Azure Monitor Agent with data collection rule doesn't collect events
Hello together,
I have two Arc-enabled on-prem Windows Server VMs and have a DCR configured for collecting specific event logs:
"dataSources": {
  "performanceCounters": [
    {
      "streams": [
        "Microsoft-Perf",
        "Microsoft-InsightsMetrics"
      ],
      "samplingFrequencyInSeconds": 10,
      "counterSpecifiers": [
        "\\Processor Information(_Total)\\% Processor Time",
        "\\System\\System Up Time",
        "\\Memory\\Available Bytes",
        "\\LogicalDisk(*)\\% Free Space"
      ],
      "name": "perfCounterDataSource10"
    }
  ],
  "windowsEventLogs": [
    {
      "streams": [
        "Microsoft-Event"
      ],
      "xPathQueries": [
        "Veeam Backup!*[System[EventID=190]]",
        "System!*[System[EventID=7036] and System/Provider[@Name='Service Control Manager'] and EventData/Data[@Name='param1']='Themes' or EventData/Data[@Name='param1']='Windows Update']"
      ],
      "name": "eventLogsDataSource"
    }
  ]
},
For testing purposes, I want the event logs regarding the Windows Update service and the Themes service (and Veeam Backup).
But I don't receive any event logs. I would need some help to troubleshoot a scenario like this.
Thank you very much in advance!
1 Reply
- jimmy-phelan (Copper Contributor)
I have very very recently (yesterday) enabled Log Collection extending to System Events on an Azure Arc enabled server.
How I accomplished this was as follows
In the Workspace that ARC is using, I opened "Agents", then went to Data Collection Rules. There is already a default collection rule, so I added to it a Windows Event Log. Now, here I had some funny issues. My goal was to ingest Veeam Agent logs. But for whatever reason, if I only put the XPATH below, it never submitted.
Veeam Agent!*[System[(EventID=190 or EventID=191)]]
Once I included some regular Event Logs, then it allowed me to add the above.
I left it overnight, as it didn't scrape the event log for previous entries.
This morning when I opened the ARC enabled server, and went to its logs, I was able to run the KQL
Event | where Source contains "Veeam"
and I got back last night's success.
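
An added example, not part of either post above: one way to check a DCR's `xPathQueries` entries locally on the Arc-enabled server before waiting on ingestion. The function name `Test-DcrXPathQuery` and the status labels are made up for this illustration; the three queries are copied from the posts, and the script separates "channel does not exist under that name", "query rejected by the Windows event log API" and "query accepted but nothing matches yet".

```powershell
# Queries copied from the posts above, in the DCR "<channel>!<XPath>" form.
$xPathQueries = @(
    "Veeam Backup!*[System[EventID=190]]",
    "System!*[System[EventID=7036] and System/Provider[@Name='Service Control Manager'] and EventData/Data[@Name='param1']='Themes' or EventData/Data[@Name='param1']='Windows Update']",
    "Veeam Agent!*[System[(EventID=190 or EventID=191)]]"
)

# Hypothetical helper for this example: evaluates one DCR entry against the local event log.
function Test-DcrXPathQuery {
    param([Parameter(Mandatory)][string]$Query)

    # Split on the first "!" only; everything after it is the XPath filter.
    $channel, $xpath = $Query -split '!', 2
    $result = [ordered]@{ Channel = $channel; XPath = $xpath; Status = $null; Detail = $null }

    try {
        # Confirm the channel exists on this machine under exactly this name.
        $null = Get-WinEvent -ListLog $channel -ErrorAction Stop
    } catch {
        $result.Status = 'ChannelNotFound'
        $result.Detail = $_.Exception.Message
        return [pscustomobject]$result
    }

    try {
        # Let the event log service evaluate the filter; results come back newest first.
        $events = @(Get-WinEvent -LogName $channel -FilterXPath $xpath -MaxEvents 5 -ErrorAction Stop)
        $result.Status = 'Matches'
        $result.Detail = "newest match: $($events[0].TimeCreated)"
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # The filter was accepted, but no stored event satisfies it.
            $result.Status = 'ValidButNoEvents'
        } else {
            # Anything else here means the filter itself was not accepted.
            $result.Status = 'QueryRejected'
        }
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}

$xPathQueries | ForEach-Object { Test-DcrXPathQuery -Query $_ } | Format-List
```

Run it in an elevated PowerShell session on the server itself, since some channels are not readable by a standard user.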