Forum Discussion

AndrewX's avatar
AndrewX
Iron Contributor
Jun 01, 2019
Solved

WEF forwarding to Azure Security Centre / Log Analytics

Hello - I am hoping this is possible and a viable option.

 

I currently use Windows Event Forwarding (WEF) with Winlogbeat sending events off to Elasticsearch. Epic, this works great, why would i change this right?

 

  • Well i want to use Azure Log Analytics for my search platform, because i enjoy KutsoQL
  • I want to use the Azure security centre and Sentinel.
  • I already have Office365 Signin, Audit and Mailbox logs in Azure Log Analytics.

Is it possible to simply stick the OMS agent on my WEC/WEF server and send events into my Logs Analytics workspace?

 

If not, what is the best practice (and MS Solution) for Windows Event Management and Analysis?

Log Analytics
microsoft sentinel
security
  • Ofer_Shezaf's avatar
    Ofer_Shezaf
    Jun 16, 2019

    AndrewX 

     

    WEF support is currently in preview and still has some limitations. Contact me directly if you would like to join, and we can discuss whether the current support would work for you.

     

    As an alternative, you can continue to use CEF and winlogbeat and connect it to Sentinel using Logstash and the Logstash Log Analytics output plugin.

     

    ~ Ofer

18 Replies

Sort By
  • Ofer_Shezaf's avatar
    Ofer_Shezaf
    Icon for Microsoft rankMicrosoft
    Jun 16, 2019

    AndrewX 

     

    WEF support is currently in preview and still has some limitations. Contact me directly if you would like to join, and we can discuss whether the current support would work for you.

     

    As an alternative, you can continue to use CEF and winlogbeat and connect it to Sentinel using Logstash and the Logstash Log Analytics output plugin.

     

    ~ Ofer

    • SimonR's avatar
      SimonR
      Brass Contributor
      Mar 24, 2020

      Ofer_Shezaf is this WEF preview still available/accessible? I'm looking at forwarding our current WEF setup to Azure Sentinel for easier analysis and came across this post when trying to configure the setup.

    • DannyC_Gamma's avatar
      DannyC_Gamma
      Brass Contributor
      Jul 23, 2019

      AndrewX 

       

      Hey Andrew

       

      Did you get a response from Microsoft on this - I'm looking at similar scenario and I'd like to get access to the WEF connector also

       

      I did reach out to Ofer_Shezaf but I'm yet to hear back

       

      Thanks

      Danny

      • Ofer_Shezaf's avatar
        Ofer_Shezaf
        Icon for Microsoft rankMicrosoft
        Jul 23, 2019
        Hi Danny: sorry, missed your message. Can you send me an e-mail to discuss the private preview (ofer.shezaf@microsoft.com)
  • Hannes_LG's avatar
    Hannes_LG
    Brass Contributor
    Jun 03, 2019
    Hi,

    WEF isn’t supported at the moment.
    A possible workaround is to write a custom powershell eventhandler and send the information periodically to log analytics.

    I’ve created a similar solution for a NetApp filer in the past.

    Regards,
    Hannes

Resources