
Adding events from (on-prem) Windows Servers


Me again...

As far as I can tell, there is no (default) connector to pull in events from (on-premises) Windows Servers. However, Log Analytics can be configured to pull them in using the Windows Server agent.

Is it supported to use the Windows Server agent to add the events to the same workspace as used by Sentinel to build your own dashboard?

Haven't tested/tried yet...

-Michael

1 Reply
Yes, that's what worked for me. I actually added Sentinel to an existing workspace that had log analytics from on-premise servers, but same idea. Everything then just showed up in Sentinel.