
Introduction:
Data Collection Rules (DCRs) for Azure platform logs introduce a centralized, policy-driven method for gathering telemetry from thousands of resources using a single rule. This preview feature provides a streamlined alternative to traditional diagnostic settings, enabling security and IT teams to enforce governance at scale, cut ingestion costs through pre-ingestion filtering, and leverage modern identity and security protocols by default.
Learning Objectives:
- Understand the differences between legacy Diagnostic Settings and DCRs, including the benefits of managed identity and reduced latency.
- Learn how to create and associate a DCR using the Azure portal, CLI, and ARM/Bicep to centrally collect platform logs.
- Implement KQL transformations within DCRs to filter noise, reduce costs, and enhance security posture.
- Govern data collection at scale using DCR policies, RBAC, and customer-managed keys for encryption.
You Should Know:
1. Why DCRs Replace Diagnostic Settings for Platform Logs
Before this feature, Azure platform logs could only be exported using diagnostic settings. DCRs for platform telemetry provide significant advantages over this older method. First, they are more flexible and scalable: you can use a single DCR with multiple resources, whereas a separate diagnostic setting is required for each resource. Second, DCRs enable consistent ARM, Bicep, and Terraform deployment patterns across all resource types. Third, DCRs use managed identity for keyless authentication to storage accounts and Event Hubs, eliminating the need to manage and rotate connection strings or keys. Finally, DCRs typically reduce end-to-end latency to about three minutes, compared to six to ten minutes with diagnostic settings.
Step-by-step guide comparing DCRs to diagnostic settings:
- Step 1: Identify your resource types. Use the platform logs reference guide to confirm which resource types support DCR export.
- Step 2: Choose your destination. A platform telemetry DCR supports one destination type per rule (Log Analytics workspace, storage account, or Event Hubs). To send to multiple destinations, create separate DCRs.
- Step 3: Verify region alignment. For storage and Event Hubs destinations, the DCR, destination, and monitored resources must all be in the same region. For Log Analytics, the DCR and workspace must be in the same region, but monitored resources can be anywhere.
- Step 4: Assign a managed identity. For storage or Event Hubs destinations, the DCR requires a system-assigned or user-assigned managed identity. Grant the identity the `Storage Blob Data Contributor` role for storage accounts or `Azure Event Hubs Data Sender` for Event Hubs.
2. Creating Your First Platform Telemetry DCR (Azure Portal, CLI, and ARM)
You can create a DCR using the Azure portal, Azure CLI (version 2.61 or later), Azure PowerShell (Az.Monitor 5.2 or later), or REST API.
Step-by-step guide for the Azure portal:
- Step 1: Navigate to Monitor in the Azure portal, select Data Collection Rules, and click Create.
- Step 2: On the Basics tab, provide a rule name, subscription, resource group, and region.
- Step 3: On the Resources tab, add the Azure resources you want to monitor (e.g., Container Registries, Container Apps, MySQL servers).
- Step 4: On the Collect and deliver tab, select the log categories to collect. You can use `Logs-Group-All` to collect all categories for a resource type, or specify individual categories (e.g., `microsoft.dbformysql/flexibleservers:Logs-MySqlAuditLogs`).
- Step 5: Choose your destination (Log Analytics workspace, storage account, or Event Hubs) and provide the necessary details.
- Step 6: Review and create the DCR. It may take up to 30 minutes for logs to appear after the initial setup.
Azure CLI commands:
# Create a DCR that sends platform logs to a Log Analytics workspace.
# Replace the {subscription-id}, {rg} and {workspace-name} placeholders with your own values.
az monitor data-collection rule create \
  --name "myPlatformDCR" \
  --resource-group "myResourceGroup" \
  --location "eastus" \
  --data-flows '[{"streams": ["Microsoft-ResourceLogs"], "destinations": ["logAnalytics"]}]' \
  --log-analytics '[{"workspaceResourceId": "/subscriptions/{subscription-id}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{workspace-name}", "name": "logAnalytics"}]'
3. Reducing Ingestion Costs with KQL Transformations
One of the most powerful features of DCRs is the ability to apply Kusto Query Language (KQL) transformations to filter or modify incoming data before it is stored. This allows you to discard noisy, low-value data at the source, significantly reducing Log Analytics ingestion costs. Transformations can also remove sensitive data that should not be persisted and format data to match the destination schema.
Step-by-step guide to creating a transformation:
- Step 1: Create and test your KQL query in Log Analytics. Start with the `source` table, which represents your incoming data stream.
- Step 2: Use KQL operators such as `where` to filter rows, `extend` to create new columns, and `project` to select specific columns.
- Step 3: Ensure your query output matches the schema of the destination table and includes a `TimeGenerated` column of type `datetime`.
- Step 4: Add the transformation to your DCR. In the Azure portal, edit the DCR and add a transformation query in the “Transform” tab. You can also include the transformation in the DCR JSON definition under the `transformKql` property.
- Step 5: Monitor transformation performance using metrics like `Logs Transformation Duration per Min` and `Logs Transformation Errors per Min`.
Sample KQL transformation to filter only critical syslog events:
source
| where SeverityLevel == "Critical"
| project TimeGenerated, Computer, ProcessName, Message
4. Security Hardening: Managed Identity, RBAC, and Encryption
DCRs are built with security and governance in mind. For storage account and Event Hubs destinations, the DCR must use a managed identity, which supports keyless authentication and eliminates secrets management. You can then use Azure RBAC to grant the managed identity the minimum required permissions. For example, a DCR sending logs to a storage account needs the `Storage Blob Data Contributor` role. Ensure you have the proper permissions (`Microsoft.Compute/virtualMachines/write`) to assign system-assigned managed identities. To meet regulatory compliance, use a dedicated Azure Monitor cluster with customer-managed keys (CMK) to enable double encryption at the service and infrastructure levels.
Step-by-step guide for securing DCRs:
- Step 1: Always use managed identities instead of access keys for authentication to destinations.
- Step 2: Grant the managed identity the least-privilege RBAC role required for the destination.
- Step 3: Enable diagnostic settings for your DCR to send error logs to a Log Analytics workspace for auditing.
- Step 4: For high-security environments, deploy DCRs using policy-driven IaC (ARM/Bicep/Terraform) with CI/CD pipelines to prevent configuration drift.
5. Monitoring DCR Health and Performance
Azure Monitor provides detailed metrics and logs to monitor the performance of your DCRs and troubleshoot issues. Key metrics include ingestion volume, processing errors, and transformation performance.
Step-by-step guide to setting up monitoring:
- Step 1: Enable diagnostic settings on each DCR to collect error logs.
- Step 2: Create metric alert rules for critical conditions, such as a sudden change in the number of rows dropped per minute.
- Step 3: Query DCR error logs in Log Analytics. These logs are generated when data reaches the ingestion pipeline but fails to reach its destination (e.g., due to transformation errors, malformed API calls, or throttling).
- Step 4: Use the `_ResourceLogs` table in your Log Analytics workspace to review DCR-specific logs.
6. Governance at Scale: DCR Policies and Infrastructure as Code
DCRs are designed for policy-driven governance. You can define a DCR once and apply it across thousands of resources, ensuring consistent data collection and compliance. Integrate new workloads using DCR policies.
Step-by-step guide to IaC deployment:
- Step 1: Define your DCR as an ARM template, Bicep file, or Terraform configuration. This ensures version-controlled, repeatable deployments.
- Step 2: Use Azure Policy to audit or enforce that all resources of a certain type have an associated DCR.
- Step 3: Deploy DCRs across management groups using CI/CD pipelines to maintain consistency across environments.
- Step 4: For advanced scenarios, modify the DCR JSON directly to implement transformations or add custom data sources.
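The destination, region-alignment and managed-identity rules from section 1 (Steps 2 to 4) and the "every resource has an associated DCR" audit from Step 2 above can be checked offline before a rollout. The following is an added example, not Microsoft tooling; the dict shape is an assumption modelled loosely on the ARM resource (`location`, `identity.type`, `properties.destinations`), and the resource ids are constructed.

```python
# Added example, not Microsoft tooling. The dict shape is an assumption modelled
# loosely on the ARM resource: location, identity.type, properties.destinations.
REQUIRED_ROLE = {  # roles the guide names for keyless destinations (assumed keys)
    "storageAccounts": "Storage Blob Data Contributor",
    "eventHubs": "Azure Event Hubs Data Sender",
}
DESTINATION_TYPES = ("logAnalytics",) + tuple(REQUIRED_ROLE)


def lint_dcr(dcr, destination_regions, monitored_regions):
    """Findings for one DCR. destination_regions: destination name -> region;
    monitored_regions: associated resource id -> region."""
    findings = []
    dests = dcr.get("properties", {}).get("destinations", {})
    used = [t for t in DESTINATION_TYPES if dests.get(t)]
    if len(used) != 1:  # one destination type per platform telemetry rule
        return [f"expected exactly one destination type, found {used}"]
    kind, rule_region = used[0], dcr["location"].lower()
    if kind in REQUIRED_ROLE:
        # Storage / Event Hubs: keyless auth needs a managed identity ...
        if dcr.get("identity", {}).get("type", "None") == "None":
            findings.append(f"{kind}: no managed identity; assign one and "
                            f"grant it '{REQUIRED_ROLE[kind]}'")
        # ... and every monitored resource must sit in the rule's region.
        for rid, region in monitored_regions.items():
            if region.lower() != rule_region:
                findings.append(f"{rid} is in {region}, rule is in {rule_region}")
    # For every destination type, destination and rule must share a region.
    for dest in dests[kind]:
        region = destination_regions.get(dest["name"], "").lower()
        if region != rule_region:
            findings.append(f"destination {dest['name']} is in {region or '?'}, "
                            f"rule is in {rule_region}")
    return findings


def coverage_gaps(resource_ids, associations):
    """Resource ids with no DCR association (what an Azure Policy audit flags)."""
    covered = {a["resourceId"] for a in associations}
    return sorted(rid for rid in resource_ids if rid not in covered)


# Constructed sample: storage-destination rule in eastus with no identity, one
# associated registry in westus, and a second registry with no rule at all.
SAMPLE_DCR = {"location": "eastus", "identity": {"type": "None"},
              "properties": {"destinations": {"storageAccounts": [{"name": "logs-sa"}]}}}
REGISTRIES = ["/subs/x/rg/a/registries/acr1", "/subs/x/rg/a/registries/acr2"]
ASSOCIATIONS = [{"resourceId": REGISTRIES[0], "dcrName": "myPlatformDCR"}]
```

Running `lint_dcr(SAMPLE_DCR, {"logs-sa": "eastus"}, {REGISTRIES[0]: "westus"})` reports the missing identity and the out-of-region registry, and `coverage_gaps(REGISTRIES, ASSOCIATIONS)` lists the registry with no rule.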
What Undercode Say:
- Key Takeaway 1: DCRs for platform logs are not just an incremental improvement; they represent a paradigm shift in Azure monitoring. The move from per-resource diagnostic settings to a single, policy-driven DCR is a game-changer for large-scale governance, drastically reducing management overhead.
- Key Takeaway 2: The ability to filter data at ingestion using KQL transformations is the ultimate tool for cost control. By dropping verbose, non-actionable logs at the source, organizations can slash their Log Analytics ingestion bills while simultaneously improving security by sanitizing sensitive data before it ever lands in a workspace.
- Analysis: While DCRs offer immense power, they introduce architectural complexity. A poorly planned rollout can lead to “DCR sprawl,” where hundreds of rules become unmanageable. The key is to invest heavily in governance upfront—using IaC, Azure Policy, and clear naming conventions—to prevent this. Furthermore, real-world testing has shown that while the Azure portal prevents deletion of DCRs with active associations, the underlying API can delete linked rules, creating potential SOC blind spots. Organizations must therefore not only adopt DCRs but also implement robust monitoring and access controls specifically for DCR management.
Prediction:
- -1: While DCRs provide superior filtering, their complexity will lead to a sharp increase in misconfigurations, causing critical log data to be dropped accidentally and creating security detection gaps, forcing a new market for DCR auditing tools.
- +1: The combination of DCRs with Azure Policy will become the gold standard for compliance-driven log management, enabling organizations to enforce security data collection requirements across tens of thousands of resources with near-zero manual intervention.
Reported By: Markolauren Data – Hackers Feeds