Obs/bin/ObsAgent/lib/Scripts/DiagnosticLogRoleConfiguration.json

{
  "DeploymentLogs": {
    "Nodes": [ "PhysicalMachines", "AllVms" ],
    "FileLog": [
      "$env:SystemDrive\\CloudDeployment\\Logs\\"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "BareMetal": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:windir\\logs\\DISM\\DISM.log",
      "$env:windir\\Logs\\CBS\\"
    ],
    "CSVLog": [],
    "WindowsEventLog": [
      "Setup",
      "System",
      "Application",
      "*Microsoft-Windows-DSC*",
      "Microsoft-Windows-Health/Diagnostic",
      "Microsoft-Windows-Kernel-Boot/Operational",
      "Microsoft-Windows-CodeIntegrity/Operational",
      "Microsoft-Windows-PowerShell/Operational",
      "Microsoft-Windows-BitLocker/BitLocker Management",
      "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
      "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
      "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Verbose",
      "Microsoft-Windows-SMBServer/Audit",
      "Microsoft-Windows-SmbClient/Security",
      "Microsoft-Windows-SmbClient/Audit",
      "Microsoft-Windows-FailoverClustering/Diagnostic",
      "Microsoft-Windows-FailoverClustering-NetFt/Verbose"
    ]
  },
  "ECE": {
    "Nodes": [ "PhysicalMachines", "AllVms" ],
    "FileLog": [
      "$env:SystemDrive\\maslogs\\",
      "$env:LocalRootFolderPath\\maslogs\\",
      "$env:SystemDrive\\Observability\\maslogs\\",
      "$env:SystemDrive\\Observability\\ECE",
      "$env:SystemDrive\\Observability\\ECEAgent"
    ],
    "CSVLog": [],
    "WindowsEventLog": [
      "Microsoft-Windows-WMI-Activity/Operational",
      "Microsoft-Windows-WinRM/Operational"
    ]
  },
  "ALM": {
    "Nodes": [ "PhysicalMachines", "AllVms" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\ALM\\*.etl*",
      "$env:SystemDrive\\Observability\\ALMSystemAgents\\",
      "$env:SystemDrive\\Observability\\TraceCollectorAgent\\*.etl*",
      "$env:SystemDrive\\maslogs\\AgentTrace\\*.etl",
      "$env:LocalRootFolderPath\\maslogs\\AgentTrace\\*.etl"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "MOC_ARB": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\MOC_ARB\\"
    ],
    "CSVLog": [
        "$env:SystemDrive\\ClusterStorage\\Infrastructure_1\\ArcHci\\ubercrud.log"
    ],
    "WindowsEventLog": [
        "Microsoft-Windows-Hyper-V-Config-Admin.evtx",
        "Microsoft-Windows-Hyper-V-Config-Operational.evtx",
        "Microsoft-Windows-Hyper-V-Shared-VHDX/Reservation.evtx"
    ]
  },
  "FleetDiagnosticsAgent": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\FleetDiagnosticsAgent\\*.etl*"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "ObservabilityAgent": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\ObservabilityAgent\\*.etl*"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "ObservabilityLogmanTraces": {
      "Nodes": ["PhysicalMachines"],
      "FileLog": [
          "$env:SystemDrive\\Observability\\ObservabilityLogmanTraces\\observabilityLogmanTraces.etl*"
      ],
      "ShareLog": [],
      "WindowsEventLog": []
  },
  "RemoteSupportAgent": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\RemoteSupportAgent\\*.etl*"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "OSUpdateLogs": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:windir\\logs\\mosetup\\updateagent.log",
      "$env:SystemDrive\\`$WINDOWS.~BT\\Sources\\Panther\\setupact.log",
      "$env:windir\\logs\\windowsupdate\\*.etl*",
