Forum Discussion
Garfield-P
Sep 13, 2021 | Copper Contributor
MMA Agent - Multiple Workspaces
Hi community, so we have an on-prem Windows server that has Microsoft Defender installed and is connected via MMA to the M365 Defender portal. We also need the IIS and security logs from this machi...
CliveWatson
Sep 13, 2021 | Former Employee
In the second workspace used by Azure Sentinel, configure IIS by going to this blade - method from Azure Sentinel home screen:
Settings --> Workspace Settings --> Agents Configuration - IIS logs
Garfield-P
Sep 13, 2021 | Copper Contributor
Thx Clive! We have already done that. We see only security logs and no IIS logs. Do you also have an idea regarding the MMA agent and two workspaces? What is best practice here? Thank you
- CliveWatson | Sep 13, 2021 | Former Employee
The good news is that you have Security Logs from those servers, so we know the MMA and the connection to Azure Monitor is ok. Do you have IIS enabled on at least one of the servers, and have you checked the local logs on the servers (are they rolling over hourly? See https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-iis-logs)? If that and this checks out https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.11/hh831775(v=ws.11) you may need a support call.
You see Security Events in the "SecurityEvent" table?
You checked IIS logs in "W3CIISLog" but there is nothing for the past few days?
Sorry for the basic questions