
Adding events from (on-prem) Windows Servers

Michael Van Horenbeeck
MVP

Me again...

As far as I can tell, there is no (default) connector to pull in events from (on-premises) Windows Servers. However, Log Analytics can be configured to pull them in using the Windows Server agent.

Is it supported to use the Windows Server agent to add the events to the same workspace as used by Sentinel to build your own dashboard?

Haven't tested/tried yet...

-Michael

1 Reply
Yes, that's what worked for me. I actually added Sentinel to an existing workspace that had log analytics from on-premise servers, but same idea. Everything then just showed up in Sentinel.