Forum Discussion
shockotechcom
Jun 25, 2020Iron Contributor
Send Windows Event Logs Into Log Analytics Workspace
I have some on-premises servers from which I would like to send specific Windows event log IDs to a Log Analytics workspace. I see I can download the MMA agent. How do I configure it to only send specific Event IDs?
- JK_UK, Brass Contributor
shockotechcom I don't think you can send specific event log IDs.
You can send specific event logs (Application, System etc.) and specific types, i.e. Error, Warning & Info, but not an actual ID.
You would normally then use Kusto queries on the logs ingested into Log Analytics to filter for specific IDs and then trigger alerts/runbooks/logic apps etc.
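As an added example of the query-side filtering JK_UK describes (this is not code from the thread or from Microsoft's documentation), the KQL below pulls only the Event IDs you care about out of the already-ingested `Event` and `SecurityEvent` tables and shapes the result the way an alert rule or Logic App trigger would consume it. The table and column names are the standard Log Analytics schema for MMA-collected Windows events; the specific IDs (41, 1074, 6008 from the System log, 4740 from the Security log) are chosen for illustration, and `SecurityEvent` only has data if a solution such as Sentinel or Azure Defender is collecting the Security log.

```kql
// Added example: filter ingested Windows events down to specific Event IDs
// and summarise them per computer for an alert rule.
let lookback = 1h;
// Illustrative IDs: unexpected shutdown / reboot (System) and account lockout (Security).
let systemIds = dynamic([41, 1074, 6008]);
let securityIds = dynamic([4740]);
// System log events arrive in the Event table with EventLog == "System".
let sys = Event
| where TimeGenerated > ago(lookback)
| where EventLog == "System" and EventID in (systemIds)
| project TimeGenerated, Computer, EventLog, EventID, Source, Details = RenderedDescription;
// Security log events (when a solution collects them) land in SecurityEvent.
let sec = SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (securityIds)
| project TimeGenerated, Computer, EventLog = "Security", EventID,
          Source = "Microsoft-Windows-Security-Auditing", Details = Activity;
sys
| union sec
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleDetails = take_any(Details)
    by Computer, EventLog, EventID
| order by LastSeen desc
```

Saved as a scheduled alert rule with a threshold of "results greater than 0", this query fires once per computer/ID combination seen in the lookback window, and `SampleDetails` gives the responder the rendered message without a second query. The filtering happens after ingestion, so every System-log event still counts toward the workspace's billed volume; the query only controls what you act on, not what you pay for.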
- RobinCM, Brass Contributor
Is this definitely true? Azure Sentinel gives you preconfigured options for only sending certain Security Event IDs, see https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events.
It seems like the functionality to only send specific events from certain logs is there in Microsoft Monitoring Agent, but I've yet to find any info on how we can configure that ourselves.
Sending everything from the System log on all my devices would cost way too much, and I am only interested in a few events.
- hspinto, Microsoft
The ability to send specific Event logs in MMA exists in some solutions, such as Azure Defender or Sentinel. But other than specific solutions, you can't have granular control over event log capture. However, the new Azure Monitor Agent (in Preview) will be able to do that and much more. Have a look here: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview
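An added example, not part of the thread, for RobinCM's cost concern: before deciding which Event IDs are worth collecting (whether by query-side filtering on MMA data, or by a collection-side filter once you move to an agent that supports one), measure what a blanket System-log collection is actually costing per log, source and ID. Log Analytics stamps every record with a `_BilledSize` column (bytes), so the breakdown can be computed directly from the `Event` table; the 7-day window and the top-25 cut-off are illustrative choices.

```kql
// Added example: rank event log / source / Event ID combinations by billed
// ingestion volume so you can see which IDs dominate the bill.
let lookback = 7d;
// Total billed bytes for all Windows events in the window, used for the percentage column.
let totalBytes = toscalar(
    Event
    | where TimeGenerated > ago(lookback)
    | summarize sum(_BilledSize));
Event
| where TimeGenerated > ago(lookback)
| summarize Events = count(), BilledBytes = sum(_BilledSize) by EventLog, Source, EventID
| extend BilledMB = round(BilledBytes / 1048576.0, 2),
         PctOfTotal = round(100.0 * BilledBytes / totalBytes, 1)
| project EventLog, Source, EventID, Events, BilledMB, PctOfTotal
| order by BilledMB desc
| take 25
```

In practice a handful of chatty IDs (service start/stop notices, driver and time-service messages) usually account for most of the System-log volume, and none of them are the ones you alert on. The output of this query is the list of IDs you either keep in your alert queries or, once the agent supports it, put into the collection-side filter so the rest never leaves the server.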