Azure Monitor Agent with data collection rule doesn't collect events


Hello together,


I have two Arc-enabled on-prem Windows Server VMs and have a DCR configured for collecting specific event logs:



"dataSources": {
    "performanceCounters": [
        {
            "streams": [
            ],
            "samplingFrequencyInSeconds": 10,
            "counterSpecifiers": [
                "\\Processor Information(_Total)\\% Processor Time",
                "\\System\\System Up Time",
                "\\Memory\\Available Bytes",
                "\\LogicalDisk(*)\\% Free Space"
            ],
            "name": "perfCounterDataSource10"
        }
    ],
    "windowsEventLogs": [
        {
            "streams": [
            ],
            "xPathQueries": [
                "Veeam Backup!*[System[EventID=190]]",
                "System!*[System[EventID=7036] and System/Provider[@Name='Service Control Manager'] and EventData/Data[@Name='param1']='Themes' or EventData/Data[@Name='param1']='Windows Update']"
            ],
            "name": "eventLogsDataSource"
        }
    ]
}



For testing purposes, I want the event logs regarding the Windows Update service and the Themes service (and Veeam Backup).

But I don't receive any event logs. I would need some help to troubleshoot a scenario like this.


Thank you very much in advance!

1 Reply


I have very very recently (yesterday) enabled Log Collection extending to System Events on an Azure Arc enabled server.

How I accomplished this was as follows:

In the Workspace that ARC is using, I opened "Agents", then went to Data Collection Rules. There is already a default collection rule, so I added to it a Windows Event Log.

Now, here I had some funny issues. My goal was to ingest Veeam Agent logs. But for whatever reason, if I only put the XPath below, it never submitted.

Veeam Agent!*[System[(EventID=190 or EventID=191)]]


Once I included some regular Event Logs, it then allowed me to add the above.


I left it overnight, as it didn't scrape the event log for previous entries.


This morning when I opened the ARC enabled server, and went to its logs, I was able to run the KQL

| where Source contains "Veeam"

and I got back last night's success.
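
A local check for the `LogName!XPath` entries shown in this thread, added here as an example and not part of either post: it splits each DCR entry and runs it through `Get-WinEvent -FilterXPath` on the server, which separates "log name does not exist", "XPath is invalid" and "query is fine but nothing matches yet". The function name `Test-DcrXPathQuery` is hypothetical; it assumes a PowerShell session on the Arc-enabled server with rights to read the logs.

```powershell
# Added example: run in PowerShell on the Arc-enabled server itself.
# Each DCR entry has the form "<LogName>!<XPath>". The strings below are copied
# from the xPathQueries in the question and from the XPath in the reply.
$dcrQueries = @(
    "Veeam Backup!*[System[EventID=190]]",
    "System!*[System[EventID=7036] and System/Provider[@Name='Service Control Manager'] and EventData/Data[@Name='param1']='Themes' or EventData/Data[@Name='param1']='Windows Update']",
    "Veeam Agent!*[System[(EventID=190 or EventID=191)]]"
)

function Test-DcrXPathQuery {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Query)

    # Split on the first '!' only: the XPath part may itself contain '!' (as in !=).
    $logName, $xpath = $Query -split '!', 2
    $result = [ordered]@{ LogName = $logName; XPath = $xpath; Status = $null; Newest = $null }

    # 1. Does the event log (channel) named in the DCR exist on this machine?
    if (-not (Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue)) {
        $result.Status = 'Log not found on this server'
        return [pscustomobject]$result
    }

    # 2. Does the XPath parse, and does it match anything already in the log?
    try {
        $hit = Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop
        $result.Status = 'OK: query matches existing events'
        $result.Newest = $hit.TimeCreated
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $result.Status = 'Valid XPath, but no matching events in the log'
        } else {
            $result.Status = "Invalid query: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

$dcrQueries | ForEach-Object { Test-DcrXPathQuery -Query $_ } | Format-List
```

An entry that reports `OK` here but still returns nothing in the workspace points away from the XPath itself and toward the rule's association, streams or destination. As the reply notes, entries written before the rule took effect were not collected, so compare against events newer than the rule.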