How to collect "Microsoft-Windows-WindowsUpdateClient/Operational" logs with Azure Monitor Agent?

Landry, Brent 0 Reputation points
2023-02-28T18:58:39.0366667+00:00

I'm looking to create an Azure Alert based on Windows Update events that are logged via Event Viewer in the log "Microsoft-Windows-WindowsUpdateClient/Operational", on physical Windows 10 workstations that are running Azure Monitor Agent.

The log "Microsoft-Windows-WindowsUpdateClient/Operational" isn't a default option in a Data Collection Rule and I don't see how to determine the xpath filter to this log. Is this possible?


2 answers

  1. Tech-Hyd-1989 5,741 Reputation points
    2023-03-01T10:52:40.79+00:00

    Hello Landry, Brent,

    Good day!

    It is possible to create an Azure Alert based on Windows Update events that are logged via Event Viewer in the log "Microsoft-Windows-WindowsUpdateClient/Operational".
    You can create a custom data collection rule to collect events from this log.

    To create a custom data collection rule, you need to specify the XPath query for the events you want to collect. You can use the PowerShell cmdlet Get-WinEvent with the -FilterXPath parameter to test the validity of an XPath query.
    Here is an example script:

    # XPath that selects a single event ID; test it locally before putting it in the DCR
    $XPath = '*[System[EventID=1035]]'
    # Query the WindowsUpdateClient operational log with that filter
    Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -FilterXPath $XPath

    If events are returned, the query is valid. If you receive the message "No events were found that match the specified selection criteria," the query may be valid, but there are no matching events on the local machine. If you receive the message "The specified query is invalid," the query syntax is invalid.
    You can find more information on how to create a custom data collection rule in the Azure Monitor documentation.
    https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal
    https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events
    Also look at Windows agent-based connections

    -----If my response does answer your queries, please accept as the answer as a token of appreciation.----------

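The three outcomes described in the answer (events returned, "No events were found", "The specified query is invalid") can be checked for a whole list of candidate filters at once. The script below is an added example, not code from the original answer; it assumes PowerShell 5.1 or later on a Windows host and needs no Azure connectivity. The log name and `EventID=1035` come from the answer; the Level- and TimeCreated-based filters and the deliberately malformed one are constructed to show the other outcomes.

```powershell
# Added example: classify candidate XPath filters for the WindowsUpdateClient log
# before pasting them into a Data Collection Rule. Not part of the original answer.

function Test-DcrXPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $XPath,
        [int] $MaxEvents = 5
    )
    # The DCR form of the query is "<log name>!<xpath>" with no quotes
    $dcrQuery = "$LogName!$XPath"
    try {
        # -ErrorAction Stop turns the "no events" case into a catchable exception
        $events = Get-WinEvent -LogName $LogName -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction Stop
        [pscustomobject]@{ XPath = $XPath; Status = 'Valid'; Matches = @($events).Count; DcrQuery = $dcrQuery }
    }
    catch {
        if ($_.Exception.Message -match 'No events were found') {
            # Syntax is fine; this machine simply has no matching events yet
            [pscustomobject]@{ XPath = $XPath; Status = 'ValidNoMatches'; Matches = 0; DcrQuery = $dcrQuery }
        }
        elseif ($_.Exception.Message -match 'query is invalid') {
            # Malformed XPath: do not put this into the DCR
            [pscustomobject]@{ XPath = $XPath; Status = 'InvalidSyntax'; Matches = 0; DcrQuery = $null }
        }
        else {
            throw   # anything else (missing log, access denied) is a real problem
        }
    }
}

$log = 'Microsoft-Windows-WindowsUpdateClient/Operational'
$candidates = @(
    '*[System[EventID=1035]]',                                     # filter from the answer
    '*[System[(Level=1 or Level=2)]]',                             # critical and error events only
    '*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]',   # last 24 hours (milliseconds)
    '*[System[EventID=1035'                                        # constructed malformed query
)

$candidates | ForEach-Object { Test-DcrXPath -LogName $log -XPath $_ } | Format-Table -AutoSize
```

Only rows whose Status is `Valid` or `ValidNoMatches` carry a usable `DcrQuery`; scoping the filter (by event ID, level or time) rather than collecting the whole log keeps ingestion volume and alert noise down.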

  2. AnuragSingh-MSFT 19,686 Reputation points
    2023-03-02T06:27:30.17+00:00

    @Landry, Brent Thank you for posting this question.

    In addition to the information shared above by Subrotho, note the following important steps/considerations for creating the Data Collection Rule.

    1. As you are trying to collect events from "physical Windows 10 workstations", please ensure that the OS is supported by AMA, and the type of installation may vary. Please see the following link for details - Supported operating systems for Azure Monitoring Agent
    2. The final XPath query created would look something like below (note that no quotes have been used):

       Microsoft-Windows-WindowsUpdateClient/Operational!*[System[EventID=1035]]

       You may also refer to this Q&A post for discussion on Creating Data Collection rule
    3. Finally, as you want to create an alert based on the events collected, you will have to create an alert rule to monitor specific events at a fixed interval. The following link contains information about creating a log-based alert rule - Create log based alert rule

    Hope this helps. Please let us know if you have any questions.

    Please click Accept answer and Yes if the answer helped so that it can help others in the community looking for help on similar topics.

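Putting the two answers together, the DCR needs a `windowsEventLogs` data source whose `xPathQueries` entry is the `<log>!<xpath>` string from step 2, and the alert rule in step 3 then queries the rows that land in the `Event` table. The script below is an added example and not code from either answer or from Microsoft's documentation; it assumes the Az.Accounts module for the optional deployment call, and the workspace resource ID, resource group, DCR name, region and REST `api-version` are placeholders or assumptions to be checked against the linked DCR documentation.

```powershell
# Added example: assemble a DCR definition for the WindowsUpdateClient log and the
# KQL an alert rule would evaluate. Not part of the original answers.

$logName = 'Microsoft-Windows-WindowsUpdateClient/Operational'

# Placeholders: replace with your own subscription, resource group and workspace
$subscriptionId = '<sub-id>'
$resourceGroup  = '<rg>'
$workspaceId    = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.OperationalInsights/workspaces/<workspace>"

$dcr = [ordered]@{
    location   = '<region>'   # placeholder; region of the DCR resource
    properties = [ordered]@{
        dataSources = @{
            windowsEventLogs = @(
                @{
                    name         = 'windowsUpdateClient'
                    streams      = @('Microsoft-Event')
                    # Same XPath tested locally with Get-WinEvent, prefixed with the log name and '!'
                    xPathQueries = @("$logName!*[System[EventID=1035]]")
                }
            )
        }
        destinations = @{
            logAnalytics = @(
                @{ workspaceResourceId = $workspaceId; name = 'laDestination' }
            )
        }
        dataFlows = @(
            @{ streams = @('Microsoft-Event'); destinations = @('laDestination') }
        )
    }
}

# Serialise with enough depth for the nested arrays and keep a copy for review
$dcrJson = $dcr | ConvertTo-Json -Depth 10
$dcrJson | Set-Content -Path .\wuclient-dcr.json

# Optional deployment (requires Connect-AzAccount first). The ARM path and the
# api-version value are assumptions; confirm them against the DCR documentation.
$deploy = $false
if ($deploy) {
    $dcrPath = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Insights/dataCollectionRules/wuclient-dcr?api-version=2022-06-01"
    Invoke-AzRestMethod -Method PUT -Path $dcrPath -Payload $dcrJson
}

# KQL for the log-based alert rule: AMA writes the Microsoft-Event stream to the
# Event table, where EventLog and EventID identify the source log and event.
$alertKql = @"
Event
| where EventLog == "$logName" and EventID == 1035
| summarize Count = count(), LastSeen = max(TimeGenerated) by Computer
"@

$alertKql
```

The query groups by `Computer` so the alert rule can fire per workstation once the count crosses the threshold configured in the rule; the same DCR can then be associated with each Windows 10 machine that has AMA installed.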