SOLVED
Home

Windows Event Forwarding

%3CLINGO-SUB%20id%3D%22lingo-sub-731057%22%20slang%3D%22en-US%22%3EWindows%20Event%20Forwarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-731057%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20trying%20to%20use%20Windows%20Event%20Forwarding%20to%20get%20logs%20in%20to%20Log%20Analytics.%20We%20have%20configured%20the%20security%20log%20to%20forward%20on%20to%20a%20central%20server.%20This%20works%20fine%20and%20I%20can%20see%20entries.%20We%20have%20set%20up%20Log%20Analytics%20to%20collect%20the%20%22ForwardedEvents%22%20log.%20From%20a%20restart%20of%20the%20Monitoring%20Agent%20service%20I%20can%20see%20the%20following%3A%3C%2FP%3E%3CP%3E%3CEM%3EThe%20Windows%20Event%20Log%20Provider%20has%20resumed%20processing%20the%20ForwardedEvents%20event%20log%20on%20computer%20'fqdn'%20after%20recovering%20from%20errors.%20%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3EOne%20or%20more%20workflows%20were%20affected%20by%20this.%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20indicates%20that%20it%20should%20be%20collecting%20the%20logs%20fine.%20I%20cannot%20however%20for%20love%20nor%20money%20find%20these%20events%20in%20Log%20Analytics.%20Is%20there%20anything%20I%20am%20missing%3F%20Is%20this%20supported%3F%20I've%20googled%20the%20forwarded%20events%20in%20to%20LA%20and%20found%20the%20UserVoice%20post%20asking%20for%20this%20to%20work%20but%20not%20actually%20found%20anything%20on%20making%20it%20work.%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-731057%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECustom%20Logs%20and%20Custom%20Fields%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-731668%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Event%20Forwarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-731668%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F133019%22%20target%3D%22_blank%22%3E%40Mark%20Lewis%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Security-Center%2FWEF-forwarding-to-Azure-Security-Centre-Log-Analytics%2Fm-p%2F662369%23M49%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Security-Center%2FWEF-forwarding-to-Azure-Security-Centre-Log-Analytics%2Fm-p%2F662369%23M49%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-733626%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Event%20Forwarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-733626%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3Eperfect%20thank%20you%20very%20much!%20Will%20keep%20an%20eye%20on%20it.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Mark Lewis
Occasional Contributor

We are trying to use Windows Event Forwarding to get logs in to Log Analytics. We have configured the security log to forward on to a central server. This works fine and I can see entries. We have set up Log Analytics to collect the "ForwardedEvents" log. From a restart of the Monitoring Agent service I can see the following:

The Windows Event Log Provider has resumed processing the ForwardedEvents event log on computer 'fqdn' after recovering from errors.

 

One or more workflows were affected by this. 

 

This indicates that it should be collecting the logs fine. I cannot however for love nor money find these events in Log Analytics. Is there anything I am missing? Is this supported? I've googled the forwarded events in to LA and found the UserVoice post asking for this to work but not actually found anything on making it work.

Thanks

2 Replies

@Clive Watsonperfect thank you very much! Will keep an eye on it.