Hey Muhammad! It looks like you’re having some trouble with your Windows Security Events connector showing as disconnected via AMA, despite being configured correctly. The same issue seems to be happening with your FortiGate Data Connector. Here are a few things you can try to fix the issue:
- Verify Data Collection Rule (DCR):
  - Ensure that the Data Collection Rule (DCR) for the AMA is correctly set up and associated with the right resources. The DCR and the workspace should be in the same region.
  - You can check the DCR settings in the Azure portal to confirm they haven’t been inadvertently modified.
- Health Monitoring:
  - If you haven't already, consider enabling the Microsoft Sentinel health feature for your workspace. This can help you monitor the health of your data connectors, including identifying issues with the AMA.
  - Refer to the Microsoft Sentinel health monitoring documentation for detailed steps.
- Check Agent Logs:
  - Look into the Azure Monitor Agent logs for any error messages or warnings that may indicate why the connection is showing as disconnected. You may find it useful to follow the troubleshooting guidance for the Azure Monitor agent on Windows VMs here.
- Firewall Configuration:
  - Make sure that any firewall rules allow the necessary ports for the AMA to communicate with Azure services. Check the list of network requirements to ensure everything is set correctly.
- Inspect for Data Updates:
  - As a rule of thumb, ensure that the connectors are set to receive logs. The connector will show as connected only if it has received any data in the last seven days. If there hasn’t been activity, it might show as disconnected even if configured correctly.
- Reinstalling or Updating the Agent:
  - If the above steps don’t work, consider reinstalling the Azure Monitor Agent or updating it to the latest version to eradicate any potential issues from an outdated installation.
If these steps don't resolve the issue, could you provide a bit more information?
- Have there been any recent changes to your environment that might have impacted the configuration?
- Are there any specific error messages appearing in the logs or Azure portal that could give more context?
- Which region is your workspace and DCR located in?
Hope this helps to get things up and running again! Let me know if you need further assistance.
Reference Links:
- Troubleshooting guidance for the Azure Monitor agent on Windows virtual machines and scale sets
- Troubleshooting guidance for the Azure Monitor agent on Windows Arc-enabled server
- How to use the Windows operating system (OS) Azure Monitor Agent Troubleshooter
- Microsoft Sentinel health monitoring documentation
- Network requirements for Azure services
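
The seven-day check mentioned in the answer above can be run directly against the workspace. The query below is an added example, not part of the original answer: it reports, per reporting machine, when each source last delivered data and whether that falls inside the seven-day window. It assumes the FortiGate logs arrive as CEF in `CommonSecurityLog` with `DeviceVendor` set to `Fortinet`, and the 30-day lookback is an arbitrary choice.

```kql
// Added example: last ingestion per source versus the seven-day window
// that the connector status depends on. Run in the Sentinel workspace logs.
let window = 7d;
let lookback = 30d;   // assumption: wide enough to see when data stopped
union isfuzzy=true
    (
        // Windows Security Events collected through AMA
        SecurityEvent
        | where TimeGenerated > ago(lookback)
        | summarize LastRecord = max(TimeGenerated), Records = count() by Computer
        | extend Source = "Windows Security Events"
    ),
    (
        // FortiGate over CEF (assumption: DeviceVendor is "Fortinet");
        // Computer here is the log forwarder, not the firewall itself
        CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        | where DeviceVendor == "Fortinet"
        | summarize LastRecord = max(TimeGenerated), Records = count() by Computer
        | extend Source = "FortiGate (CEF)"
    ),
    (
        // Agent heartbeats: shows whether AMA itself is still reporting
        Heartbeat
        | where TimeGenerated > ago(lookback)
        | where Category == "Azure Monitor Agent"
        | summarize LastRecord = max(TimeGenerated), Records = count() by Computer
        | extend Source = "AMA heartbeat"
    )
| extend AgeDays = round((now() - LastRecord) / 1d, 1)
| extend WithinWindow = LastRecord > ago(window)
| project Source, Computer, LastRecord, AgeDays, WithinWindow, Records
| order by Source asc, LastRecord desc
```

A machine with a recent "AMA heartbeat" row but no recent "Windows Security Events" row points at the DCR or its association rather than at the agent or the network path.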