Send Windows Event Logs Into Log Analytics Workspace


I have some on-premises servers where I would like to send specific Windows event log IDs to a Log Analytics workspace. I see I can download the MMA agent. How do I configure it to only send specific Event IDs?

5 Replies

@shockotechcom I don't think you can send specific event log IDs.

You can send specific event logs (Application, System etc.) and specific types, i.e. Error, Warning & Info, but not an actual ID.

You would normally then use Kusto queries on the logs ingested into Log Analytics to filter for specific IDs and then trigger alerts/runbooks/logic apps etc.
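As an added example of the approach this reply describes (not code from the original thread): collection is enabled per log and per level through the workspace data source, and the Event ID filtering happens afterwards in Kusto. It assumes the Az.OperationalInsights module and an existing sign-in (Connect-AzAccount); the resource group, workspace and data-source names are placeholders, and the Event IDs 41, 6008 and 7034 (Kernel-Power, unexpected shutdown, service crash) are just an illustrative selection.

```powershell
# Added example, not from the original thread. Placeholders below are assumptions.
$rg        = "rg-logging"    # assumed resource group name
$workspace = "law-onprem"    # assumed Log Analytics workspace name

# 1. MMA / Log Analytics agent: the granularity is the event log and the level.
#    This turns on System-log Error and Warning events for every agent that
#    reports to the workspace; there is no per-Event-ID switch here.
New-AzOperationalInsightsWindowsEventDataSource `
    -ResourceGroupName $rg `
    -WorkspaceName     $workspace `
    -Name              "System-Errors-Warnings" `
    -EventLogName      "System" `
    -CollectErrors `
    -CollectWarnings

# 2. Narrow down to the IDs you care about at query time. The same KQL can be
#    pasted into a scheduled alert rule so that only these IDs fire an action.
$eventIds = 41, 6008, 7034   # illustrative IDs, adjust to your own list
$kql = @"
Event
| where TimeGenerated > ago(1h)
| where EventLog == "System"
| where EventID in ($($eventIds -join ', '))
| project TimeGenerated, Computer, EventID, EventLevelName, Source, RenderedDescription
| order by TimeGenerated desc
"@

# Invoke-AzOperationalInsightsQuery wants the workspace's CustomerId (GUID), not its name.
$ws     = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$result.Results | Format-Table -AutoSize
```

The cost caveat raised later in the thread still applies: everything at the selected levels is ingested and billed before the query runs, so with this agent the only levers for volume are the log names and the levels you enable.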


Is this definitely true? Azure Sentinel gives you preconfigured options for only sending certain Security Event IDs, see https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events.
It seems like the functionality to only send specific events from certain logs is there in Microsoft Monitoring Agent, but I've yet to find any info on how we can configure that ourselves.
Sending everything from the System log on all my devices would cost way too much, and I am only interested in a few events.
The ability to send specific Event logs in MMA exists in some solutions, such as Azure Defender or Sentinel. But other than specific solutions, you can't have granular control over event log capture. However, the new Azure Monitor Agent (in Preview) will be able to do that and much more. Have a look here: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview
Sounds good if you're wanting to monitor VMs in Azure, but I am using Azure Sentinel to pull logs from laptops, and it seems Azure Monitor is (currently) not interested in physical stuff.
The Azure Monitor Agent works with Azure Arc onboarded servers. It doesn't work yet with client OSes. https://docs.microsoft.com/en-us/azure/azure-arc/servers/agent-overview#supported-operating-systems
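As an added example of the per-Event-ID filtering the Azure Monitor Agent is said to offer above (this is not code from the thread or from the linked documentation): AMA takes its collection settings from a Data Collection Rule, and each Windows event source in the rule is an XPath expression in the form Channel!XPath, so the filter is applied on the server before anything is sent. The script builds such a rule, checks the XPath locally with Get-WinEvent first, and deploys it. It assumes the Az.Monitor module; the resource group, region, rule name and workspace resource ID are placeholders, the Event IDs are illustrative, and the parameter names on New-AzDataCollectionRule (-RuleFile) are those of older Az.Monitor releases and should be checked against the version you have installed. The target server must already be an Azure VM or Azure Arc-onboarded, and the rule still has to be associated with it afterwards.

```powershell
# Added example, not from the original thread. Placeholders below are assumptions.
$rg        = "rg-logging"                      # assumed resource group
$location  = "westeurope"                      # assumed region
$ruleName  = "dcr-windows-selected-events"     # assumed DCR name
$workspaceResourceId = "/subscriptions/<sub-id>/resourceGroups/rg-logging" +
    "/providers/Microsoft.OperationalInsights/workspaces/law-onprem"   # assumed

# One XPath per channel. Only events matching these expressions leave the host.
$filters = @{
    "System"      = "*[System[(EventID=41 or EventID=6008 or EventID=7034)]]"
    "Application" = "*[System[(EventID=1000 or EventID=1026)]]"
}

# 1. Sanity-check each expression locally before deploying: a typo in the XPath
#    silently collects nothing, which is the failure mode you least want in a DCR.
foreach ($channel in $filters.Keys) {
    $sample = Get-WinEvent -LogName $channel -FilterXPath $filters[$channel] `
                           -MaxEvents 3 -ErrorAction SilentlyContinue
    "{0}: {1} matching event(s) found locally" -f $channel, @($sample).Count
}

# 2. Assemble the DCR. windowsEventLogs.xPathQueries entries use "Channel!XPath".
$xPathQueries = foreach ($channel in $filters.Keys) { "$channel!$($filters[$channel])" }

$dcr = @{
    location   = $location
    properties = @{
        dataSources = @{
            windowsEventLogs = @(@{
                name         = "selectedWindowsEvents"
                streams      = @("Microsoft-Event")      # lands in the Event table
                xPathQueries = @($xPathQueries)
            })
        }
        destinations = @{
            logAnalytics = @(@{ name = "law"; workspaceResourceId = $workspaceResourceId })
        }
        dataFlows = @(@{ streams = @("Microsoft-Event"); destinations = @("law") })
    }
}

$ruleFile = Join-Path $env:TEMP "$ruleName.json"
$dcr | ConvertTo-Json -Depth 10 | Set-Content -Path $ruleFile -Encoding utf8

# 3. Deploy. Associate the rule with each Arc server / VM afterwards
#    (New-AzDataCollectionRuleAssociation) or the agent never picks it up.
New-AzDataCollectionRule -Location $location -ResourceGroupName $rg `
                         -RuleName $ruleName -RuleFile $ruleFile
```

Because the filter runs on the agent, only the listed IDs are ingested and billed, which is the difference from the MMA setup earlier in the thread where the whole level of a log is shipped and the Event ID is filtered only in the query.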