Azure Sentinel Agent: Collecting from servers and workstations, on-prem and in the cloud

Published Aug 19 2019 01:43 PM 28.3K Views
Microsoft

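This is part of a series of blog posts on connectors. You might also find what you are looking for here:

- Syslog, CEF, Logstash and other 3rd party connectors grand list
- Collecting logs from Microsoft Services and Applications
- Creating Custom Connectors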

 

My previous blog posts discussed collecting events from Azure PaaS resources and networking and security sources. But what about collecting from servers? Whether deployed in the cloud, on-prem VMs or even physical machines, those are probably still the biggest attack surface and therefore the most common sources of events.

 

To collect events from servers wherever those are deployed, use the Azure Log Analytics agent (also called "MMA" for Microsoft Monitoring Agent). The agent supports collecting from Windows machines as well as Linux. The agent can be installed manually or provisioned in Azure using Microsoft VM extensions for Windows or Linux.

 

Azure Sentinel connectors which utilize the agent 

 

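The agent supports the following Sentinel connectors:

- Microsoft DNS servers
- Windows Firewall
  - The Windows firewall writes logs to files, which are collected and sent by the agent when the files are rotated. This adds collection latency, which can be controlled by changing the log file size.
- Windows Security Events

Once you enable them through Sentinel's Data Connectors, they are collected by every agent configured to send data to the workspace.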

 

Additional data streams collected by the Agent

 

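However, the agent is not limited to this telemetry, and Azure Sentinel can collect the following additional data streams using the agent:

- When installed on a domain controller, the agent collects AD events.
- You can configure the agents to send any Windows event type, not just security events, such as Sysmon. Some examples:
  - Using Sysmon in Azure Sentinel
  - Adding MBAM/Bitlocker Logs to Azure Sentinel
- IIS logs
- Wire Data: sFlow-like data collected by the agent (being replaced by VM Insights below)
- VM Insights: network connections, open ports, processes, and general computer information
  - Schema
  - Sample queries
- Files: Events stored in files on the server. See Custom logs in Azure Monitor.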

 

AKS and Containers

 

To collect control and data plane telemetry from containers, including AKS, see Azure Monitor for containers and how to enable it.

Additional on-premises Microsoft telemetry

 

For completeness, you can also collect on-premises telemetry from the following sources without using the agent:

- Windows Defender
- Intune
- Microsoft SQL: Logs to the Windows Event

 

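Agent deployment and management

- Maintenance:
  - Maintain the Log Analytics agent
  - Monitor agents health using the Azure Monitor Agent Health solution
  - Troubleshooting
- Deployment:
  - Scale the agent using a VM scale set
  - You can send telemetry from an agent to multiple destination workspaces.
  - No direct internet access for the agent? Use the Log Analytics gateway. Need to scale the gateway? Use Azure load balancer.
- Configuration:
  - You can select the data collection tier to control how many Windows Security events are collected.
  - For caching, see below.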

 

 

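Agent general data

- The agent compresses data when sending it to the cloud to reduce the network load.
- Read about agent collection latency.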

 

 

Agent caching

The agent caches data, which helps prevent data loss in case of communication issues between the agent and the cloud. The following describes this mechanism and how it can be controlled.

Linux

Output is controlled by modifying the agent configuration files, specifically the output configuration file /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf. Modify the section below to control the agent's caching behavior:
 
<match oms.blob.**>
  type out_oms_blob
  log_level info
  num_threads 5
  buffer_chunk_limit 10m
  buffer_type file
  buffer_path /var/opt/microsoft/omsagent/state/out_oms_blob*.buffer
  buffer_queue_limit 10
  buffer_queue_full_action drop_oldest_chunk
  flush_interval 20s
  retry_limit 10
  retry_wait 30s
  max_retry_wait 9m
</match>
Note that for custom logs, the section would be different (for example <match oms.api.**>). The buffer parameters are documented here.
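
To see what these buffer settings mean for telemetry loss during an outage, the following added example (not part of the original post or the agent's own code) parses the section above and estimates how much data the queue holds and how long the agent keeps retrying. It assumes standard Fluentd v0.12 buffered-output semantics (1024-based size suffixes, retry interval doubling up to max_retry_wait, jitter ignored); the ingest rate is a hypothetical input.

```python
import re

# Constructed sample: the <match oms.blob.**> section quoted in the post.
SAMPLE_CONF = """\
<match oms.blob.**>
  type out_oms_blob
  log_level info
  num_threads 5
  buffer_chunk_limit 10m
  buffer_type file
  buffer_path /var/opt/microsoft/omsagent/state/out_oms_blob*.buffer
  buffer_queue_limit 10
  buffer_queue_full_action drop_oldest_chunk
  flush_interval 20s
  retry_limit 10
  retry_wait 30s
  max_retry_wait 9m
</match>
"""

# Assumption: Fluentd v0.12 suffix conventions (sizes are 1024-based).
SIZE_UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3, "t": 1024**4}
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_match_section(conf, pattern):
    """Return the key/value settings inside <match PATTERN> ... </match>."""
    settings, inside = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<match "):
            inside = line == f"<match {pattern}>"
        elif line == "</match>":
            if inside:
                return settings
        elif inside:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    raise ValueError(f"no <match {pattern}> section found")


def _scaled(text, units):
    """Convert values such as '10m' or '30s' to a plain integer."""
    m = re.fullmatch(r"(\d+)([a-z]?)", text.strip().lower())
    if not m or m.group(2) not in units:
        raise ValueError(f"unrecognised value: {text!r}")
    return int(m.group(1)) * units[m.group(2)]


def queue_capacity_bytes(s):
    """Approximate bytes held in the queue: chunk size limit x queued chunks."""
    return _scaled(s["buffer_chunk_limit"], SIZE_UNITS) * int(s["buffer_queue_limit"])


def retry_window_seconds(s):
    """Nominal time spent retrying one chunk before retry_limit is reached.

    Assumption: the wait doubles on every retry, capped at max_retry_wait.
    """
    wait = _scaled(s["retry_wait"], TIME_UNITS)
    cap = _scaled(s["max_retry_wait"], TIME_UNITS)
    return sum(min(wait * 2**n, cap) for n in range(int(s["retry_limit"])))


def assess(s, ingest_bytes_per_s):
    """Summarise outage tolerance for a hypothetical ingest rate (bytes/second)."""
    capacity = queue_capacity_bytes(s)
    window = retry_window_seconds(s)
    until_full = capacity / ingest_bytes_per_s
    findings = []
    if s.get("buffer_type") != "file":
        findings.append("buffer is not file-backed: queued events do not survive a restart")
    if s.get("buffer_queue_full_action") == "drop_oldest_chunk":
        findings.append("full queue drops the oldest chunk: earliest outage events are lost first")
    if until_full < window:
        findings.append("queue fills before retries are exhausted at this ingest rate")
    return {"capacity_bytes": capacity, "retry_window_s": window,
            "seconds_until_full": until_full, "findings": findings}


if __name__ == "__main__":
    settings = parse_match_section(SAMPLE_CONF, "oms.blob.**")
    report = assess(settings, ingest_bytes_per_s=50 * 1024)  # hypothetical 50 KiB/s
    for key, value in report.items():
        print(key, "=", value)
```

With the values shown in the post, the queue holds about 100 MiB, so a host producing 50 KiB/s starts losing its oldest events roughly 34 minutes into an outage, before the nominal retry schedule of about an hour has run out.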
 

Windows

To change the cache size, modify this registry entry:
Key: HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\<Management Group Name>
Value: MaximumQueueSizeKb

Default: 15360
Min Value: 5120
Max Value: 1536000
Last update: Aug 03 2020 01:08 AM