gregoval (Copper Contributor)
Nov 05, 2021
Sentinel - Windows Forwarded Events Connector Ingestion issue
Hello,
In Microsoft Sentinel we have enabled the "Windows Forwarded Events (Preview)" Data Connector but no logs are coming. Here are the details of the setup:
- Windows Server 2019 (Azure Arc Enabled)
- Data Collection Rule "ForwardedEvents!*"
- AzureMonitorWindowsAgent has been installed on the Azure Arc-enabled Windows Server
- WEC is enabled on the Windows Server and ForwardedEvents are normally populated in the Event Viewer.
Are there any additional actions that should be done on the WEC or DCR side?
Thank you,
Greg
- CliveWatson (Former Employee)
Did you try removing the quotes? I don't have mine set up anymore, but I think you don't need them, e.g.
ForwardedEvents!*
I assume you are aware the data goes into this Table: WindowsEvents
- gregoval (Copper Contributor)
CliveWatson, thanks for your reply.
I removed the quotes and the DCR changed from "Custom" to "AllEvents":
Still no logs received.
Thank you,
- CliveWatson (Former Employee)
Take a look at https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369 and especially the Get-WinEvent to test that xpath is working
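
The local check suggested in the last reply, as an added example that is not part of the original thread or the linked blog post. It splits a Data Collection Rule entry of the form `<LogName>!<XPath>` and runs it through `Get-WinEvent` on the WEC server; `Test-DcrXPath` is a hypothetical helper name, and stripping surrounding quotes is an assumption made for this test only.

```powershell
# Added example: validate a DCR xPath entry locally on the WEC server.
# Test-DcrXPath is a hypothetical helper, not part of any Microsoft module.
function Test-DcrXPath {
    param(
        [Parameter(Mandatory)][string]$DcrQuery,   # e.g. 'ForwardedEvents!*'
        [int]$MaxEvents = 5
    )

    $query = $DcrQuery.Trim()
    if ($query -match '^".*"$') {
        # Assumption: test the value without the surrounding quotes and say so.
        Write-Warning "Query is wrapped in quotes; testing it without them."
        $query = $query.Trim('"')
    }

    # Split on the first '!' only: the XPath part may itself contain '!' (e.g. '!=').
    $parts = $query -split '!', 2
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        throw "Expected '<LogName>!<XPath>', got: $DcrQuery"
    }
    $logName, $xpath = $parts

    try {
        # -ErrorAction Stop turns "no events found", an unknown log name,
        # or an invalid XPath into a catchable error.
        $events = Get-WinEvent -LogName $logName -FilterXPath $xpath `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        Write-Warning "Nothing returned for log '$logName', XPath '$xpath': $($_.Exception.Message)"
        return
    }

    # MachineName shows which forwarding source each event came from.
    $events | Select-Object TimeCreated, Id, ProviderName, MachineName
}

# The entry discussed in this thread.
Test-DcrXPath -DcrQuery 'ForwardedEvents!*'
```

If this returns events on the server, the log name and XPath are valid locally and the remaining checks are on the agent and DCR association side.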