Is it possible to query DFS Replication Event log via KQL?

Question

Is it possible to query DFS Replication Event log via KQL?

Matt Pollock 256

I am new to Azure Monitor and Log Analytics Workspace, and the world of KQL

I'm trying access the DFS Replication event log on my on prem domain controllers, via a KQL query, with a view to setting up a dashboard item in Azure.

All of the DCs have been added to Azure via Azure Arc, and subsequently connected to Azure Monitor

I can successfully connect to the DC's event logs (System, Application, Security) via a KQL query in LAW

In order to connect to the DFS Replication log, I have added a legacy management extension to the LAW and associated it with the DC resources.

I cannot seem to access the event log via a KQL query however.

If I enter the following query, no results are returned

Event 
| where EventLog has "DFS Replication"

Can anybody advise on how to troubleshoot this please?

AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-02-15T06:15:12.5466667+00:00

@Matt Pollock , I wanted to check if you had a chance to review my answer above. Please let me know if you have any questions.

Please click Accept answer and Yes if the answer helped so that it can help others in the community looking for help on similar topics.

Accepted answer

1 additional answer

Your answer

AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-02-15T06:15:12.5466667+00:00

@Matt Pollock , I wanted to check if you had a chance to review my answer above. Please let me know if you have any questions.

Please click Accept answer and Yes if the answer helped so that it can help others in the community looking for help on similar topics.

Answer 1

AnuragSingh-MSFT 21,546 Moderator

@Matt Pollock thank you for this query and apologies for the delayed response.

Please find below some information which should help you regarding this issue.

Log Analytics workspace is used to store the monitoring logs/data collected from agent. Therefore, when you are using KQL queries, you are essentially querying already collected data in the workspace. It does not connect to the agent or VM itself for queries.
There are mainly 2 ways (2 agents) to collect monitoring data from Arc connected VMs, a. the legacy Log Analytics Agent (which is also known as Microsoft Monitoring Agent). b. The currently recommended Azure Monitor Agent
Note that a number of Monitoring solutions for Log Analytics workspace as available here only work with the legacy agent.

With this information at hand, I would like to understand the following about this issue:

Can you please explain- "I have added a legacy management extension to the LAW.."? If you could provide a link to the referred doc, that should help me understand it better. I assume that it is one of the legacy Solutions which was available with Log Analytics workspace and is no longer available or does not work with the agent that you used to connect your Arc machines to Azure Monitor.
How are you collecting Application, System and security logs? If you are using the newer Azure Monitor Agent, I assume that you have created data collection rules. You could create a similar rule for collecting events from DFS Replication event logs (if they are available in EventViewer of the target machine). --> this is the recommended method
If you have used one of the older solutions which collected DFS replication events using legacy LA agent, and the events are getting collected, the query might need modification. The data collected in LAW is saved as table. In the query, "Event" is one such table which has multiple columns and EventLog would correspond to one such column which contains the name of the event log from which this data was collected. I would suggest looking at the name of the event log in the VM itself, to verify that the name is correct. You could also try changing the Time range for the query as by default it is collected only for last 24 hours and ensure that new logs were added to this event after the monitoring was enabled:

Hope this helps, In case you are still facing issues querying the data, I please share details as requested in the reply (Agent used, solution/extension enabled etc.) and that will help us assist you accordingly.

Please click Accept answer and Yes if the reply helped so that it can help others in the community looking for answer to similar questions.

Matt Pollock 256 Reputation points

2023-02-17T06:14:26.8533333+00:00

Hello,

Thanks for the reply.

The agents I have installed are as follows:

Since posting this question I have found that there is a legacy solution available for monitoring AD Replication - which is the DFSR replication data I am interested in primarily.

I have implemented this - using the following link:

https://learn.microsoft.com/en-us/azure/azure-monitor/insights/ad-replication-status

This is addition to the legacy extension I set up in the Log Analytics Workspace, that uses the "DFS Replication" log in Event Viewer.

So I now have two data sources setup as far as I can tell:

From this point I am lost, as I don't know how to view the resulting data that is being collected?
Thanks
AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-02-17T06:46:03.19+00:00
Matt Pollock, thank you for the reply. I see that there are 2 extensions available on the VM:

AzureMonitorWindowsAgent - which is installed for new Azure Monitor Agent

MSMonitoringAgent - which is the legacy Microsoft Monitoring Agent or Log Analytics Agent. <--This wil retire by August 31, 2024.

Ideally, you need only one of them. See the later section of this answer for migrating to newer agent from MMA

Regarding the legacy solution for monitoring AD Replication, it uses the second agent which will retire next year; hence it is not recommended to be used.

The second option that you have used (selecting the event collection as shown below) is the only thing required to collect the events from the VMs sending data to this workspace using MMA. You don't need "AD replication" solution if you are only interested in this event log. This uses the legacy agent (MMA)

Since event is not getting collected (based on the installed log analytics agent) using the solution or event log specified, you could check the following:

Application, System, HealthService EventLogs on the machines to see if there are failures that could help diagnose the issue.

