Reviewing logs from onprem virtual machine on Sentinel

Hello community,

Can anyone point me to some information regarding reviewing logs on Sentinel?

The idea is to identify logs from an on-prem virtual machine running Windows 2008.

The Sentinel agent has been successfully deployed and configured, however I'm not able to identify events regarding this VM.

thanks in advance,

luciano

2 Replies

@lucianoARG 

1st - how long ago was the agent installed?

2nd - check to make sure the agent is configured for the proper Log Analytics workspace.

3rd - which Data Connectors do you have enabled? The following support the agent:

  • Windows Security Events
  • DNS
  • Windows Firewall
  • Windows Event Forwarder (WEF)
  • IIS
  • Local files
  • Wire Data
  • Syslog

4th - Have you completed the agent configuration for the Log Analytics workspace? Go into the Data blade in Advanced Settings for the Log Analytics Workspace assigned to Sentinel:

  • In Azure Sentinel, select Workspace Settings, Advanced Settings then select Data.
  • You can add additional Windows event logs to be streamed to your Sentinel workspace.

@lucianoARG One other thing you can look at is whether there is a Heartbeat entry for the computer. This helps answer some of the questions Rod Trent posted.
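The checks suggested in both replies (is the agent heartbeating into the right workspace, and which tables actually receive data from the VM) can be run as Log Analytics queries in the Sentinel workspace. This is an added example, not from either reply; the computer name `ONPREM-VM01` is a placeholder for the VM's own name, and the two queries are run separately.

```kql
// Placeholder: replace with the computer name the agent reports (check Heartbeat first).
let target = "ONPREM-VM01";
// Query 1: has the agent checked in at all? Heartbeat is written by the agent itself,
// so a row here confirms the agent is talking to THIS workspace. No row within the
// last few minutes usually means wrong workspace ID/key, blocked outbound HTTPS, or
// a stopped agent service on the VM.
Heartbeat
| where TimeGenerated > ago(1d)
| where Computer =~ target or Computer startswith target
| summarize LastHeartbeat = max(TimeGenerated), Beats = count()
    by Computer, OSType, OSName, Version, ComputerEnvironment, ComputerIP
| extend MinutesSinceLastBeat = datetime_diff("minute", now(), LastHeartbeat)
| order by LastHeartbeat desc

// Query 2: which tables receive data from the VM? isfuzzy=true lets the union run
// even if a connector's table has never been created in the workspace.
// Heartbeat present but SecurityEvent/Event empty points at the Data Connector or the
// Advanced Settings > Data event-log configuration rather than at agent connectivity.
let target = "ONPREM-VM01";
union isfuzzy=true withsource=SourceTable Heartbeat, SecurityEvent, Event
| where TimeGenerated > ago(1d)
| where Computer =~ target or Computer startswith target
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Rows = count()
    by SourceTable, Computer
| order by LastSeen desc
```

If Query 1 returns nothing, widen the `ago(1d)` window and drop the `Computer` filter to see what names the workspace has actually received before assuming the agent is broken.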