Review events of a Windows File Server with Azure Monitor

Hello, I am looking for a way to be able to consult the events that I get from my on-premises file server with Azure Monitor.

Can someone give me some idea of how to do it?

5 Replies

Hi @Karlos_Mar,

Not sure what exactly you need here. To collect events from your server, you should install a Log Analytics agent on it (read more here).

If you're already collecting logs and need help analyzing them - please explain what data you want to get from your logs.

Thanks!

Hi,

I agree with @Noa Kuperberg, you need to ensure you get your on-premises server logs (and/or metrics) to an Azure Monitor workspace, where you can analyze them, visualize them, create alerts, etc. You could then create a Kusto query that would search for events from that particular machine or even for specific events (IDs, sources, etc.).

I would only add that an alternative to installing an MMA agent on your server(s) would be integrating your existing SCOM environment with Azure Monitor, but obviously only in case you have one :)

Have a nice day.

Hello, Noa

I have a local on-premises server that acts as a file server. It already has auditing enabled for (access object), the server also has AMA, and at the Azure Monitor level Security Center is enabled. However, there are event IDs that do not come out when I run the Kusto query, for example 4659.

Now, if I run the query, 4663 comes out, but it does not bring me the information that an object has been deleted. If I go to the local Event Viewer of the machine, the event appears, even 4659.

Again, in the case of event ID 4663, I observe that the query brings me information about the event, but taken from the XML.

Hello, I have a local on-premises server that acts as a file server. It already has auditing enabled for (access object), the server also has AMA, and at the Azure Monitor level Security Center is enabled. However, there are event IDs that do not come out when I run the Kusto query, for example 4659.

Now, if I run the query, 4663 comes out, but it does not bring me the information that an object has been deleted. If I go to the local Event Viewer of the machine, the event appears, even 4659.

Again, in the case of event ID 4663, I notice that the query brings me information about the event, but taken from the XML.

Where I can't get the access request: DELETE

@David Pazdera @Noa Kuperberg

For example, Event ID 4659: at the local Event Viewer level it does appear, but in Log Analytics it does not appear.

Hence my question: can you have control of all the events generated with Azure Monitor, or to what extent?

I hope you can help me, regards.
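An added example, not part of the thread: one way to pull the requested access rights (including DELETE) out of the XML that a 4663 record carries, by decoding its `AccessMask` field. It assumes the XML follows the Windows `EventData` layout (`Data` elements with a `Name` attribute); the sample event and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# File-object access rights carried in the AccessMask field of event 4663.
FILE_ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute/Traverse",
    0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Constructed sample, shaped like the EventData XML of a 4663 event.
SAMPLE_EVENT_DATA = """<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data Name="SubjectUserName">jdoe</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">D:\\Shares\\Finance\\report.xlsx</Data>
  <Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
  <Data Name="AccessList">%%1537</Data>
  <Data Name="AccessMask">0x10000</Data>
</EventData>"""

def parse_event_data(xml_text):
    """Return {Name: text} for every <Data> element, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    return {el.get("Name"): (el.text or "").strip()
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Data"}

def decode_access_mask(mask_text):
    """Translate a hex AccessMask string into a list of access-right names."""
    mask = int(mask_text, 16)
    names = [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(FILE_ACCESS_BITS)  # bits not covered by the table
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names

def summarize(xml_text):
    """Reduce one event's XML to who touched what, and whether DELETE was requested."""
    fields = parse_event_data(xml_text)
    rights = decode_access_mask(fields.get("AccessMask", "0x0"))
    return {"user": fields.get("SubjectUserName"), "object": fields.get("ObjectName"),
            "rights": rights, "is_delete": "DELETE" in rights}

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENT_DATA))
```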