d54c5a82e408523d686031" Enabled="true" Target="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="LogDS" TypeID="AppLog!System.ApplicationLog.GenericLog.FilteredEventProvider">
<LogFileDirectory>c:\Logs\</LogFileDirectory>
<LogFilePattern>Test*.log</LogFilePattern>
<LogIsUTF8>false</LogIsUTF8>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[1]</XPathQuery>
</ValueExpression>
<Operator>MatchesWildcard</Operator>
<Pattern>*</Pattern>
</RegExExpression>
</Expression>
</DataSource>
</DataSources>
<ConditionDetection ID="Mapper" TypeID="SystemLibrary7585010!System.Event.GenericDataMapper">
<EventOriginId>$Target/Id$</EventOriginId>
<PublisherId>$MPElement$</PublisherId>
<PublisherName>GenericLog</PublisherName>
<Channel>$Data/EventData/DataItem/LogFileName$</Channel>
<LoggingComputer>$Target/Property[Type='MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer']/PrincipalName$</LoggingComputer>
<EventNumber>0</EventNumber>
<EventCategory>3</EventCategory>
<EventLevel>0</EventLevel>
<UserName></UserName>
<Description>$Data/EventData/DataItem/Params/Param[1]$</Description>
<Params />
</ConditionDetection>
<WriteActions>
<WriteAction ID="HttpWA" TypeID="IPTypes!Microsoft.SystemCenter.CollectCloudGenericEvent" />
</WriteActions>
</Rule>
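Because the rule's write action ships every line that survives the data-source expression to the cloud, the `<Pattern>` is the place to decide what is worth collecting. The following added example (my own code, not part of SCOM, OpInsights or this post) simulates the rule's three parts against constructed sample log lines so that a filter expression can be tried offline before the management pack is imported. It parses a DataSource fragment in the shape shown above, applies the RegExExpression filter to each line the way the GenericLog provider exposes it (the whole line as Params/Param[1]), and maps the surviving lines into the event shape the ConditionDetection produces. The embedded fragment uses MatchesRegularExpression, the regular-expression operator of the same SCOM RegExExpression element, with a pattern I chose for illustration; the wildcard operator is approximated with Python's fnmatch, the host name, file name and log lines are constructed, and the $Target/...$ and $Data/...$ references that SCOM resolves at run time are passed in as plain parameters.

```python
"""Simulate the collection rule: data source filter -> mapper -> collected events.

Added example, not SCOM or OpInsights code. The DataSource fragment below mirrors
the page's rule except that the wildcard "*" is replaced by a regular expression
that keeps only failure-related lines (constructed pattern, for illustration).
"""
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed DataSource fragment in the shape of the page's LogDS element.
DATASOURCE_XML = """
<DataSource ID="LogDS" TypeID="AppLog!System.ApplicationLog.GenericLog.FilteredEventProvider">
  <LogFileDirectory>c:\\Logs\\</LogFileDirectory>
  <LogFilePattern>Test*.log</LogFilePattern>
  <LogIsUTF8>false</LogIsUTF8>
  <Expression>
    <RegExExpression>
      <ValueExpression>
        <XPathQuery Type="String">Params/Param[1]</XPathQuery>
      </ValueExpression>
      <Operator>MatchesRegularExpression</Operator>
      <Pattern>(?i)(error|failed|denied)</Pattern>
    </RegExExpression>
  </Expression>
</DataSource>
"""

# Constructed sample log lines, as if read from c:\Logs\Test01.log.
SAMPLE_LINES = [
    "2015-03-02 10:00:01 INFO  service started",
    "2015-03-02 10:00:07 ERROR connection to db01 failed",
    "2015-03-02 10:00:09 WARN  access denied for user svc_backup",
    "2015-03-02 10:00:12 INFO  heartbeat ok",
]


def parse_filter(datasource_xml):
    """Return (operator, pattern) from the RegExExpression inside the DataSource."""
    root = ET.fromstring(datasource_xml)
    expr = root.find("Expression/RegExExpression")
    return expr.findtext("Operator"), expr.findtext("Pattern")


def line_matches(operator, pattern, line):
    """Apply a RegExExpression operator to one log line (Params/Param[1]).

    MatchesWildcard is approximated with fnmatch ('*' and '?' behave as in SCOM;
    other fnmatch metacharacters are an artefact of the approximation).
    """
    if operator == "MatchesWildcard":
        return fnmatch.fnmatchcase(line, pattern)
    if operator == "MatchesRegularExpression":
        return re.search(pattern, line) is not None
    raise ValueError(f"unsupported operator in this simulation: {operator}")


def map_event(log_file_name, line, logging_computer):
    """Mirror the GenericDataMapper on the page: the line becomes Description,
    the log file name becomes Channel, and the fixed fields are copied as-is.
    PublisherId and EventOriginId are SCOM run-time values and are left out."""
    return {
        "PublisherName": "GenericLog",
        "Channel": log_file_name,
        "LoggingComputer": logging_computer,
        "EventNumber": 0,
        "EventCategory": 3,
        "EventLevel": 0,
        "UserName": "",
        "Description": line,
    }


def collect(datasource_xml, lines, log_file_name="Test01.log",
            logging_computer="HOST01.example.local"):
    """Run the data source filter and the mapper; return the events the
    write action would send to the cloud."""
    operator, pattern = parse_filter(datasource_xml)
    return [map_event(log_file_name, line, logging_computer)
            for line in lines if line_matches(operator, pattern, line)]


if __name__ == "__main__":
    for event in collect(DATASOURCE_XML, SAMPLE_LINES):
        print(event["Channel"], "->", event["Description"])
```

With the constructed pattern only the two failure lines are mapped and sent; swapping the pattern for `*` with `MatchesWildcard` reproduces the page's rule and forwards all four lines. Running a candidate pattern over a day's worth of real lines from the target log this way gives a quick estimate of collection volume before the rule goes live.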