Hello @manish aggarwal
Thanks for using the Q&A forum.
To troubleshoot the issue of Azure Windows VM login-related logs not being ingested into Microsoft Sentinel, follow these systematic steps:
Step 1: Verify Log Analytics Workspace Configuration
Ensure that your Azure Windows VM is connected to the correct Log Analytics Workspace.
- Navigate to the Azure portal.
- Go to your VM's settings and check the "Monitoring" section.
- Confirm that the VM is linked to the intended Log Analytics Workspace.
Step 2: Check Diagnostic Settings
Make sure that the diagnostic settings for your Azure VM are configured to send the necessary logs to Microsoft Sentinel.
- In the Azure portal, go to your VM.
- Under "Monitoring," select "Diagnostic settings."
- Ensure that the "Audit logs" and "Sign-in logs" are enabled and configured to send to your Log Analytics Workspace.
Step 3: Validate Log Collection Configuration
Confirm that the appropriate log collection is set up in your Log Analytics Workspace.
- Go to your Log Analytics Workspace.
- Under "Settings," select "Data" and then "Windows Event Logs."
- Ensure that the relevant event logs (e.g., Security logs for login events) are selected for collection.
Step 4: Review Permissions
Check if the necessary permissions are granted for the Log Analytics agent to collect logs from the VM.
- Ensure that the Log Analytics agent is installed and running on the VM.
- Verify that the agent has the required permissions to access the logs.
Step 5: Monitor Log Ingestion
Use the Log Analytics query to check if the logs are being ingested.
- Go to your Log Analytics Workspace.
- Use the following query to check for login events:
SecurityEvent | where EventID == 4624 | take 10   // 4624 = successful logon; returns a sample of ingested logon events
- If no results are returned, it indicates that logs are not being ingested.
If this answers your query, do click Accept Answer and Up-Vote for the same.
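As an added example that is not part of the answer above, the following KQL extends Step 5 so it separates "agent not reporting" from "agent reporting but Security log not collected": it checks Heartbeat and SecurityEvent for the same computer in one query. "MYVM" is a placeholder for the VM's computer name, and the one-hour window is an assumption.

```kql
// Added diagnostic query (not from the original answer). Assumes the Log Analytics
// agent writes Heartbeat and that logon events land in SecurityEvent.
let lookback = 1h;                 // assumed window; widen if the VM is rarely used
let target = "MYVM";               // placeholder: replace with the VM's computer name
let beats = Heartbeat
    | where TimeGenerated > ago(lookback)
    | where Computer startswith target
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where Computer startswith target
    | where EventID in (4624, 4625)  // successful and failed logons
    | summarize LogonEvents = count(), LastLogonEvent = max(TimeGenerated) by Computer;
beats
| join kind=leftouter logons on Computer
| extend Diagnosis = case(
    isnull(LogonEvents), "Agent reporting, but no Security events: check Windows Event Log collection (Step 3)",
    "Logon events are being ingested")
| project Computer, LastHeartbeat, LogonEvents, LastLogonEvent, Diagnosis
```

An empty result means no Heartbeat rows at all for that computer, which points at the agent or workspace link (Steps 1 and 4) rather than at log collection settings.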