
Windows 10 Event Logs not appearing on Log Analytics Workspace


Hello,

I have been trying to get the event logs from Windows 10 devices to a Log Analytics workspace at first. On the 'Agent Configuration' page under the Log Analytics workspace, I have added the Application and System event logs. Data for those events is appearing when I run the query.

I want the logs for the below mentioned events:

Signin : 4648
Signout : 4647
UAC: 4673, 4688

Also, apart from these events, on a broader aspect I would require the entire Security event logs to be visible under the Log Analytics Workspace, but I cannot see any pre-defined 'Security' Windows event log available on the 'Agent Configuration' page in my Workspace.

Can anyone explain if this is possible and how I would be able to bring the Security event logs to the Workspace?

Thank You!

3 Replies
Security and AppLocker events are collected by default. See https://cda.ms/2WP for the list.

Which Data Connector do you have enabled? The Windows Security Events or the Security Events data connector?

P.S. Depending on how many Windows 10 devices you have, enabling event log collection on all in your org on-premises will be expensive.
Hi Rod,
Thank you for your response! Actually, I did not enable any connector on Sentinel. I thought there should be an option for Security Events under the 'Agent Configuration' page in the Log Analytics Workspace and, as a result, the logs should be visible there. I have Sentinel connected to this workspace as well. Let me just quickly enable it and test.
So, yes...you'll need to enable the Data Connector, but there's also an agent installation. The instructions for that are in the Data Connector pages.