Azure Monitor Agent with data collection rule doesn't collect events

Hello together,

I have two Arc-enabled on-prem Windows Server VMs and a DCR configured for collecting specific event logs:

"dataSources": {
    "performanceCounters": [
        {
            "streams": [
                "Microsoft-Perf",
                "Microsoft-InsightsMetrics"
            ],
            "samplingFrequencyInSeconds": 10,
            "counterSpecifiers": [
                "\\Processor Information(_Total)\\% Processor Time",
                "\\System\\System Up Time",
                "\\Memory\\Available Bytes",
                "\\LogicalDisk(*)\\% Free Space"
            ],
            "name": "perfCounterDataSource10"
        }
    ],
    "windowsEventLogs": [
        {
            "streams": [
                "Microsoft-Event"
            ],
            "xPathQueries": [
                "Veeam Backup!*[System[EventID=190]]",
                "System!*[System[EventID=7036] and System/Provider[@Name='Service Control Manager'] and EventData/Data[@Name='param1']='Themes' or EventData/Data[@Name='param1']='Windows Update']"
            ],
            "name": "eventLogsDataSource"
        }
    ]
},

For testing purposes, I want the event logs regarding the Windows Update service and the Themes service (and Veeam Backup).

But I don't receive any event logs. I would need some help to troubleshoot a scenario like this.

Thank you very much in advance!
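
A local check for the scenario above, added here and not part of the original post: run each DCR xPathQuery through Get-WinEvent on the Arc-enabled server itself to confirm that the channel exists and that the query matches events at all, before suspecting the agent or the DCR association. The $dcrQueries array is assumed to be copied from the DCR shown above.

```powershell
# Added example (not from the original post): validate DCR event-log queries locally.
# The DCR stores each entry as "<Channel>!<XPath>", so split on the first "!" and
# hand both halves to Get-WinEvent, which evaluates the same XPath the agent will use.
$dcrQueries = @(
    'Veeam Backup!*[System[EventID=190]]',
    "System!*[System[EventID=7036] and System/Provider[@Name='Service Control Manager'] and EventData/Data[@Name='param1']='Themes' or EventData/Data[@Name='param1']='Windows Update']"
)

foreach ($q in $dcrQueries) {
    $channel, $xpath = $q -split '!', 2

    # A channel that is not registered on this host (e.g. Veeam not installed) can never
    # produce events for the agent, so report that separately from an empty result.
    if (-not (Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue)) {
        Write-Host ("{0,-14} channel does not exist on this host" -f $channel)
        continue
    }

    try {
        # -ErrorAction Stop turns "no events found" and malformed XPath into catchable errors.
        $events = @(Get-WinEvent -LogName $channel -FilterXPath $xpath -MaxEvents 5 -ErrorAction Stop)
        Write-Host ("{0,-14} {1} recent match(es) for: {2}" -f $channel, $events.Count, $xpath)
        $events | Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -AutoSize
    } catch {
        if ($_.Exception.Message -match 'No events were found') {
            # Valid query, nothing matched yet: the agent has nothing to send until a new event occurs.
            Write-Host ("{0,-14} query is valid but matched 0 events" -f $channel)
        } else {
            # Typically an XPath syntax error; the agent would silently drop such a query.
            Write-Host ("{0,-14} FAILED: {1}" -f $channel, $_.Exception.Message)
        }
    }
}
```

Note that in XPath `and` binds tighter than `or`, so the second query as written matches every Service Control Manager 7036 event for Themes plus any System event whose param1 is 'Windows Update' regardless of provider or event ID; wrap the two param1 tests in parentheses if only 7036 events are intended.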
1 Reply

@nexus-dave 

I have very very recently (yesterday) enabled Log Collection extending to System Events on an Azure Arc enabled server.

How I accomplished this was as follows:

In the Workspace that ARC is using, I opened "Agents", then went to Data Collection Rules. There is already a default collection rule, so I added to it a Windows Event Log.

Now, here I had some funny issues. My goal was to ingest Veeam Agent logs. But for whatever reason, if I only put the XPath below, it never submitted.

Veeam Agent!*[System[(EventID=190 or EventID=191)]]

Once I included some regular Event Logs, it allowed me to add the above.

I left it overnight, as it didn't scrape the event log for previous entries.

This morning when I opened the ARC enabled server and went to its logs, I was able to run the KQL:

Event
| where Source contains "Veeam"

and I got back last night's success.