Forum Discussion
Azure Monitor Agent with data collection rule doesn't collect events
I have very very recently (yesterday) enabled Log Collection extending to System Events on an Azure Arc enabled server.
How I accomplished this was as follows:
In the Workspace that ARC is using, I opened "Agents", then went to Data Collection Rules. There is already a default collection rule, so I added to it a Windows Event Log.
Now, here I had some funny issues. My goal was to ingest Veeam Agent logs. But for whatever reason, if I only put the XPath below, it never submitted.
Veeam Agent!*[System[(EventID=190 or EventID=191)]]
Once I included some regular Event Logs, then it allowed me to add the above.
I left it overnight, as it didn't scrape the event log for previous entries.
This morning when I opened the ARC enabled server, and went to its logs, I was able to run the KQL
Event
| where Source contains "Veeam"
and I got back last night's success.
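A way to check a `LogName!XPath` entry like the one in the post locally on the server before it goes into the data collection rule, using `Get-WinEvent -FilterXPath`. This is an added example, not part of the original post; the `Test-DcrXPathEntry` helper name and the second `System` entry are constructed for illustration.

```powershell
# Added example: entries use the "LogName!XPath" form shown in the post.
$entries = @(
    'Veeam Agent!*[System[(EventID=190 or EventID=191)]]',   # from the post
    'System!*[System[(Level=1 or Level=2 or Level=3)]]'      # constructed sample entry
)

function Test-DcrXPathEntry {
    # Hypothetical helper: validates one "LogName!XPath" entry against the local event log.
    param([Parameter(Mandatory)][string]$Entry)

    # Split on the first "!" only: left side is the event log (channel), right side is the XPath.
    $logName, $xpath = $Entry -split '!', 2
    $result = [ordered]@{ LogName = $logName; XPath = $xpath; Status = ''; Newest = $null }

    if (-not $xpath) {
        $result.Status = 'Malformed: expected LogName!XPath'
        return [pscustomobject]$result
    }

    try {
        # -MaxEvents 1 returns only the newest match; enough to prove the query parses and hits.
        $newest = Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop
        $result.Status = 'OK: query valid, matching events present'
        $result.Newest = $newest.TimeCreated
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # The log exists and the XPath parsed, but nothing matches yet.
            $result.Status = 'OK: query valid, no matching events yet'
        }
        else {
            # Unknown log name, invalid XPath, or access denied: surface the message as-is.
            $result.Status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

$entries | ForEach-Object { Test-DcrXPathEntry -Entry $_ } | Format-List
```

Run it in an elevated PowerShell session on the Arc-enabled server; a `Failed` status means the log name or XPath is rejected by the local event log service itself.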