      "$env:windir\\Logs\\CBS\\"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "AutonomousLogs": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\AutonomousLogs\\"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "OEMDiagnostics": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\OEMDiagnostics\\*.etl*"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "ObservabilityVolume": {
    "Nodes": [ "PhysicalMachines", "AllVms" ],
    "FileLog": [],
    "CSVLog": [],
    "WindowsEventLog": [
      "Microsoft-AzureStack-Observability/Operational"
    ]
  },
  "HostNetwork": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\HostNetwork\\NetworkAtcTracing\\NetworkAtcTrace_*.etl*",
      "$env:LocalRootFolderPath\\NetworkAtcTracing\\NetworkAtcTrace_*.etl*"
    ],
    "WindowsEventLog": [
      "Microsoft-Windows-Networking-NetworkAtc/Admin",
      "Microsoft-Windows-Networking-NetworkAtc/Operational"
    ]
  },
  "Health": {
    "Nodes": [ "PhysicalMachines", "AllVms" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\HealthAndMonitoring\\Diagnostics\\HealthAgent\\*Health.HealthAgent*.etl*",
      "$env:SystemDrive\\Observability\\HealthAndMonitoring\\Diagnostics\\HealthAgent\\CommonInfra\\*Health.HealthAgent.CommonInfra*.etl*",
      "$env:SystemDrive\\Observability\\HealthAndMonitoring\\Diagnostics\\HealthService\\*Health.HealthService*.etl*"
    ]
  },
  "HCICloudService": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:systemdrive\\Users\\HciDeploymentUser\\Documents\\Register*.log",
      "$env:systemdrive\\Users\\HciDeploymentUser\\Documents\\Unregister*.log",
      "$env:systemdrive\\ProgramData\\AzureConnectedMachineAgent\\Log\\*.log",
      "$env:windir\\Windows\\Tasks\\ArcForServers\\*.log"
    ],
    "CSVLog": [],
    "WindowsEventLog": [
      "Microsoft-AzureStack-HCI/Admin",
      "Microsoft-AzureStack-HCI/Debug",
      "Microsoft-AzureStack-HCI-ClusterAgent/Admin",
      "Microsoft-AzureStack-HCI-ClusterAgent/Debug"
    ]
  },
  "DownloadService": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\Download\\Standalone\\*Microsoft.AzureStack.Download.DownloadStandalone*.etl*",
      "$env:SystemDrive\\Observability\\Download\\Service\\*Microsoft.AzureStack.Download.DownloadService*.etl*",
      "$env:SystemDrive\\Observability\\Download\\CauDebugTraces\\*.zip",
      "$env:SystemDrive\\Observability\\URP\\UdiSessions\\"
    ],
    "CSVLog": [
      "$env:SystemDrive\\ClusterStorage\\Infrastructure_1\\Shares\\SU1_Infrastructure_1\\Updates\\GetCauOutput\\"
    ],
    "WindowsEventLog": []
  },
  "URP": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\URP\\*AzureStack.Update.Admin*.etl*"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "ArcAgent": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\ProgramData\\AzureConnectedMachineAgent\\Log"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "Extension": {
    "Nodes": [ "PhysicalMachines" ],
    "FileLog": [
      "$env:SystemDrive\\ProgramData\\GuestConfig\\ext_mgr_logs",
      "$env:SystemDrive\\ProgramData\\GuestConfig\\arc_policy_logs",
      "$env:SystemDrive\\ProgramData\\GuestConfig\\extension_logs",
      "$env:SystemDrive\\ProgramData\\GuestConfig\\extension_reports"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  },
  "CommonInfra": {
    "Nodes": [ "PhysicalMachines", "AllVms" ],
    "FileLog": [
      "$env:SystemDrive\\Observability\\CommonInfra\\Service\\*AzureStack.Common.Infrastructure*.etl*",
      "$env:SystemDrive\\Observability\\CommonInfra\\Middleware\\*AzureStack.Common.Infrastructure.Middleware*.etl*"
    ],
    "CSVLog": [],
    "WindowsEventLog": []
  }
}