Forum Discussion
kausiktsi
Copper Contributor
Feb 18, 2021
Azure Sentinel for On premises without MMA agent
Hi, I have a use case where the customer doesn't want to install any MMA agent on their machines/NEs to collect the data, due to some security reason, so how do we address such a situation and what is the work...
CliveWatson
Microsoft
Feb 19, 2021
For Linux, forwarding is supported. Windows Event Forwarding (WEF) will be added into the Azure Monitoring Agent (preview) in the future. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent
kausiktsi
Copper Contributor
Feb 19, 2021
Thanks Clive. So if I understood correctly, then it is not necessary to install the Monitoring agent on any machines or nodes to collect the logs required for Sentinel. I am referring to this URL: https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources for an on-premises design where all the customer-side logs will be placed on a Linux-based syslog forwarder machine (placed at the customer premises) so that Sentinel can collect them. So this will avoid placing MMA on any customer machines (Windows/Linux/NEs). What are your views, or is there any showstopper?
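The design described in this post (endpoints forward syslog to one Linux collector, and only the collector runs the agent) comes down to two rsyslog configurations. The following is an added example, not configuration from the original thread or from Microsoft; the collector hostname, the certificate paths and the port numbers are assumptions, and the loopback port the agent listens on should be verified against the config the agent itself writes on the collector.

```conf
### On each customer endpoint (Linux/NE that speaks rsyslog): forward, run no agent
# /etc/rsyslog.d/10-forward-to-collector.conf
# Assumed collector name; replace with the real forwarder host.
# TLS via gtls so log content is not readable or tamperable in transit on the LAN.
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem")

# Queue to disk so a collector outage does not drop events (detection gap).
action(type="omfwd"
       target="syslog-collector.customer.example"   # assumption
       port="6514"                                  # assumption: syslog over TLS
       protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"                         # 1 = TLS only
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="syslog-collector.customer.example"
       queue.type="LinkedList"
       queue.filename="fwd_to_collector"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

### On the Linux collector: receive from endpoints, hand off to the local agent
# /etc/rsyslog.d/20-collector.conf
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/collector-cert.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/collector-key.pem")

module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name")
input(type="imtcp" port="6514")                     # assumption: matches the endpoints

# The Log Analytics agent installed on this host reads syslog from a loopback
# UDP listener; the port below is the one its own generated rsyslog snippet
# uses in Microsoft's documentation, but confirm it on the installed collector.
*.* @127.0.0.1:25224
```

With this layout only the collector needs the agent and an outbound path to the workspace; endpoints need just an outbound TCP connection to the collector. Two things worth checking before calling the design complete: the collector is now a single point where all customer logs converge, so its disk queue size and its own host logging deserve the same care as a SIEM node, and, as the thread notes, Windows hosts do not speak syslog natively, so this path covers Linux and network elements only.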
Ofer_Shezaf
Microsoft
Feb 22, 2021
kausiktsi: as CliveWatson stated, remote collection is currently possible only for Linux and other systems supporting Syslog (which would exclude Windows). See here for details. Remote collection for Windows is planned in the near future.