Does the Azure monitor agent collect logs with default settings?

Oleksandr Romaniuk 465

Hello!
I have the scope of Azure Arc-enabled servers (on-premise, not Azure VM). There are Azure monitor agents (AMA) installed, so I think that when AMA was deployed, then logs started to be sent to our workspace. I see on the Data collection rules tab (Data sources) - Windows Event Logs, but when I create a query to this workspace, there are no logs. I didn't configure it, it was all configured by default.

So, do I need to configure something else to have logs from these Arc-enabled servers?
How then to connect this to the SIEM Sentinel (to create alerts)?

Silvia Wibowo 3,166 Reputation points Microsoft Employee

2024-03-14T19:25:31.6733333+00:00

Hi @Oleksandr Romaniuk , please clarify: Data source of your Data collection rules - Windows Event Logs - is the configuration "None", "Basic", or "Custom"?
Oleksandr Romaniuk 465 Reputation points

2024-03-14T21:36:24.8633333+00:00

Hi @Silvia Wibowo I have the "Basic" option there.
Silvia Wibowo 3,166 Reputation points Microsoft Employee

2024-03-14T22:23:41.8333333+00:00

Hi @Oleksandr Romaniuk , you mentioned " when I create a query to this workspace, there are no logs". Where did you run the query from, and what is the query you are using? A screenshot will be good, otherwise please check the scope of the query (top left) whether it matches with the workspace name set in DCR (Data Collection Rules).
Oleksandr Romaniuk 465 Reputation points

2024-03-15T10:13:17+00:00

Hi @Silvia Wibowo I ran the query in the correct workspace (where DCR was configured). Can you provide a few simple queries that must work with "Windows Event Logs" + "Basic"?
Silvia Wibowo 3,166 Reputation points Microsoft Employee

2024-03-18T01:14:51.32+00:00

Hi @Oleksandr Romaniuk , use:

WindowsEvent | take 100
Oleksandr Romaniuk 465 Reputation points

2024-03-18T07:58:41.9633333+00:00

Hi @Silvia Wibowo I tried a similar query previously, it worked but without logs.

I ran this query on the Logs tab in the needed Log Analytics workspace:
Silvia Wibowo 3,166 Reputation points Microsoft Employee

2024-03-20T03:46:37.8233333+00:00

Hi @Oleksandr Romaniuk , is Sentinel enabled?

If you query "Event" table, did you get any output?

Please review 3 different ways to collect Windows Event Logs: Windows Events, how to collect them in Sentinel and which way is preferred to detect Incidents
Oleksandr Romaniuk 465 Reputation points

2024-03-20T08:16:51.3766667+00:00

Hello @Silvia Wibowo , yes, Sentinel enabled.

I tried it previously too, without results:
Silvia Wibowo 3,166 Reputation points Microsoft Employee

2024-03-21T03:13:57.2133333+00:00

Hi @Oleksandr Romaniuk , if Sentinel is enabled, you need to configure DCR (Data Collection Rules) to ingest Security events into Sentinel: Connect using the Windows Security Events via AMA Connector

1 answer

Will 420 Reputation points

2024-03-14T22:28:39.0966667+00:00
Assuming that you have no networking issues here, agent must be able to connect to:

global.handler.control.monitor.azure.com

<virtual-machine-region-name>.handler.control.monitor.azure.com (example: westus.handler.control.azure.com)

<log-analytics-workspace-id>.ods.opinsights.azure.com (example: 12345a01-b1cd-1234-e1f2-1234567g8h99.ods.opinsights.azure.com)

Nope, installation of an Azure Monitoring agent on an endpoint doesn't do anything by default. Microsoft loves this extra config crap. IMO ideally, you would just install, have a GUI to lead you through config on where to point the tenant and set ups these pieces for you but you'll need to:

Create a monitored object (MO) in Azure

Then associate the data collection rules (DCR) to the object

Then there's all sorts of exceptions....

No standalone boxes

No laptops (or not ideal)
Please sign in to rate this answer.
Oleksandr Romaniuk 465 Reputation points

2024-03-15T10:24:52.7533333+00:00

Do you write about it? (LINK)
If yes, the article above says that this approach does not work with servers.

I asked about Arc-enabled servers. So, on the DCR tab, I have Arc-enabled servers like "Resources" and "Windows Event Logs" like "Data sources". I didn't configure it, it was all configured by default.
Sign in to comment

Share via

Does the Azure monitor agent collect logs with default settings?

1 answer