Garfield-P (Copper Contributor)
Sep 13, 2021
MMA Agent - Multiple Workspaces
Hi community,
So we have an on-prem Windows server that has Microsoft Defender installed and is connected via MMA to the M365 Defender portal. We also need the IIS and security logs from this machine in Sentinel, so we added a second workspace ID (Log Analytics). We can see the security logs but no IIS logs, and we also got a message in the Defender portal (MDE Client Analyzer).
What is best practice in this case?
Thank you!
3 Replies
- CliveWatson (Former Employee): In the second workspace used by Azure Sentinel, configure IIS by going to this blade - method from Azure Sentinel home screen:
Settings --> Workspace Settings --> Agents Configuration - IIS logs
- Garfield-P (Copper Contributor): Thx Clive! We have already done that. We see only security logs and no IIS logs. Do you also have an idea regarding the MMA agent and two workspaces? What is best practice here? Thank you
- CliveWatson (Former Employee): The good news is that you have Security Logs from those servers, so we know the MMA and the connection to Azure Monitor is OK. Do you have IIS enabled on at least one of the servers, and have you checked the local logs on the servers (are they rolling over hourly? https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-iis-logs)? If that and this checks out https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.11/hh831775(v=ws.11) you may need a support call.
You see Security Events in the "SecurityEvent" table?
You checked IIS logs in "W3CIISLog" but there is nothing for the past few days
Sorry for the basic questions
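
The local checks raised in the replies above (which workspaces the agent reports to, and whether each IIS site is writing W3C logs that roll over), as an added PowerShell example that is not part of any post in this thread. It assumes the Log Analytics agent's `AgentConfigManager.MgmtSvcCfg` COM object and the `WebAdministration` module are available on the server, and it is meant to be run in an elevated session.

```powershell
# 1. Workspaces the MMA is multi-homed to, with the connection state of each.
#    Both the Defender workspace and the Sentinel workspace should be listed.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.GetCloudWorkspaces() |
    Select-Object workspaceId, ConnectionStatusText

# 2. Per-site IIS logging settings and the newest log file on disk.
#    The agent only collects IIS logs stored in W3C format.
Import-Module WebAdministration
foreach ($site in Get-ChildItem IIS:\Sites) {
    $log     = $site.logFile
    # The configured directory usually contains %SystemDrive%; expand it.
    $baseDir = [Environment]::ExpandEnvironmentVariables($log.directory)
    $siteDir = Join-Path $baseDir ("W3SVC{0}" -f $site.id)

    $newest = Get-ChildItem -Path $siteDir -Filter *.log -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        Site      = $site.Name
        Enabled   = $log.enabled
        Format    = $log.logFormat      # expected: W3C
        Rollover  = $log.period         # e.g. Hourly or Daily
        Directory = $siteDir
        NewestLog = $newest.Name        # empty if no log file exists yet
        LastWrite = $newest.LastWriteTime
    }
}
```

If a site shows a format other than W3C, logging disabled, or no recent log file, there is nothing for the agent to forward to `W3CIISLog`, regardless of the workspace configuration.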