Azure log analytics workspace and DC security logs

Category: azure log integration

Question

Anand Rao on Wed, 24 Apr 2019 13:49:24


Hello Experts,

I am looking to integrate the DC security logs into OMS / Log Analytics. The Log Analytics agent is installed on the DC with the workspace ID and key. I can also see it in the Log Analytics workspace in the Azure console. Now it's time to pull the data from Event Viewer.

So, I filter the data -> Windows event logs -> and then I am stumped with the number of security logs. Which one should I select?

I can see Application, Setup, System, Directory Service etc. clearly, but Security isn't there yet.

Has anyone seen this yet?

Thanks for reading.

Cheers

Anand


Replies

Femisulu on Sat, 27 Apr 2019 02:42:05


Hi Anand, I assume 'DC' means Domain Controller. Please correct me if my assumption is incorrect.

Also, what do you mean by "stumped with the number of security logs"? If possible, share a screenshot of what you are seeing, which may help clarify your request.

You may also want to check out existing ASC solutions that may address your objective.

Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

Anand Rao on Tue, 30 Apr 2019 08:32:21


Hello Femisulu,

I contacted Microsoft as it wasn't going anywhere, and here is what I got.

We can get all kinds of logs and events from Windows / Linux servers except Security logs. Security log events are gathered only if we enable the security policy in the Azure console -> security console -> Security Policy -> select your Log Analytics workspace there -> then select Data collection -> then select All Events.

And BTW, this is exactly what is specified in the link that you shared :).

That's all. Now we need to wait. I got about 2 million security event logs by waiting 24 hours (approx.).

Thanks for the nudge, by the way.

Cheers

Anand
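
As an added example (not from this thread), a Kusto query to run in the workspace after the data collection tier has been set to All Events, to confirm the agent on the DC is still reporting and to watch the Security event volume ramp up over the first 24 hours. The computer name "DC01" is an assumption; Heartbeat usually carries the short hostname while SecurityEvent carries the FQDN, which is why the match uses startswith.

```kusto
// Constructed example: verify Security event collection from a domain controller.
// "DC01" is an assumed computer name; replace it with your DC's name.
let dc = "DC01";
let window = 24h;
// Part 1: is the Log Analytics agent on the DC still heartbeating?
// The heartbeat is independent of the Security Center data collection tier,
// so a live heartbeat with an empty SecurityEvent table points at the tier setting.
let agentHeartbeating = toscalar(
    Heartbeat
    | where TimeGenerated > ago(window) and Computer startswith dc
    | count) > 0;
// Part 2: Security events per hour with how many distinct EventIDs arrived,
// so the ramp-up after enabling "All Events" is visible.
SecurityEvent
| where TimeGenerated > ago(window) and Computer startswith dc
| summarize Events = count(), DistinctEventIDs = dcount(EventID) by bin(TimeGenerated, 1h)
| extend AgentHeartbeating = agentHeartbeating
| order by TimeGenerated asc
```

An empty result with AgentHeartbeating missing entirely means no Security events have arrived yet; re-check the Data collection tier and allow the waiting period described above.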