Use case for managing Windows event logs (such as downloading files) as administrator

Shiori Hasegawa 80 Reputation points
2025-05-09T03:08:48.66+00:00

As an administrator, I want to know the use cases for managing Windows event logs.

According to this page, we can put those logs into a Log Analytics workspace, but I'm new to Azure, so I don't have the knowledge of this topic.

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

Accepted answer
  Venkata Jagadeep 1,250 Reputation points Microsoft External Staff Moderator
    2025-05-09T05:03:51.5733333+00:00

    Hello Shiori Hasegawa,

    As per your description, you want to understand the use case of Windows event logs with a Log Analytics workspace.

    Windows event logs are some of the most common sources for health of the client operating system and workloads of Windows machines. You can collect events from standard logs, such as System and Application, and any custom logs created by applications you need to monitor.

    Azure Monitor automatically collects host metrics and activity logs from your Azure and Arc-enabled virtual machines, and you need to create data collection rules (DCRs) that specify what you want to collect and where to send it.

    Azure Monitor only collects events from Windows event logs that are specified in the settings. You can add an event log by entering the name of the log and selecting +. For each log, only the events with the selected severities are collected.

    Refer to the document below to configure the Windows event data source:

    https://learn.microsoft.com/en-us/azure/azure-monitor/vm/data-collection-windows-events#configure-windows-event-data-source

    I suggest you refer to the document below on configuring DCRs:

    https://learn.microsoft.com/en-us/azure/azure-monitor/data-collection/data-collection-rule-overview

    Azure Monitor handles data collection and analysis with the help of DCRs (Data Collection Rules, which define which event logs need to be collected) and sends the data to the destination Log Analytics workspace.

    You need to install the AMA (Azure Monitor Agent) on your device and configure Data Collection Rules.

    Please let me know if you have any further queries.
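The procedure the accepted answer describes (install AMA on the VM, create a DCR that names the event logs and severities, send the events to a Log Analytics workspace, then check they arrived) end to end in PowerShell, as an added example that is not part of the original answer or of Microsoft's documentation. It assumes the Az.Monitor 5.x or later cmdlets (`New-AzDataCollectionRule` taking data-source, destination and data-flow objects) plus Az.Compute and Az.OperationalInsights, an existing workspace, and an already-authenticated `Connect-AzAccount` session; the resource group, VM, workspace and rule names are placeholders. It also adds the point the answer leaves implicit for a security reader: the severity checkboxes the answer mentions become `Level=` predicates in the XPath, which is fine for System and Application health events but useless for the Security log, whose events are all audit successes or failures, so that log is filtered by event ID instead.

```powershell
# Added example, not from the original answer. All resource names below are assumed
# placeholders; replace them with your own. Requires Az.Accounts, Az.Compute,
# Az.Monitor (5.x or later) and Az.OperationalInsights, with Connect-AzAccount already run.

$rg       = 'rg-monitoring'        # assumed resource group
$location = 'eastus'               # assumed region; the DCR must be in the VM's region
$vmName   = 'vm-web01'             # assumed Windows VM name
$wsName   = 'law-security'         # assumed Log Analytics workspace name
$dcrName  = 'dcr-windows-events'   # assumed DCR name

# 1. Install the Azure Monitor Agent extension on the VM. AMA authenticates with the VM's
#    managed identity, so the VM needs a system-assigned identity enabled.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'AzureMonitorWindowsAgent' -Publisher 'Microsoft.Azure.Monitor' `
    -ExtensionType 'AzureMonitorWindowsAgent' -TypeHandlerVersion '1.0' `
    -EnableAutomaticUpgrade $true

# 2. Decide what to collect. A DCR Windows event data source is a list of queries of the
#    form '<LogName>!<XPath>'. The Level predicate is what the portal's severity checkboxes
#    generate: 1 = Critical, 2 = Error, 3 = Warning, 4 or 0 = Information.
$xpathQueries = @(
    # OS and application health: Critical, Error and Warning only.
    'System!*[System[(Level=1 or Level=2 or Level=3)]]',
    'Application!*[System[(Level=1 or Level=2 or Level=3)]]',
    # Security log: Level filtering does not help here (events are Audit Success/Failure),
    # so select by event ID. 4624/4625 logon success/failure, 4688 process creation,
    # 4720 user account created, 1102 audit log cleared.
    'Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=1102)]]'
)

# Optional check, run on the target Windows machine itself rather than from the Az session:
# Get-WinEvent takes the log name and the XPath separately, so split each query on '!'
# and confirm the filter is syntactically valid and matches at least one local event.
function Test-DcrXPath {
    param([string[]]$Queries)
    foreach ($q in $Queries) {
        $logName, $xpath = $q -split '!', 2
        $hit = Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{ Log = $logName; Matches = [bool]$hit }
    }
}
# Test-DcrXPath -Queries $xpathQueries

# 3. Build the DCR: data source -> stream -> destination. The Microsoft-Event stream lands
#    in the workspace's Event table.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName

$source = New-AzWindowsEventLogDataSourceObject -Name 'windowsEventLogs' `
    -Stream 'Microsoft-Event' -XPathQuery $xpathQueries
$dest   = New-AzLogAnalyticsDestinationObject -Name 'lawDestination' `
    -WorkspaceResourceId $ws.ResourceId
$flow   = New-AzDataFlowObject -Stream 'Microsoft-Event' -Destination 'lawDestination'

$dcr = New-AzDataCollectionRule -Name $dcrName -ResourceGroupName $rg -Location $location `
    -DataSourceWindowsEventLog $source -DestinationLogAnalytic $dest -DataFlow $flow

# 4. Associate the DCR with the VM. AMA polls for associations and picks the rule up
#    within a few minutes; no agent-side configuration file is edited.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
New-AzDataCollectionRuleAssociation -AssociationName "$dcrName-$vmName" `
    -ResourceUri $vm.Id -DataCollectionRuleId $dcr.Id

# 5. Verify from the workspace side: each selected log should show up in the Event table.
$kql = @"
Event
| where TimeGenerated > ago(1h) and Computer =~ '$vmName'
| summarize count() by EventLog, EventID
| order by EventLog asc, EventID asc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results |
    Format-Table EventLog, EventID, count_
```

Two caveats for a Sentinel reader. First, this DCR writes to the Event table; Microsoft Sentinel's built-in analytics rules for Windows expect the SecurityEvent table, which is populated by the "Windows Security Events via AMA" data connector (it creates the DCR with the Microsoft-SecurityEvent stream for you), so use that connector rather than a hand-built Microsoft-Event rule when the goal is detection rather than host health. Second, the event-ID list above is a starting point, not a policy: anything not in the XPath is never sent, so review it against the detections you actually plan to run before relying on the workspace as your evidence source.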

