Reviewing logs from onprem virtual machine on Sentinel


Hello community,

Anyone who could point me to some information regarding reviewing logs on Sentinel?

The idea is to identify logs from an on-prem virtual machine running Windows 2008.

The Sentinel agent has been successfully deployed and configured; however, I'm not able to identify events regarding this VM.

thanks in advance,

luciano

2 Replies

@lucianoARG 

1st - how long ago was the agent installed?

2nd - check to make sure the agent is configured for the proper Log Analytics workspace.

3rd - which Data Connectors do you have enabled? The following support the agent:

  • Windows Security Events
  • DNS
  • Windows Firewall
  • Windows Event Forwarder (WEF)
  • IIS
  • Local files
  • Wire Data
  • Syslog

4th - Have you completed the agent configuration for the Log Analytics workspace? Go into the Data blade in Advanced Settings for the Log Analytics Workspace assigned to Sentinel:

  • In Azure Sentinel, select Workspace Settings, Advanced Settings then select Data.
  • You can add additional Windows event logs to be streamed to your Sentinel workspace.

@lucianoARG One other thing you can look at is whether there is a Heartbeat entry for the computers. This helps answer some of the questions Rod Trent posted.
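The two replies above describe a checklist (is the agent bound to the right workspace, is it connected, is a connector enabled, is there a Heartbeat). The following PowerShell is an added example that works through that checklist; it is not code from the thread or from Microsoft. The first function runs on the on-prem VM and reads the Log Analytics (Microsoft Monitoring Agent) configuration through the `AgentConfigManager.MgmtSvcCfg` COM object that the agent installs. The second runs from any workstation with the `Az.OperationalInsights` module after `Connect-AzAccount`, queries the workspace for Heartbeat, SecurityEvent and Event rows for the VM, and maps what is missing back onto the checklist. The workspace ID and computer name used in the usage lines are placeholders; the diagnosis strings are my interpretation of the replies, not output of any Microsoft tool.

```powershell
# Added example (not from the thread). Assumptions: the MMA agent is installed on the VM and
# exposes the AgentConfigManager.MgmtSvcCfg COM object; Az.OperationalInsights is installed on
# the querying workstation and Connect-AzAccount has been run with Log Analytics Reader rights.

# --- 1. Run on the on-prem VM (PowerShell 2.0-compatible syntax) --------------------------
function Get-MmaAgentStatus {
    # HealthService is the Microsoft Monitoring Agent service; if it is stopped, nothing is sent.
    $svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    $serviceStatus = 'NotInstalled'
    if ($svc) { $serviceStatus = $svc.Status }

    # The agent's COM API lists every workspace it is configured for, with the registration state.
    # ConnectionStatus 0 means the agent has successfully registered with that workspace; compare
    # WorkspaceId with the workspace that is attached to Sentinel (reply point 2).
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $workspaces = foreach ($ws in $cfg.GetCloudWorkspaces()) {
        New-Object PSObject -Property @{
            WorkspaceId          = $ws.workspaceId
            ConnectionStatus     = $ws.ConnectionStatus
            ConnectionStatusText = $ws.ConnectionStatusText
        }
    }

    # Agent-side failures (wrong key, proxy, certificate, clock skew) are logged here as Error/Critical.
    $agentErrors = Get-WinEvent -LogName 'Operations Manager' -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 2 } |
        Select-Object -First 10 TimeCreated, Id, Message

    New-Object PSObject -Property @{
        ServiceStatus = $serviceStatus
        Workspaces    = $workspaces
        RecentErrors  = $agentErrors
    }
}

# --- 2. Run from a workstation with Az.OperationalInsights --------------------------------
function Get-SentinelIngestionStatus {
    param(
        [Parameter(Mandatory = $true)][string]$WorkspaceId,  # Log Analytics workspace GUID (placeholder)
        [Parameter(Mandatory = $true)][string]$Computer,     # name exactly as the Computer column shows it
        [int]$Days = 7
    )
    # The name is interpolated into a KQL string literal; restrict it to hostname characters so a
    # stray quote cannot alter the query.
    $name = $Computer -replace '[^\w\.\-]', ''

    # union isfuzzy=true keeps the query valid when a table does not exist in the workspace yet,
    # which is exactly the situation when the matching data connector was never enabled.
    $query = @"
let c = "$name";
union isfuzzy=true
    (Heartbeat     | where Computer =~ c | project TimeGenerated, Computer, SourceTable = "Heartbeat"),
    (SecurityEvent | where Computer =~ c | project TimeGenerated, Computer, SourceTable = "SecurityEvent"),
    (Event         | where Computer =~ c | project TimeGenerated, Computer, SourceTable = "Event")
| summarize Rows = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceTable
"@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query -Timespan (New-TimeSpan -Days $Days)
    $rows = @($result.Results)

    $seen = @{}
    foreach ($r in $rows) { $seen[$r.SourceTable] = $r }

    # Map what is (not) present onto the checklist from the replies.
    if (-not $seen.ContainsKey('Heartbeat')) {
        $diagnosis = 'No Heartbeat: the agent is not reporting to this workspace (wrong workspace ID/key, HealthService stopped, outbound HTTPS blocked, or the agent was installed only minutes ago).'
    } elseif (-not $seen.ContainsKey('SecurityEvent') -and -not $seen.ContainsKey('Event')) {
        $diagnosis = 'Heartbeat only: the agent is connected but no collection is configured. Enable the Windows Security Events connector and/or add event logs under Workspace Settings > Advanced Settings > Data.'
    } elseif (-not $seen.ContainsKey('SecurityEvent')) {
        $diagnosis = 'Windows event logs arrive but there are no SecurityEvent rows: the Windows Security Events connector is not enabled for this workspace.'
    } else {
        $diagnosis = 'Heartbeat and events are present; query SecurityEvent | where Computer =~ "' + $name + '" directly.'
    }

    New-Object PSObject -Property @{ Rows = $rows; Diagnosis = $diagnosis }
}

# Usage (placeholder values):
# Get-MmaAgentStatus | Format-List
# Get-SentinelIngestionStatus -WorkspaceId '00000000-0000-0000-0000-000000000000' -Computer 'WIN2008-APP01'
```

Run the first function on the VM itself and compare the `WorkspaceId` it reports with the workspace that Sentinel is attached to; a mismatch there explains "no events" before any connector question arises. The KQL in the second function can also be pasted straight into the Logs blade with the `let c = "..."` line filled in by hand. Remember that a freshly installed agent needs a few minutes before its first Heartbeat row shows up, so an empty result right after installation is not yet a fault.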