send windows OS logs to Event Hub

Jezo, Libor 30 Reputation points
2023-03-02T21:33:04.24+00:00

I would like to see more details than the information on this page: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-stream-event-hubs

Everyone refers to this page but to really follow the direction from the link you will end up with many questions that are not answered anywhere I could find.

  1. json files are well described but the missing information is: where do I upload those json files? where do they reside? what should I do with the json files? Please spell it out so it is clear.
  2. what do I need to do inside the virtual machine to send the event logs to the Event Hub?
  3. it would help to see, step by step how to configure it and verify that the Event Hub receives the operating level logs from virtual machines. There are steps that I followed how to enable the "diagnostics for a VM" but that in itself did not work. A video would be helpful too.
  4. My goal is to send the existing virtual machine's logs, Windows server logs, to Splunk. I was able to configure the Event Hub Namespace and one hub. I even see the portal level logs in the Splunk but the operating system logs, Windows logs, I don't see even though I enabled the 'diagnostics' on a virtual machine. Thank you for your help.

Accepted answer
  Limitless Technology 43,931 Reputation points
    2023-03-03T14:47:53.8266667+00:00

    Hello there,

    The path for your Windows Terminal settings.json file may be found in one of the following directories:

    Terminal (stable / general release): %LOCALAPPDATA%\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json

    Terminal (preview release): %LOCALAPPDATA%\Packages\Microsoft.WindowsTerminalPreview_8wekyb3d8bbwe\LocalState\settings.json

    Terminal (unpackaged: Scoop, Chocolatey, etc.): %LOCALAPPDATA%\Microsoft\Windows Terminal\settings.json

    The easiest way to accomplish what you're trying is to install the Azure Diagnostics Extension on the VM and configure it to output log data to an Event Hub sink.

    Azure diagnostic logs can be streamed in near real-time to any application using the built-in “Export to Event Hubs” option in the Portal, or by enabling the Event Hub Authorization Rule ID in a diagnostic setting via the Azure PowerShell Cmdlets or Azure CLI.

    After data is displayed in the event hub, you can access and read the data in two ways:

    Configure a supported SIEM tool. To read data from the event hub, most tools require the event hub connection string and certain permissions to your Azure subscription.

    This article provides a brief description of how to stream data and then lists some of the partners with whom you can send it. Some partners have special integration with Azure Monitor and might be hosted on Azure. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-stream-event-hubs

    Hope this resolves your query!

    -- If the reply is helpful, please upvote and accept it as an answer --
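The Diagnostics Extension setup the answer refers to, written out as an added example (not code from the answerer or from Microsoft's page): it installs the IaaSDiagnostics extension on a Windows VM with an Event Hub sink for the System, Security and Application logs, using Set-AzVMExtension from the Az PowerShell module. Every name in angle brackets (resource group, VM, namespace, hub, SAS policy, storage account) is a placeholder you must replace; the SAS policy is assumed to be one you created with only the Send claim, and the storage account is still required by the extension.

```powershell
# Added example: Azure Diagnostics extension (WAD) with an Event Hub sink.
# All <...> values are placeholders, not real resource names.
$rg    = "<resource-group>"
$vm    = "<vm-name>"
$loc   = (Get-AzVM -ResourceGroupName $rg -Name $vm).Location
$ns    = "<eventhub-namespace>"     # namespace already created for Splunk
$hub   = "<eventhub-name>"
$rule  = "<send-only-policy-name>"  # SAS policy with only the Send claim (least privilege)
$key   = "<send-only-policy-key>"
$sa    = "<storage-account-name>"   # WAD still needs a storage account
$saKey = "<storage-account-key>"

# Public settings: which event logs to collect and the sink that forwards them.
$public = @"
{
  "WadCfg": {
    "DiagnosticMonitorConfiguration": {
      "overallQuotaInMB": 4096,
      "sinks": "EventHubSink",
      "WindowsEventLog": {
        "scheduledTransferPeriod": "PT1M",
        "DataSource": [
          { "name": "System!*[System[(Level=1 or Level=2 or Level=3)]]" },
          { "name": "Application!*[System[(Level=1 or Level=2 or Level=3)]]" },
          { "name": "Security!*[System[(band(Keywords,13510798882111488))]]" }
        ]
      }
    },
    "SinksConfig": { "Sink": [ { "name": "EventHubSink",
      "EventHub": { "Url": "https://$($ns).servicebus.windows.net/$($hub)",
                    "SharedAccessKeyName": "$rule" } } ] }
  },
  "StorageAccount": "$sa",
  "StorageType": "TableAndBlob"
}
"@

# Protected settings: secrets live here so they are encrypted and not shown in the portal.
$protected = @"
{
  "storageAccountName": "$sa", "storageAccountKey": "$saKey",
  "storageAccountEndPoint": "https://core.windows.net",
  "EventHub": { "Url": "https://$($ns).servicebus.windows.net/$($hub)",
                "SharedAccessKeyName": "$rule", "SharedAccessKey": "$key" }
}
"@

Set-AzVMExtension -ResourceGroupName $rg -VMName $vm -Location $loc -Name "IaaSDiagnostics" `
  -Publisher "Microsoft.Azure.Diagnostics" -ExtensionType "IaaSDiagnostics" `
  -TypeHandlerVersion "1.5" -SettingString $public -ProtectedSettingString $protected
```

The Security log filter keeps both audit success and audit failure events (Keywords mask 0x30000000000000); once the extension reports a Provisioning succeeded state, the hub should start receiving records within the one-minute transfer period, and the Splunk add-on reads them with its own Listen-only policy.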

