Forum Discussion
gregoval
Nov 05, 2021 Copper Contributor
Sentinel - Windows Forwarded Events Connector Ingestion issue
Hello, In Microsoft Sentinel we have enabled the "Windows Forwarded Events (Preview)" Data Connector but no logs are coming. Here are the details of the setup: Windows Server 2019 (Azure Ar...
- Nov 05, 2021 Did you try and remove the quotes? I don't have mine set up anymore, but I think you don't need them, e.g.
ForwardedEvents!*
I assume you are aware the data goes into this Table: WindowsEvents
gregoval
Nov 05, 2021 Copper Contributor
CliveWatson Thanks for your reply.
I removed the quotes and DCR changed from "Custom" to "AllEvents":
Still no logs received.
Thank you,
CliveWatson
Nov 05, 2021 Former Employee
Take a look at https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369 and especially the Get-WinEvent to test that the XPath is working.
- gregoval Nov 08, 2021 Copper Contributor
Finally, and after an hour of removing quotes from "ForwardedEvents!*", the logs started coming. Happy also to see that in the column "Computer" we can see the client computer that sends its logs to the WEC server.
Furthermore and except from the ASIM we expecting from MS Analytic Rules Template regarding "WindowsEvent" table.
Thank you very much.
- NehaSingh0703 Jan 11, 2022
Microsoft
gregoval Did you start receiving logs for all events or for custom events after making the above changes?
I am also facing the exact issue.
- Clive_Watson Nov 08, 2021 Bronze Contributor
So pleased this worked (eventually).
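
The check discussed in this thread, as an added example that is not part of any post above: it takes a DCR-style entry in <LogName>!<XPath> form, flags surrounding quotes, and runs the XPath through Get-WinEvent locally. It assumes it is run on the WEC server; Test-DcrXPathQuery is a hypothetical helper name and the two inputs are constructed.

```powershell
# Added example (not from the thread). Test-DcrXPathQuery is a hypothetical helper name.
function Test-DcrXPathQuery {
    param(
        [Parameter(Mandatory)][string]$Query,   # DCR-style entry: <LogName>!<XPath>
        [int]$MaxEvents = 5
    )

    $result = [ordered]@{
        Query = $Query; Quoted = $false; LogName = $null; XPath = $null
        Matched = 0; Status = $null
    }

    $q = $Query.Trim()
    # The problem resolved in this thread: the entry was wrapped in quotes.
    if ($q -match '^["''].*["'']$') {
        $result.Quoted = $true
        $result.Status = 'Wrapped in quotes: remove them from the DCR entry'
        $q = $q.Trim('"', "'")
    }

    # Split on the first "!" only; the XPath part may itself contain "!" (e.g. "!=").
    $parts = $q -split '!', 2
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        $result.Status = 'Not in <LogName>!<XPath> form'
        return [pscustomobject]$result
    }
    $result.LogName = $parts[0]; $result.XPath = $parts[1]

    try {
        # Same local test the linked blog post suggests: does the XPath return events?
        $events = @(Get-WinEvent -LogName $parts[0] -FilterXPath $parts[1] `
                        -MaxEvents $MaxEvents -ErrorAction Stop)
        $result.Matched = $events.Count
        if (-not $result.Status) { $result.Status = 'OK' }
    } catch {
        # Raised for an invalid XPath, an unknown log, or no matching events.
        if (-not $result.Status) { $result.Status = "Get-WinEvent: $($_.Exception.Message)" }
    }
    [pscustomobject]$result
}

# Constructed inputs: the quoted form first tried in the thread, then the working one.
'"ForwardedEvents!*"', 'ForwardedEvents!*' |
    ForEach-Object { Test-DcrXPathQuery $_ } | Format-List
```

A result with Quoted = True identifies the entry to correct in the DCR; Matched = 0 with Status OK or a Get-WinEvent message means the log or XPath itself returns nothing on the collector.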