Issues retrieving Event Logs using Azure Log Analytics

Question

We have created a Log Analytics workspace and followed the instruction detailed in the following article: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

We now have a number of data sources connected (Virtual machines), and the agent is showing as successfully working on the VM itself. When looking at tables within the 'Logs' area of the workspace, I am expecting there to be a table called 'Event' under the 'LogManagement' heading. There is no table called 'Event' therefore I assume I am not collecting any System/Event Logs.

Has anybody experienced this issue before ?

Answer 1

Stan,
Thanks for getting back to me - I may have an idea why this isn't working.

We have a local domain controller and I believe that the client machine cannot resolve the address for the Log analytics service. We created a standalone machine (not connected to domain) and events were recorded without issue. I think that in order to fix this issue we need to create a Conditional forwarder to Azure within DNS and ensure that the traffic can pass through our NSG.

If this resolves the issue I will update this for anyone with a similar issue in the future.

Answer 2

Hi,
Please execute some query like

Event  

to see if there is data. Could be that by the time you have checked that view the table was not available. Also keep in mind that events are send when they are generated, if no events are generated, they will also not be sent to Log Analytics and thus Event table not visible yet. Also make sure that you are scope to the Log Analytics workspace resource.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.