How to import/ingest a custom windows eventlog with AMA agent.

Question

How to import/ingest a custom windows eventlog with AMA agent.

Jeroen van der Broek 25

Hello,

I want to add a non default windows eventlog to get ingested in log analytic workspace trough the AMA agent. WIth the old MMA agent this was easy. But now i can not get it to work.

The event log is located under:

Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin

I made a data collection rule and tried under data source several Xpaths. Like for example:

Microsoft-AzureADPasswordProtection-DCAgent/Admin!*[System[(EventID=10014) )]]

Hope someone has any idea what i am missing here. Google does not show much and chatGPT only knows the MMA agent :P

Accepted answer

0 additional answers

Your answer

Answer 1

AnuragSingh-MSFT 21,546 Moderator

@Jeroen van der Broek , thank you for the question.

The steps that you are using are correct, however the following are some key areas where you should reverify that everything is setup properly:

From the machine where you are collecting events, ensure that it is sending regular heartbeat to the target LA workspace (to ensure that there are no connectivity or other configuration issues). You can check this from the heartbeat table in the LA Workspace. Sample queries are available here - Sample Queries
Ensure that the DCR is configured properly with Data Collection Endpoint in place for the machine, as shown in the doc here
In your screenshot, I see that you have used filter operator as >=. When specifying range in local event viewer, the Path set contains the > character instead of ">" in XML format. However, this needs to be changed to ">" symbol for it to work.

As available in the same doc, you can check the query using the Get-WinEvent PowerShell cmdlet to make sure that the query used is correct. See the output below:

User's image

Hope this helps.

If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

Jeroen van der Broek 25 Reputation points

2023-06-22T09:47:49.7933333+00:00

Thank you for your awnser. I have a question though. In your example you use '*[system etc.

But then you check the filter on the application log. In my case the DCR is for a non standard (so not system, security or application) event log. But a log under application and services then Microsoft then AzureADPasswordProtection then DCAgent and there is the eventlog called Admin

I checked the hearthbeat. The server is reporting the normal logs (from security etc.) so that is not a problem. I did not have a endpoint so i made one.

Also did i change the syntax from gt

So now i have first the eventlog and then the xpath filter. I added it like this but i do not see events (yet). Your thoughts?

Microsoft-AzureADPasswordProtection-DCAgent/Admin!*[System[(EventID = 10014 or EventID = 10015 or EventID = 30002 or EventID = 30003 or EventID = 30004 or EventID = 30005 or EventID = 30007 or EventID = 30008 or EventID = 30009 or EventID = 30010 or EventID = 30021 or EventID = 30022 or EventID = 30023 or EventID = 30024 or EventID = 30026 or EventID = 30027 or EventID = 30028 or EventID = 30029)]]

and i tried

*[System[(EventID = 10014 or EventID = 10015 or EventID = 30002 or EventID = 30003 or EventID = 30004 or EventID = 30005 or EventID = 30007 or EventID = 30008 or EventID = 30009 or EventID = 30010 or EventID = 30021 or EventID = 30022 or EventID = 30023 or EventID = 30024 or EventID = 30026 or EventID = 30027 or EventID = 30028 or EventID = 30029)]]

I ofcourse checked it like you showed me with get-winevent.
Jeroen van der Broek 25 Reputation points

2023-06-22T11:55:42.9966667+00:00

I have to correct myself i got it working. Did not need the endpoint btw.

Share via

How to import/ingest a custom windows eventlog with AMA agent.

0 additional answers

Your answer