Share via

Arc Private Link Scope and AMPLS

Patrick M. Williams 1 Reputation point
2022-06-21T13:56:01.153+00:00

Has anyone had any luck getting logs sent over AMPLS to Sentinel with the Security Events via AMA connector? I have tested and validated DNS entries on my Arc servers, but I despite the DCR being up and AMPLS being fully configured I am still not receiving logs on Sentinel.

Does the Security Events via AMA connector support AMPLS?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,306 questions
Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
434 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
513 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,151 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. AnuragSingh-MSFT 21,386 Reputation points
    2022-06-24T08:50:34.177+00:00

    Hi @Patrick M. Williams ,

    Thank you for reaching out to Microsoft Q&A for this question.

    As mentioned in the link below, the Azure Monitor Agent supports AMPLs using Data Collection endpoints - Azure Monitor Private Links requirement

    Also, the Log Analytics workspace forms the data store for monitoring data collected through AMA OR Log Analytics agent for Microsoft Sentinel. Therefore, please check that the data is getting ingested to Log Analytics workspace from the specified Arc-enabled machine. You can use the query below to get the latest data in there: 

    union *   
| order by TimeGenerated  desc

    Note that the output would contain column Type which would show the type of data being ingested. Furthermore, I am including high level steps/suggestions below that should help troubleshoot this issue:

    1. Ensure that the steps here were followed and the machine is onboarded to Azure Arc - Planning your Private Link setup

    2. Configure Azure Monitor Private Link and ensure the log analytics workspace is connected to this AMPLS.

    3. Review and validate your Private Link setup

    4. Finally, the Azure Monitor Agent uses Data Collection endpoint for secure communication with Log Analytics Workspace. Ensure that is created and used when creating the Data Collection rule, as mentioned here - Private link configuration using data collection endpoints

    ---
    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

    0 comments
  2. Patrick Williams 1 Reputation point
    2022-06-24T13:44:00.093+00:00

    My issue lied with the fact that DCE's create another DNS entry in your Private DNS that needs to be added to your on prem DNS server. IMO this article(https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal#private-link-configuration-using-data-collection-endpoints) should mention that. I believe I found the DNS information in a general article about DCEs.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.