Forum Discussion
Sysmon log collection via Azure monitor agent (AMA)
Hi Team
I have a quick question regarding the Azure Monitoring Agent. I want to capture Sysmon logs from an Azure machine which has the AMA extension installed and a data collection rule set to all events. I have downloaded the Sysmon package and configured it on the machine; however, is there a link to docs which I can follow to configure the DCR (rule) in Azure Sentinel to allow Sysmon logs to be captured by the AMA agent?
With the LA agent it's quite simple to do the same, as I can just go to Agent configuration and add > Microsoft-Windows-Sysmon/Operational and logs and it's all good. Am I missing something?
Thanks
4 Replies
- Kenz
Microsoft
Same question. Next year. It looks like you would have to configure some type of data collection rule (DCR) using XPath. Or some other coding. Has anybody done this? And yes, it appears far more complex with the AMA. Thanks, and I hope I am wrong.
- Mike82
Copper Contributor
A workaround to get the logs is to add a "Windows event log" configuration under the "Legacy agents management" section of the LA workspace. Check the screenshot below:
I am sure there are better ways via DCR to do this. 🙂
- Clive_Watson
Bronze Contributor
Updated blog post on this topic: https://jeffreyappel.nl/deploy-sysmon-and-collect-data-with-sentinel-and-the-ama-agent/
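As an added example (not posted by anyone in this thread and not taken from the linked blog), this is a minimal ARM template for the kind of XPath-based DCR the replies describe: it tells AMA to forward every event from the Microsoft-Windows-Sysmon/Operational channel into the Event table of a Log Analytics workspace. The rule name, location and workspace resource ID are placeholders you would replace with your own values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2021-09-01-preview",
      "name": "dcr-sysmon-ama",
      "location": "<REGION-PLACEHOLDER>",
      "kind": "Windows",
      "properties": {
        "description": "Example only: collect all Sysmon operational events via AMA",
        "dataSources": {
          "windowsEventLogs": [
            {
              "name": "sysmonOperational",
              "streams": [ "Microsoft-Event" ],
              "xPathQueries": [
                "Microsoft-Windows-Sysmon/Operational!*"
              ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            {
              "name": "sentinelWorkspace",
              "workspaceResourceId": "/subscriptions/<SUB-ID-PLACEHOLDER>/resourceGroups/<RG-PLACEHOLDER>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE-PLACEHOLDER>"
            }
          ]
        },
        "dataFlows": [
          {
            "streams": [ "Microsoft-Event" ],
            "destinations": [ "sentinelWorkspace" ]
          }
        ]
      }
    }
  ]
}
```

The rule still has to be associated with the VM (a data collection rule association, created from the DCR's Resources blade or as a separate resource) before AMA picks it up; once it is, events should appear in the Event table where `EventLog == "Microsoft-Windows-Sysmon/Operational"`, which is a quick way to confirm ingestion.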