In log analytics workspace, check the "Heartbeat" table to see if the agent on the machine is sending data to LA Worksapce. This data is sent every 1 minute and if you are not seeing the Heartbeat from the machine in the recent past, the machine is not sending any data to the workspace.

You could also try flushing the health state cache on the VM where the MMA is installed, by following the step below:

a. Stops the Microsoft Monitoring Agent service.
b. rename the "Health Service State" folder by appending .old to its name. It is available in C:\Program Files\Microsoft Monitoring Agent\Agent
c. Start the Microsoft Monitoring Agent service. The step above resets the MMA on the machine and it would connect to the LA workspace (as configured) to get latest configuration to be followed (collect additional events etc.)

Note that the steps above are related to legacy agent - MMA.

If you are only interested in collecting the "DFS Replication" events from the VMs, you can use the new agent - AMA (AzureMonitorWindowsAgent) and create a DCR based on the steps mentioned here - https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal

I would recommend moving the monitoring to the new AMA agent and removing the old MMA agent from the machine. You can plan the same using this link - https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration

Hope this helps. If you are still facing the issue and the events are not getting collected, I would advise reaching out to Azure Support using the following link so that it can be investigated in detail - https://azure.microsoft.com/en-us/support

Please click Accept answer and Yes if the answer helped so that it can help others in the community looking for help on similar topics.
AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-02-20T06:39:23.8733333+00:00

Matt Pollock, I wanted to check if you had a chance to review my answer above. Please let me know if you have any questions.

Please click Accept answer and Yes if the answer helped so that it can help others in the community looking for help on similar topics.
Matt Pollock 256 Reputation points

2023-02-20T14:09:26.1533333+00:00

Thanks for the reply.
As expected I thought part of the advice would be to move away from the MMA agent - which I have now uninstalled from all servers in Arc.

Are there extra steps that need to be taken to get the machines to associate with the AMA agent?

Looking at the LA workspace I'm using, only 2 of the 12 machines are using the AMA agent, 9 are still using the MMA agent, and one server is not listed!
AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-02-21T04:45:25.1+00:00

Matt Pollock, thank you for the reply. AMA agent is installed as an extension (for Azure VM as well as Arc connected machine). You can associate these VMs with a Data Collection rule and it will install the AMA agent extension (if not already available) to collect the data as defined in the data collection rule.
Please see this link for details of creating data collection rule and associating them with the VM - Collect events and performance counters from virtual machines with Azure Monitor Agent

The link above is to collect perf counters and event logs. If you want to collect additional type of data (custom logs, IIS logs etc.), please see the relevant section in the navigation menu on the left side of this page:

For migrating other VMs from legacy MMA agent to AMA, please see the following link which contains guidelines for it - Migrate to Azure Monitor Agent from Log Analytics agent.

Please feel free to post a new question if you face any issues related to migration or installation of AMA.

Please click Accept answer and Yes if the answer helped so that it can help others in the community looking for help on similar topics.
AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-02-23T04:28:23.5733333+00:00

Matt Pollock, I wanted to check if you had a chance to review my answer above. Please let me know if you have any questions.

Please click Accept answer and Yes if the answer helped so that it can help others in the community looking for help on similar topics.
Matt Pollock 256 Reputation points

2023-02-28T08:38:02.62+00:00
OK, thank you @AnuragSingh-MSFT

I guess my questions now should be more specific:

Is this XPath sytax query correct for querying events in the DFS Replication event log over the last 30 days?

2: How do I view the data in the Log Analaytic workspace once collected?
AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-02-28T09:05:14.4033333+00:00
Matt Pollock, thank you for the reply.

Please note that the events are collected as they care created, from the time the agent is installed. If the machine is offline for some time, the timestamp is recorded by the agent and the collection resumes for events created after that recorded timestamp. Therefore, it does not collect the events which were created in the past at the moment. Also, the xpath query in the screenshot should be modified by a. No doublequotes (") are required to mention the log names. Even if there are blank spaces in the name. b. The brackets do not seem balanced. The overall query should be similar to ........!*[System[(Level=3 or Level=2 or Level=1) and TimeCreated[timediff(@SystemTime) <= 86400000]]] Note that, the TimeCreated filter only ensures that the event being collected was created in the last 30 days. However, if those events were created before the DCR rule creation/AMA agent installation, they wont be collected.

Once the event has been collected, it will be available in the Event table in the Log Analytics Workspace.

Please click Accept answer and Yes if the answer helped so that it can help others in the community looking for help on similar topics. Please feel free to post a new question if you have any further queries related to event collection using AMA. This would help keep the thread concise and scoped to a single issue.

Answer 2

Matt Pollock 256

Thank you @AnuragSingh-MSFT

Share via

Is it possible to query DFS Replication Event log via KQL?

1 additional answer

Your answer