Forum Discussion

csmits
Copper Contributor
Jun 12, 2020

Log Collection using a Log Analytics Agent from a Windows Event Collector

Hi,


To collect Security events from multiple windows hosts, a Windows Event Collector has been set up in the environment that we want to monitor. Can we forward all events from this collector using a Sentinel agent? If so, is there an additional way to filter the events forwarded, except for the standard set of options (minimal, full, recommended), for example based on original host?


Thanks in advance!
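One way to get per-host filtering in this setup is to do it on the WEF side rather than in the agent: the subscription's XPath query and its allowed-source list decide which events reach the collector's ForwardedEvents channel in the first place, so whatever the agent later collects from that channel is already narrowed. The following PowerShell is an added example, not from the original post, from the replies, or from Microsoft documentation; the subscription name, event IDs, host names and SDDL are assumptions made for illustration.

```powershell
# Added example: a source-initiated WEF subscription that forwards only a
# subset of Security events, and only from named hosts, into ForwardedEvents.
# Run elevated on the Windows Event Collector. Names, IDs and hosts are assumed.

# 1. Make sure the collector service is configured (idempotent).
wecutil qc /q

# 2. Subscription definition. Filtering happens here, before the Log Analytics
#    agent ever sees the event:
#    - the XPath <Select> keeps only the chosen event IDs AND only events whose
#      System/Computer is one of the listed (assumed) hosts;
#    - AllowedSourceDomainComputers limits which machines may register at all
#      (DC = the Domain Computers well-known SID; SDDL is an assumed value).
$subscriptionName = 'SecurityFromSelectedHosts'   # assumed name
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/wec/config">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events from selected hosts only (example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688) and (Computer='srv01.corp.example' or Computer='srv02.corp.example')]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP "$subscriptionName.xml"
$subscriptionXml | Set-Content -Path $path -Encoding UTF8

# 3. Register (or replace) the subscription and show its runtime status.
if (wecutil es | Where-Object { $_ -eq $subscriptionName }) {
    wecutil ds $subscriptionName
}
wecutil cs $path
wecutil gr $subscriptionName

# 4. Verify on the collector. The Log Analytics agent reads this same channel
#    (Advanced Settings > Data > Windows Event Logs > ForwardedEvents), so what
#    shows up here is the most it could ever forward. MachineName on a
#    forwarded record is the original source host, not the collector.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id |
    Group-Object MachineName |
    Select-Object Name, Count
```

Two practical notes. Tightening the XPath is the only knob that reduces what the agent has to send; the minimal/recommended/full tiers mentioned in the question apply to the agent's own Security collection, not to a channel it reads as a plain Windows event log. And once the channel is being collected, check which host name the Computer column of the resulting Event table carries for forwarded records (the collector or the original source) before building host-based analytics rules on it.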

7 Replies

  • csmits:

    • Support for WEF is in private preview, to explore it and provide feedback, Join our Private Previews program.
    • A new generation of the Log Analytics agent that will support filtering is also expected to start preview in the next few months.
    •
      srikrame
      Copper Contributor

      Ofer_Shezaf, I can see the option to enable collection for forwarded events in Sentinel once Log Analytics is deployed. Is it still not in GA? If not, any ETA on when it's expected to be in GA?

    •
      milkmix_
      Copper Contributor

      Hi Ofer_Shezaf,

      Do you have more news about WEF support?

      I installed the LA agent on a WEC server and I can retrieve events from the WEC host itself, but adding other sources (e.g. ForwardedEvents, custom channels from the subscriptions, ...) from `Log Analytics workspaces > ... > Advanced Settings > Data > Windows Event Logs > Collect events from the following event logs` is not working. Note that ForwardedEvents is suggested in the dropdown from this blade.

      Any suggestions?

      Best regards


      •
        Laurent_Cardon
        Microsoft

        I'm just discovering this topic and the question may be stupid...

        Which use cases are we targeting by using a WEF collector to push info to Sentinel? In case we have Windows Defender on the client, couldn't we consider this sufficient to guarantee endpoint security?

        Laurent
