SOLVED

Sentinel - Windows Forwarded Events Connector Ingestion issue

Occasional Contributor

Hello,

 

In Microsoft Sentinel we have enabled the "Windows Forwarded Events (Preview)" Data Connector but no logs are coming.  Here are the details of the setup:

 

  • Windows Server 2019 (Azure Arc Enabled)
  • Data Collection Rule "ForwardedEvents!*"
  • AzureMonitorWindowsAgent has installed to Azure-Arc enabled Windows Server
  • WEC is enabled to the Windows Server and ForwardedEvents are normally populated to the Event Viewer.

 

 

gregoval_0-1636102937091.png

 

gregoval_1-1636103448895.png

 

Is the are any additional action that should be done to the WEC or DCR side?

 

Thank you,

Greg

 

 

 

 

5 Replies
best response confirmed by gregoval (Occasional Contributor)
Solution
Did you try and remove the quotes, I don't have mine setup anymore but I think you don't need them? e.g.
ForwardedEvents!*

I assume you are aware the data goes into this Table: WindowsEvents

@CliveWatsonThanks for your reply.

I removed the quotes and DCR changed from "Custom" to AllEvents":

gregoval_0-1636111425405.png

Still no logs received.

Thank you,

Finally and after an hour of removing quotes from "ForwardedEvents!*" the logs started coming. Happy also to see that in the column "Computer" we can see the computer client that sends its logs to WEC server.
Furthermore and except from the ASIM we expecting from MS Analytic Rules Template regarding "WindowsEvent" table.

Thank you very much.
So pleased this worked (eventually).