Windows 2003 events in Sentinel


Hello everyone!

I have a customer asking me how to get Windows 2003 events into Sentinel. Obviously the MMA Sentinel Agent won't run on the host, but I'm thinking that event forwarding from 2003 to a supported system, and then scooping the logs from the supported system, will work. Has anyone done this yet?

Cheers!

2 Replies
Azure Sentinel currently doesn't support WEF, though this is planned. Meanwhile, you can use third-party alternatives such as NXlog to translate to Syslog, or WinLogBeat and Logstash to a custom log.
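To show what the NXLog route in the reply above looks like in practice, here is an added example configuration (not from the thread or from NXLog's own docs) for a Windows 2003 host shipping its event logs as BSD syslog over TCP to a Linux syslog collector that already feeds Sentinel. The collector address `10.0.0.5:514`, the `ROOT` path and the log sources are placeholders.

```conf
# Added example: NXLog CE nxlog.conf on the Windows 2003 host.
# ROOT is a placeholder; on 64-bit 2003 it is usually "C:\Program Files (x86)\nxlog".
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    # Provides to_syslog_bsd(), which wraps each record in an RFC 3164 header
    # that a stock rsyslog/syslog-ng collector can receive without extra parsing.
    Module  xm_syslog
</Extension>

<Input eventlog>
    # im_mseventlog reads the legacy (pre-Vista) event log API that Windows 2003
    # uses. im_msvistalog, which most current guides show, does not work here.
    Module  im_mseventlog
    # Placeholder source list; Security is the one Sentinel detections usually need.
    Sources Security, System, Application
    # Resume from the last saved position after a restart so events are not re-sent.
    SavePos TRUE
</Input>

<Output sentinel_collector>
    # TCP rather than UDP so large Security events are not silently dropped.
    Module  om_tcp
    Host    10.0.0.5
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route r>
    Path    eventlog => sentinel_collector
</Route>
```

On the collector, the events arrive in the Syslog table rather than SecurityEvent, so detection rules written against SecurityEvent fields need to be re-pointed or a parser added.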
Thank you! We'll go that route, I think.