May 31 2019 08:48 PM - last edited on Nov 29 2021 09:06 AM by Allen
Hello - I am hoping this is possible and a viable option.
I currently use Windows Event Forwarding (WEF) with Winlogbeat sending events off to Elasticsearch. Epic, this works great, so why would I change this, right?
Is it possible to simply stick the OMS agent on my WEC/WEF server and send events into my Logs Analytics workspace?
If not, what is the best practice (and MS Solution) for Windows Event Management and Analysis?
Jun 03 2019 01:05 PM
Jun 16 2019 02:13 PM
Solution
WEF support is currently in preview and still has some limitations. Contact me directly if you would like to join, and we can discuss whether the current support would work for you.
As an alternative, you can continue to use CEF and winlogbeat and connect it to Sentinel using Logstash and the Logstash Log Analytics output plugin.
~ Ofer
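As an added example (not from the thread, and not Microsoft's or Elastic's code), this is what the Logstash leg of that alternative looks like: Winlogbeat on the WEC host ships the ForwardedEvents channel to Logstash, which writes it to a Log Analytics custom table. It assumes Logstash 7.x, the microsoft-logstash-output-azure-loganalytics plugin, and that Winlogbeat is configured to read ForwardedEvents; the table name, certificate paths and environment variable names are placeholders.

```logstash
# Added example pipeline (not from the original post). Assumes Logstash 7.x,
# the microsoft-logstash-output-azure-loganalytics plugin, and Winlogbeat
# 7.x field names (winlog.channel). Paths, table name and variable names
# are placeholders.
input {
  beats {
    port => 5044           # Winlogbeat's output.logstash.hosts points here
    ssl => true            # TLS between the WEC host and Logstash
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.key"
  }
}

filter {
  # Only keep events that came in through WEF subscriptions; anything read
  # from a local channel on the collector itself is dropped here.
  if [winlog][channel] != "ForwardedEvents" {
    drop { }
  }
}

output {
  microsoft-logstash-output-azure-loganalytics {
    workspace_id  => "${LAW_WORKSPACE_ID}"     # read from Logstash's environment
    workspace_key => "${LAW_WORKSPACE_KEY}"    # shared key: keep it out of the config file
    custom_log_table_name => "WEFEvents"       # shows up as WEFEvents_CL in the workspace
  }
}
```

The custom table lands outside the built-in SecurityEvent schema, so analytics rules that expect SecurityEvent have to be rewritten against WEFEvents_CL.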
Jul 23 2019 03:45 AM
Hey Andrew
Did you get a response from Microsoft on this? I'm looking at a similar scenario and I'd like to get access to the WEF connector also.
I did reach out to @Ofer_Shezaf but I'm yet to hear back
Thanks
Danny
Jul 23 2019 04:35 AM
Jul 23 2019 04:37 AM
Mar 24 2020 08:59 AM
@Ofer_Shezaf is this WEF preview still available/accessible? I'm looking at forwarding our current WEF setup to Azure Sentinel for easier analysis and came across this post when trying to configure the setup.
Mar 25 2020 05:37 AM
Yes @SimonR . I will send you a personal message to discuss.
Apr 29 2020 08:20 AM
@Ofer_Shezaf Hi, is there any update on this WEF integration?
Jun 08 2020 05:51 AM
Jun 10 2020 11:03 AM
@Bjørn André Kaland: if you want to look into the private preview, send me an e-mail to ofer dot shezaf at microsoft dot com
Jul 16 2020 11:05 AM
Also interested in the private preview for WEF collection. @Ofer_Shezaf
Jul 19 2020 08:03 AM
@otuser810: we now have a more structured process in place. Please join our private preview program at https://aka.ms/SecurityPrP
Nov 27 2020 09:42 AM
@Ofer_Shezaf also interested, any updates? Johannes
Dec 18 2020 08:04 AM
Hi @Ofer_Shezaf, what is the current status of it?
Dec 20 2020 01:52 PM
@AdamPRD: We have decided to move ahead with the Azure Monitor Agent (AMA) version, and the current Log Analytics Agent (MMA) version will not become public.
Feb 01 2021 03:06 AM - edited Feb 01 2021 03:07 AM
@Ofer_Shezaf the AMA is supposed to replace your 3 current agents, right? Reading security events is also a functionality of the new product. Can we expect the desired functionality: Forwarding events to LAW/Sentinel that are stored under 'ForwardedEvents' with the AMA?
Feb 01 2021 03:37 AM
Jun 01 2021 04:46 AM