Sending Windows security event logs from domain-joined on-premise Windows Servers


Hi all,

I have two on-premises Windows servers that are only domain-joined to a local domain controller. I understand there was a forum post about sending logs through WEF via an AMA collector: Forward On-Premises Windows Security Event Logs to Microsoft Sentinel - Microsoft Community Hub

However, there is a prerequisite when installing the AMA agent: the machine must be joined to a Microsoft Entra tenant (AAD or Hybrid AAD machines), which enables the agent to fetch Microsoft Entra device tokens used to authenticate and fetch data collection rules from Azure.

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client

The issue is that the company won't allow those servers to be hybrid-joined, so how can I forward the security event log to Sentinel?

Thanks a lot.

1 Reply

@Jacky_Tse We have this setup and you don't need your on-prem machines to join an Azure AD domain. However, you do need to onboard those two servers to Azure Arc to install the AMA. There is also a bit of configuration that needs to be done for AMA, such as data collection rules. That is pretty much our setup for Windows logs. All Windows servers forward event logs to those two VMs, then these VMs send it to Sentinel using the AMA that was installed through Arc.
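The Arc-based setup described in the reply, as an added example that is not part of the original thread: the WEF collector is connected to Azure Arc (so the AMA authenticates with the Arc machine's managed identity rather than an Entra device token), the AMA is installed as an Arc extension, and an existing data collection rule is associated with the machine. Resource names, ids and the DCR are assumed placeholders; steps 1 and 4 run on the collector itself, steps 2 and 3 from an admin host with the Az.ConnectedMachine and Az.Monitor modules (parameter names follow the module versions I am assuming here).

```powershell
# Added example, not the poster's own script. All names and ids are placeholders.
$SubscriptionId = "<subscription-id>"
$TenantId       = "<tenant-id>"
$ResourceGroup  = "rg-sentinel-collectors"
$Location       = "westeurope"
$MachineName    = $env:COMPUTERNAME
# Assumed: a DCR already exists that collects Security/ForwardedEvents and
# targets the Sentinel workspace as its Log Analytics destination.
$DcrResourceId  = "/subscriptions/<subscription-id>/resourceGroups/rg-sentinel-collectors" +
                  "/providers/Microsoft.Insights/dataCollectionRules/dcr-forwarded-security-events"
$AzcmAgent      = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"

# 1. On the collector: connect the server to Azure Arc. This creates the
#    Arc machine resource and its system-assigned managed identity, which is
#    what the AMA uses to pull its data collection rules instead of an
#    Entra device token (so no hybrid join is needed).
& $AzcmAgent connect `
    --resource-group $ResourceGroup `
    --tenant-id $TenantId `
    --location $Location `
    --subscription-id $SubscriptionId

# 2. From an admin host: install the Azure Monitor Agent as an Arc extension.
Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId
New-AzConnectedMachineExtension -Name AzureMonitorWindowsAgent `
    -ExtensionType AzureMonitorWindowsAgent `
    -Publisher Microsoft.Azure.Monitor `
    -ResourceGroupName $ResourceGroup `
    -MachineName $MachineName `
    -Location $Location

# 3. From an admin host: associate the DCR with the Arc machine so the agent
#    knows which event channels to read and which workspace to send them to.
$machine = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $MachineName
New-AzDataCollectionRuleAssociation -TargetResourceId $machine.Id `
    -AssociationName "dcra-forwarded-security-events" `
    -RuleId $DcrResourceId

# 4. On the collector: confirm the Arc agent is connected and the extension
#    reports Succeeded before expecting events in the SecurityEvent table.
& $AzcmAgent show
Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $MachineName |
    Select-Object Name, ProvisioningState
```

The Arc machine's managed identity needs no role assignment for this flow, since the DCR association is created on the machine resource by the admin running step 3.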