SOLVED

Governance log way to see source of logs?

Microsoft

In the MDCA governance log, you can see all of the uploaded logs and current status. The question is, when it has errors, or if there is less data than you think, how can you tell where the data is coming from? What if you have multiple logs going to a single collector? Is there any way to get the identity of the source of the individual files? What collector and what appliance?

2 Replies
best response confirmed by michaelblanchard (Microsoft)
Solution

Hi @michaelblanchard,

Yes, there is a way to see the source of the logs in the MDCA governance log.

The column "Source" shows the IP address of the device that uploaded the log.

If you have multiple logs going to a single collector, you can use this information to identify the source of each log.

Microsoft Defender for Cloud Apps documentation: https://learn.microsoft.com/en-us/defender-cloud-apps/troubleshooting-cloud-discovery

Example:

The following table shows an example of a governance log with the source column:

| Time | Source | Status |
|---|---|---|
| 2023-09-27 11:32:11 | 192.168.1.100 | Success |
| 2023-09-27 11:32:12 | 192.168.1.101 | Failure |
| 2023-09-27 11:32:13 | 192.168.1.102 | Success |

In this example, you can see that the log from 192.168.1.101 failed to upload successfully. You can use this information to investigate the issue further.

 

If you are using a log collector, you can also use the collector's logs to identify the source of each log. The collector logs should show the IP address of the device that uploaded the log, as well as the time and date of the upload.

You can also use the MDCA governance log to identify the collector and appliance that uploaded each log. The column "Collector" shows the IP address of the collector, and the column "Appliance" shows the type of appliance that was used to collect the logs.

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it a Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

I don't see that field in the governance log, only "initiator"