Forum Discussion
Solved
Sentinel - Windows Forwarded Events Connector Ingestion issue
Hello, In Microsoft Sentinel we have enabled the "Windows Forwarded Events (Preview)" Data Connector but no logs are coming. Here are the details of the setup: Windows Server 2019 (Azure Ar...
- Did you try and remove the quotes, I don't have mine setup anymore but I think you don't need them? e.g.
ForwardedEvents!*
I assume you are aware the data goes into this Table: WindowsEvents
CliveWatsonThanks for your reply.
I removed the quotes and DCR changed from "Custom" to AllEvents":
Still no logs received.
Thank you,
Take a look at https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369 and especially the Get-WinEvent to test that xpath is working
- Finally and after an hour of removing quotes from "ForwardedEvents!*" the logs started coming. Happy also to see that in the column "Computer" we can see the computer client that sends its logs to WEC server.
Furthermore and except from the ASIM we expecting from MS Analytic Rules Template regarding "WindowsEvent" table.
Thank you very much.
NehaSingh0703Microsoft
gregoval Did you start receiving logs for all events or for custom events after making the above changes.
I am also facing the exact issue
- So pleased this worked (eventually).
