Exam AZ-104 topic 6 question 55 discussion

Actual exam question from Microsoft's AZ-104
Question #: 55
Topic #: 6

You have an Azure subscription. The subscription contains virtual machines that run Windows Server.

You have a data collection rule (DCR) named Rule1.

You plan to use the Azure Monitor Agent to collect events from Windows System event logs.

You only need to collect system events that have an ID of 1001.

Which type of query should you use for the data source in Rule1?

  • A. SQL
  • B. XPath
  • C. KQL
Suggested Answer: B

Comments

SgtDumitru
Highly Voted 1 year ago
Microsoft: We will find that 1 sentence in our entire Doc which mentioned a language which wasn't mentioned in any of our courses and we'll 100% ask everybody about it, because... of reasons.
upvoted 35 times
ki01
11 months, 3 weeks ago
I like how the entire event filtering system is implemented into Log Analytics with KQL, so a lot of people get sort of comfortable with that, BUT HERE, in this one place, instead of filtering event ingress like a normal person, you have to use some random, unheard-of toaster syntax.
upvoted 8 times
...
...
[Removed]
Highly Voted 11 months, 3 weeks ago
The correct answer is B. Whilst you can use KQL to filter for events with ID 101, this implies that the Data Collection Rule ingests all events into the Log Analytics Workspace, thus driving up costs. This question specifically asks for the data source configuration as part of creating Rule1. If you are only interested in Event ID 1001 you should filter it from the start, when configuring the Data Collection Rule. To do that, you must use an XPath query. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal#filter-events-using-xpath-queries
upvoted 13 times
...
Josh219
Most Recent 1 week, 6 days ago
Selected Answer: B
XPath: Used for querying Windows event logs. KQL: Used for querying data in Azure Data Explorer and Log Analytics workspaces. Therefore, XPath is the correct choice for your data collection rule (DCR) to collect specific system events from Windows event logs.
upvoted 1 times
...
SeMo0o0o0o
1 month, 3 weeks ago
Selected Answer: B
B is correct. XPath is the query language used to filter and collect specific events from Windows Event Logs, which are stored in an XML format. Since you only need to collect system events with an ID of 1001 from the Windows System event logs, you will use an XPath query to specify this condition. Example of an XPath query to collect events with ID 1001:

    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(EventID=1001)]]</Select>
      </Query>
    </QueryList>
upvoted 3 times
...
0378d43
1 month, 3 weeks ago
Selected Answer: C
KQL is used to query for the event ID.
upvoted 1 times
...
Debugs_Bunny
2 months, 3 weeks ago
How does this help me to become Azure Architect?
upvoted 4 times
...
learnazureportal
5 months, 2 weeks ago
B is correct. Note - SQL is used for querying relational databases and is not applicable for querying Windows Event Logs.
upvoted 1 times
...
Amir1909
8 months, 2 weeks ago
C is correct
upvoted 1 times
...
GoldBear
12 months ago
Selected Answer: B
To consume events, you can consume all events or you can specify an XPath expression that identifies the events that you want to consume. https://learn.microsoft.com/en-us/windows/win32/wes/consuming-events
upvoted 2 times
...
OrangeSG
1 year, 1 month ago
Selected Answer: B
XPath is a query language used to select nodes from an XML document. The Azure Monitor Agent uses XPath queries to filter events from Windows System event logs. To collect only system events that have an ID of 1001, you would use the following XPath query: //*[System/@EventID=1001] This query will select all nodes in the XML document where the System element has an EventID attribute equal to 1001. SQL and KQL are not supported for filtering events from Windows System event logs.
upvoted 4 times
...
Peter6529
1 year, 1 month ago
Selected Answer: C
KQL is the correct answer.
upvoted 1 times
...
Vestibal
1 year, 1 month ago
Selected Answer: B
To collect specific events from Windows System event logs, such as those with an Event ID of 1001, you should use an XPath query. XPath is a query language that can be used to filter XML data, which is the format used by Windows Event Logs. In Azure Monitor, when configuring data collection rules for collecting Windows event log data, XPath queries are used to specify the criteria for the events you want to collect. So, the correct answer is: B. XPath
upvoted 1 times
...
Hillah
1 year, 1 month ago
B. Correct. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal
upvoted 2 times
...
XtraWest
1 year, 1 month ago
Selected Answer: C
KQL: For the log query, you'll need to use a custom Kusto Query Language (KQL) query. In this case, you want to collect System events with an ID of 1001.
upvoted 2 times
...
Shaanwar2001
1 year, 2 months ago
To specify more filters, use custom configuration and specify an XPath that filters out the events you don't need. XPath entries are written in the form LogName!XPathQuery. For example, you might want to return only events from the Application event log with an event ID of 1035. The XPathQuery for these events would be *[System[EventID=1035]]. Because you want to retrieve the events from the Application event log, the XPath is Application!*[System[EventID=1035]] https://learn.microsoft.com/th-th/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal#filter-events-using-xpath-queries
upvoted 3 times
...
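As an added example (not part of the original discussion or of Microsoft's documentation), the `LogName!XPathQuery` entry described in the comment above can be checked on a Windows Server VM before it goes into Rule1, and then placed in the DCR's Windows event log data source. The data source name `systemEvent1001` is an assumption; the entry itself is the question's scenario (System log, event ID 1001).

```powershell
# DCR entries use the form LogName!XPathQuery.
$entry = 'System!*[System[EventID=1001]]'

# Split on the first '!' only, so the XPath part is kept intact.
$logName, $xpath = $entry -split '!', 2

# Step 1: run the XPath part against the local log. Get-WinEvent uses the
# same Windows event log XPath subset, so a query that fails here should
# not be put into the rule.
try {
    $hits = Get-WinEvent -LogName $logName -FilterXPath $xpath `
                         -MaxEvents 5 -ErrorAction Stop
    $hits | Select-Object TimeCreated, Id, ProviderName

    # Every returned event should carry the requested ID.
    $unexpected = $hits | Where-Object { $_.Id -ne 1001 }
    if ($unexpected) {
        Write-Warning 'Filter returned events with other IDs; review the query.'
    }
}
catch {
    # A malformed query and "no matching events on this machine" both end
    # up here; the message tells which one it was.
    Write-Warning $_.Exception.Message
}

# Step 2: the fragment of the DCR "dataSources" section that carries the
# filter. Only matching events leave the VM, so nothing else is ingested
# into the Log Analytics workspace.
$dataSources = @{
    windowsEventLogs = @(
        @{
            name         = 'systemEvent1001'   # assumed name
            streams      = @('Microsoft-Event')
            xPathQueries = @($entry)
        }
    )
}
$dataSources | ConvertTo-Json -Depth 5
```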
KMLearn2
1 year, 2 months ago
Selected Answer: B
Custom data source in Azure Portal says: "Use XPath queries to filter event logs and limit data collection"
upvoted 6 times
...
Nighty470
1 year, 2 months ago
When you are at 'Add data source' during DCR creation, under Custom, you are faced with: "Use XPath queries to filter event logs and limit data collection."
upvoted 1 times
Nighty470
1 year, 2 months ago
Also in Event Viewer there is an option to see Details in XML format "XML View" so I'm pretty sure answer is XPath.
upvoted 1 times
...
...