Forum Discussion

nexus-dave
Copper Contributor
Jul 21, 2021

Azure Monitor Agent with data collection rule doesnt collect events

Hello together,

I have two Arc-enabled on-prem Windows Server VMs and have a DCR configured for collecting specific event logs:
{
    "dataSources": {
        "performanceCounters": [
            {
                "streams": [
                    "Microsoft-Perf",
                    "Microsoft-InsightsMetrics"
                ],
                "samplingFrequencyInSeconds": 10,
                "counterSpecifiers": [
                    "\\Processor Information(_Total)\\% Processor Time",
                    "\\System\\System Up Time",
                    "\\Memory\\Available Bytes",
                    "\\LogicalDisk(*)\\% Free Space"
                ],
                "name": "perfCounterDataSource10"
            }
        ],
        "windowsEventLogs": [
            {
                "streams": [
                    "Microsoft-Event"
                ],
                "xPathQueries": [
                    "Veeam Backup!*[System[EventID=190]]",
                    "System!*[System[EventID=7036] and System/Provider[@Name='Service Control Manager'] and (EventData/Data[@Name='param1']='Themes' or EventData/Data[@Name='param1']='Windows Update')]"
                ],
                "name": "eventLogsDataSource"
            }
        ]
    }
}

For testing purposes, I want the event logs regarding the Windows Update service and the Themes service (and Veeam Backup).

But I don't receive any event logs. I would need some help troubleshooting a scenario like this.

Thank you very much in advance!

1 Reply

    jimmy-phelan
    Copper Contributor

    nexus-dave 

    I have very, very recently (yesterday) enabled Log Collection extending to System Events on an Azure Arc-enabled server.

    How I accomplished this was as follows:

    In the workspace that Arc is using, I opened "Agents", then went to Data Collection Rules. There is already a default collection rule, so I added a Windows Event Log to it.

    Now, here I had some funny issues. My goal was to ingest Veeam Agent logs. But for whatever reason, if I only put the XPath below, it never submitted.

    Veeam Agent!*[System[(EventID=190 or EventID=191)]]

    Once I included some regular Event Logs, then it allowed me to add the above.

    I left it overnight, as it didn't scrape the event log for previous entries.

    This morning when I opened the Arc-enabled server and went to its logs, I was able to run the KQL

    Event
    | where Source contains "Veeam"

    and I got back last night's success.
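A local check that narrows down cases like the one above, added here as an example and not part of either post: it takes the DCR's `xPathQueries` entries (the `<Channel>!<XPath>` form AMA uses), confirms that each channel exists under exactly that name, and evaluates the same XPath with `Get-WinEvent` on the server, so a misspelled channel, a rejected query, or a query that simply has not matched any event yet can be told apart before waiting on ingestion. It assumes an elevated PowerShell session on the Arc-enabled server itself; the second query carries parentheses around the `or`, since in XPath `and` binds tighter than `or`.

```powershell
# Added example: validate DCR xPathQueries locally on the Arc-enabled server.
# Assumes an elevated PowerShell session on the server whose logs the DCR reads.
$xPathQueries = @(
    'Veeam Backup!*[System[EventID=190]]',
    # Parentheses added around the "or": without them, "and" binds tighter than "or".
    "System!*[System[EventID=7036] and System/Provider[@Name='Service Control Manager'] and (EventData/Data[@Name='param1']='Themes' or EventData/Data[@Name='param1']='Windows Update')]"
)

foreach ($entry in $xPathQueries) {
    # Split only on the first "!" so the XPath may itself contain "!" characters.
    $channel, $xpath = $entry -split '!', 2
    Write-Host "== Channel '$channel'" -ForegroundColor Cyan

    # 1. Does a log with exactly this name exist? A typo here yields zero events silently.
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $log) {
        $similar = (Get-WinEvent -ListLog "*$($channel.Split(' ')[0])*" -ErrorAction SilentlyContinue).LogName
        Write-Warning "Channel '$channel' not found. Similar log names: $($similar -join ', ')"
        continue
    }
    Write-Host "   records currently in log: $($log.RecordCount)"

    # 2. Does the XPath parse and match anything? Same filter syntax the DCR uses.
    try {
        $hits = Get-WinEvent -LogName $channel -FilterXPath $xpath -MaxEvents 5 -ErrorAction Stop
        Write-Host "   XPath matched; most recent $($hits.Count) event(s):"
        $hits | Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(80, $_.Message.Length)) } } |
            Format-Table -AutoSize
    }
    catch {
        if ($_.Exception.Message -match 'No events were found') {
            Write-Warning "   XPath is valid but matched no events yet; nothing is ingested until one is written."
        }
        else {
            Write-Warning "   XPath rejected by the event log service: $($_.Exception.Message)"
        }
    }
}
```

If every query matches locally but the `Event` table stays empty, the problem is on the agent or DCR-association side rather than in the queries; if a query is rejected here, the agent will not collect with it either.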
