Log Analytics with Windows events - hosts with identical names

Mariusz
2022-05-25T15:55:46.137+00:00

Hello,

I'm looking to implement a Log Analytics workspace to collect Windows event logs, as well as to use Automation with Change Tracking for on-prem servers. The environment we have is a series of small remote sites where all servers have identical hostnames and are members of the same .local domain. There is no connectivity between remote sites, so that is not an issue, but when I configure the agent to send logs to the workspace, I'm unable to tell which site they are coming from. Is there any way to address this issue?


Accepted answer
  1. Stanislav Zhelyazkov (MVP, Volunteer Moderator)
    2022-05-26T11:08:35.58+00:00

    I would suggest onboarding your on-premises servers via Azure Arc for servers. That way these servers will be visible in Azure as Arc machines. With that, the _ResourceId column will be filled in for the data in the Event table, and each machine will have a different _ResourceId value even though the computer names are the same. This will not require doing a join with Heartbeat every time you want to investigate the data.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

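The following query shows what the accepted answer describes in practice. It is an added example, not code from the answer or from Microsoft; it uses only the standard Event table columns. The assumption that each site registers its Arc machines in its own resource group is mine: if that convention is followed, the resource group name taken from _ResourceId identifies the site even when Computer is identical everywhere.

```kql
// Added example, not part of the original answer.
// Assumes the servers are Azure Arc-enabled, so Event._ResourceId holds the Arc
// resource path /subscriptions/<sub>/resourcegroups/<rg>/providers/microsoft.hybridcompute/machines/<name>.
// Assumption: each site keeps its Arc machines in a site-specific resource group.
Event
| where TimeGenerated > ago(24h)
| where isnotempty(_ResourceId)          // rows from agents that are not Arc-enabled carry no resource ID
| parse tolower(_ResourceId) with * "/resourcegroups/" ResourceGroup "/providers/" * "/machines/" ArcMachineName
| summarize EventCount = count(),
            ErrorCount = countif(EventLevelName == "Error"),
            LastEvent  = max(TimeGenerated)
          by Computer, ResourceGroup, ArcMachineName, _ResourceId
| order by ResourceGroup asc, Computer asc
```

Two machines both named SERVER01 at different sites come out as two rows here, because the grouping key includes _ResourceId; grouping by Computer alone would merge them. The isnotempty filter is worth keeping: any server still reporting through a non-Arc agent shows up with an empty _ResourceId and would otherwise be silently pooled into one ambiguous row.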

2 additional answers

  1. David Broggy (MVP, Volunteer Moderator)
    2022-05-26T03:34:54.46+00:00

    Hi @Mariusz
    Have you used KQL to query the logs in your workspace?
    There should be some unique fields describing the workstations in question.
    If not, I’d suggest installing the Azure Monitor agents directly on those servers (if you haven’t already).
    This should provide additional fields that will help with the uniqueness.

    Another option is to set up 2 or more Log Analytics workspaces, one for each unique network segment.
    You can use KQL to create 'union' queries across 2 or more workspaces, and that will help you differentiate the overlapping subnets.

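The one-workspace-per-site option above can be queried from a single place with a cross-workspace union. This is an added example, not code from the answer; the workspace names la-site-a and la-site-b are placeholders for your own workspace names, workspace IDs or full resource IDs, and the Site labels are chosen by you.

```kql
// Added example, not part of the original answer.
// Assumption: each site sends its Windows events to its own workspace, so the
// workspace a row came from is what identifies the site.
// isfuzzy=true lets the query still return rows if one workspace is unreachable.
union isfuzzy=true
    (workspace("la-site-a").Event | extend Site = "SiteA"),
    (workspace("la-site-b").Event | extend Site = "SiteB")
| where TimeGenerated > ago(1d)
| where EventLevelName in ("Error", "Warning")
| summarize Count = count(), LastSeen = max(TimeGenerated)
          by Site, Computer, EventLog, EventID
| order by Site asc, Count desc
```

Because the Site column is stamped inside each parenthesised branch before the union, identically named computers from different sites stay distinguishable in the summarize output. Note that the account running the query needs read access to every workspace named in the union, and that alerts based on cross-workspace queries are subject to the cross-resource query limits of Azure Monitor.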

  2. Rene Weber
    2022-05-26T11:49:06.703+00:00

    I tried to merge the data from the Event and Heartbeat tables, without success, because we could only join on the Computer column.

    You could try a workaround with computer groups.

    First create a query whose output includes the computers from site A, like this one.

    Heartbeat
    | where ComputerIP contains "public ip"
    | distinct Computer, ComputerIP

    After this you need to save the query as a function, then select the computer group checkbox.

    Now you can query the events just from the computers in this group.

    Event
    | where Computer in (ComputerGroup)

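The join between Event and Heartbeat that the answer above could not make work on Computer does work once there is a key that is unique per machine. The query below is an added example, not code from any answer on this page: it assumes the servers are Azure Arc-enabled (as in the accepted answer), so that Event and Heartbeat rows from the same machine carry the same _ResourceId, and it maps the ComputerIP recorded in Heartbeat (the site's public IP, as used in the answer above) to a site name through a small lookup table constructed here for illustration.

```kql
// Added example, not part of the original answer.
// Assumption: servers are Arc-enabled, so _ResourceId is populated in both Event and Heartbeat.
// Constructed mapping from the public IP each site reports from to a site label.
let SiteByIp = datatable(ComputerIP:string, Site:string)
[
    "203.0.113.10", "SiteA",
    "203.0.113.20", "SiteB",
    "203.0.113.30", "SiteC"
];
// Latest heartbeat per Arc machine: the IP the workspace last saw that machine's agent from.
let MachineSites = Heartbeat
    | where TimeGenerated > ago(1d)
    | where isnotempty(_ResourceId)
    | summarize arg_max(TimeGenerated, ComputerIP) by _ResourceId
    | lookup kind=leftouter SiteByIp on ComputerIP
    | extend Site = iff(isempty(Site), strcat("unknown:", ComputerIP), Site)   // surface unmapped IPs instead of dropping them
    | project _ResourceId, ComputerIP, Site;
Event
| where TimeGenerated > ago(1d)
| where isnotempty(_ResourceId)
// Join on the per-machine resource ID, not on Computer, which is identical across sites.
| join kind=inner MachineSites on _ResourceId
| summarize EventCount = count() by Site, Computer, EventLog, EventLevelName
| order by Site asc, EventCount desc
```

Joining on _ResourceId instead of Computer is the whole point: with identical hostnames, a join on Computer would attach every site's heartbeat rows to every site's events. Machines whose IP is not in the mapping are labelled "unknown:<ip>" rather than filtered out, so a site that changes its public address is noticed rather than quietly disappearing from the report.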
