Azure log analytics workspace and DC security logs

  • Question

  • Hello Experts,

    I am looking to integrate the DC security logs into OMS / Log Analytics. The Log Analytics agent is installed on the DC with the workspace ID and key. I can also see it in the Log Analytics workspace in the Azure console. Now it's time to pull the data from Event Viewer.

    So, I filter the data -> Windows event logs -> and then I am stumped with number security logs. Which one should I select?

    I can see Application, Setup, System, Directory Service, etc. clearly, but Security isn't there yet.

    Has anyone seen this yet?

    Thanks for reading.

    Cheers

    Anand


    anand

    Wednesday, April 24, 2019 1:49 PM

Answers

  • Hi Anand, I assume 'DC' means Domain Controller. Please correct me if my assumption is incorrect.

    Also, what do you mean by "stumped with number security logs"? If possible, share a screenshot of what you are seeing, which may help clarify your request.

    You may also want to check out existing ASC solutions that may address your objective.

    reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

    • Proposed as answer by FemisuluModerator Saturday, April 27, 2019 2:42 AM
    • Marked as answer by Anand Rao Tuesday, April 30, 2019 8:32 AM
    Saturday, April 27, 2019 2:42 AM
    Moderator
  • Hello Femisulu,

    I contacted Microsoft as it wasn't going anywhere, and here is what I got.

    We can get all kinds of logs and events from Windows / Linux servers except Security logs. Security log events are gathered only if we enable the security policy in the Azure console -> Security console -> Security Policy -> select your Log Analytics workspace here -> then select Data collection -> then select All Events.

    And BTW, this is exactly what is specified in the link that you shared :).

    That's all. Now we need to wait. I got about 2 million security event logs by waiting 24 hours (approx.).

    Thanks for the nudge, by the way.

    Cheers

    Anand


    anand

    • Marked as answer by Anand Rao Tuesday, April 30, 2019 8:32 AM
    Tuesday, April 30, 2019 8:32 AM
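Added verification query, not part of the original thread. Once the Data collection tier is set to All Events as described in the answer above, the Windows Security log events are written to the SecurityEvent table of the workspace rather than appearing under the Windows event logs data source. The Kusto (KQL) query below, run in the workspace's Logs blade, confirms that the domain controller is sending Security events and shows which event IDs make up the volume over the last 24 hours. The hostname "DC01" is a placeholder; everything else uses standard SecurityEvent columns.

```kql
// Added example: confirm Security log events from the domain controller are
// arriving in the Log Analytics workspace and see what is driving the volume.
// "DC01" is a placeholder; replace it with the hostname of your DC.
SecurityEvent
| where TimeGenerated > ago(24h)
| where Computer startswith "DC01"
| summarize
    EventCount = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
  by Computer, EventID, Activity
| order by EventCount desc
```

If this returns no rows while the Heartbeat table still shows the agent reporting, the policy change has not taken effect yet (the author above saw data after roughly 24 hours) or the tier is still set to None. Expect a large volume from a domain controller on All Events, as the 2 million events in 24 hours reported here illustrate, so check workspace retention and ingestion cost before enabling it fleet-wide.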
