Azure Windows VM login related logs not getting ingested in MS SENTINEL logs

Manish Aggarwal 0 Reputation points
2024-10-12T13:22:13.5766667+00:00


I have created a VM (Windows 10) and am trying to do successful and failed login attempts, but I am unable to see the related logs in MS SENTINEL. I do see the extensions as attached. Also, I have enabled a few things in the VM so that it can start to send the audit logs, but I can do a screenshare to see what else is missing to be configured.

Regards,

Manish

Microsoft Sentinel

3 answers

  1. SUNOJ KUMAR YELURU 14,466 Reputation points MVP
    2024-10-12T16:19:28.0366667+00:00

    Hello @manish aggarwal

    Thanks for using Q and A forum.

    To troubleshoot the issue of Azure Windows VM login-related logs not being ingested into Microsoft Sentinel, follow these systematic steps:

    Step 1: Verify Log Analytics Workspace Configuration

    Ensure that your Azure Windows VM is connected to the correct Log Analytics Workspace.

    • Navigate to the Azure portal.
    • Go to your VM's settings and check the "Monitoring" section.
    • Confirm that the VM is linked to the intended Log Analytics Workspace.

    Step 2: Check Diagnostic Settings

    Make sure that the diagnostic settings for your Azure VM are configured to send the necessary logs to Microsoft Sentinel.

    • In the Azure portal, go to your VM.
    • Under "Monitoring," select "Diagnostic settings."
    • Ensure that the "Audit logs" and "Sign-in logs" are enabled and configured to send to your Log Analytics Workspace.

    Step 3: Validate Log Collection Configuration

    Confirm that the appropriate log collection is set up in your Log Analytics Workspace.

    • Go to your Log Analytics Workspace.
    • Under "Settings," select "Data" and then "Windows Event Logs."
    • Ensure that the relevant event logs (e.g., Security logs for login events) are selected for collection.

    Step 4: Review Permissions

    Check if the necessary permissions are granted for the Log Analytics agent to collect logs from the VM.

    • Ensure that the Log Analytics agent is installed and running on the VM.
    • Verify that the agent has the required permissions to access the logs.

    Step 5: Monitor Log Ingestion

    Use the Log Analytics query to check if the logs are being ingested.

    • Go to your Log Analytics Workspace.
    • Use the following query to check for login events:
        // returns rows only if Windows Security events are being collected
        SecurityEvent
    • If no results are returned, it indicates that logs are not being ingested.

    If this answers your query, do click Accept Answer and Up-Vote for the same.


  2. Manish Aggarwal 0 Reputation points
    2024-10-15T15:22:21.81+00:00

    Hey, I was able to resolve the issue using the steps below.

    -- VM is not connected to the "Log Analytics"

    -- The monitoring agent was not active in the Windows VM.

    -- Then in the Content Hub -- Data Connectors -- added "Windows Security Events", and then selected two to install: "Security Events Via Legacy Agent" and "Windows security events via AMA".

    -- Now, disconnect and once again log in with 2 (for example) wrong passwords and then with the correct password, and wait for a few minutes.

    -- Seems like it now shows as a wrong attempt in the screenshot below (error code == 4625 "failed logon attempt").

    -- Go to Windows Sentinel -- Logs and run the queries below:

    Heartbeat

    -- and

    SecurityEvent

    | where EventID == 4625

    -- Now you will see the failed login attempts in your specified time (in the filter).

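    The Heartbeat and SecurityEvent checks from the two answers above, written out as an added example (not part of either post) that also breaks the 4625 events down by account, source address and failure reason; it assumes a computer name of "WIN10-VM", which you should replace with your own. In the Log Analytics query editor the two blank-line-separated queries are run one at a time.

```kql
// Added example, not from the original post. Assumed VM name: WIN10-VM.
// Query 1: is the agent reporting at all? No rows here means the agent
// (MMA "Direct Agent" or Azure Monitor Agent) is the problem, not the connector.
let vm = "WIN10-VM";
Heartbeat
| where TimeGenerated > ago(1h)
| where Computer has vm
| summarize LastHeartbeat = max(TimeGenerated),
            AgentType = any(Category),
            AgentVersion = any(Version)
    by Computer

// Query 2: failed logons (4625) per account and source, with any later
// success (4624) for the same account and source shown alongside.
// SubStatus 0xc000006a = wrong password, 0xc0000064 = unknown user name.
let vm = "WIN10-VM";
SecurityEvent
| where TimeGenerated > ago(24h)
| where Computer has vm
| where EventID in (4624, 4625)
| summarize Failed = countif(EventID == 4625),
            Succeeded = countif(EventID == 4624),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            FailureReasons = make_set(iff(EventID == 4625, SubStatus, ""), 5)
    by Computer, TargetAccount, IpAddress, LogonType
| where Failed > 0
| order by Failed desc
```

    If query 1 returns rows but query 2 returns nothing, the agent is healthy and the gap is in the connector: for "Windows Security Events via AMA" the connector's data collection rule must be assigned to this VM.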

  3. Raja Pothuraju 7,750 Reputation points Microsoft Vendor
    2024-10-29T07:24:52.8466667+00:00

    Hello @Manish Aggarwal,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Azure Windows VM login related logs not getting ingested in MS SENTINEL logs

    Solution: Resolved by @Manish Aggarwal, following the steps below:

    -- VM is not connected to the "Log Analytics"

    -- The monitoring agent was not active in the Windows VM.

    -- Then in the Content Hub -- Data Connectors -- added "Windows Security Events", and then selected two to install: "Security Events Via Legacy Agent" and "Windows security events via AMA".

    -- Now, disconnect and once again log in with 2 (for example) wrong passwords and then with the correct password, and wait for a few minutes.

    -- Seems like it now shows as a wrong attempt in the screenshot below (error code == 4625 "failed logon attempt").

    -- Go to Windows Sentinel -- Logs and run the queries below:

    Heartbeat

    -- and

    SecurityEvent

    | where EventID == 4625

    -- Now you will see the failed login attempts in your specified time (in the filter).

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,
    Raja Pothuraju.

