Forum Discussion
Solved
Sentinel - Windows Forwarded Events Connector Ingestion issue
Hello,
In Microsoft Sentinel we have enabled the "Windows Forwarded Events (Preview)" Data Connector but no logs are coming. Here are the details of the setup:
- Windows Server 2019 (Azure Arc Enabled)
- Data Collection Rule "ForwardedEvents!*"
- AzureMonitorWindowsAgent has installed to Azure-Arc enabled Windows Server
- WEC is enabled to the Windows Server and ForwardedEvents are normally populated to the Event Viewer.
Is the are any additional action that should be done to the WEC or DCR side?
Thank you,
Greg
- Did you try and remove the quotes, I don't have mine setup anymore but I think you don't need them? e.g.
ForwardedEvents!*
I assume you are aware the data goes into this Table: WindowsEvents
6 Replies
- Did you try and remove the quotes, I don't have mine setup anymore but I think you don't need them? e.g.
ForwardedEvents!*
I assume you are aware the data goes into this Table: WindowsEventsCliveWatsonThanks for your reply.
I removed the quotes and DCR changed from "Custom" to AllEvents":
Still no logs received.
Thank you,
- Take a look at https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369 and especially the Get-WinEvent to test that xpath is working
