Question
Anand Rao on Wed, 24 Apr 2019 13:49:24
Hello Experts,
I am looking to integrate the DC security logs to OMS / log analytics . The log analytics agent is installed on the DC with the workspace ID and key . I can also see it in the log analytics workspace in azure console. Now its time to pull the data from event viewer.
So , i filter the data -> Windows event logs -> and then i am stumped with number security logs. Which one should i select?
I can see Application, setup , system, directory service etc etc clearly , but security isn't there yet .
Has anyone seen this yet ?
Thanks for reading .
Cheers
Anand
anand
Replies
Femisulu on Sat, 27 Apr 2019 02:42:05
Hi Anand, I assume 'DC' means Domain Controller. Please correct if my assumption is incorrect.
Also, what do you mean by "stumped with number security logs"? IF possible, share a screen shot of what you are seeing which may help clarify your request.
You may also want to check out existing ASC solutions that may address your objective.
reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
Anand Rao on Tue, 30 Apr 2019 08:32:21
Hello Femisulu ,
I contacted Microsoft as it wasn't going anywhere and here is what I got.
We can get all kinds of logs and events from windows / linux servers except Security logs. Security logs events are gathered only if we enable security policy in Azure console -> security console-> security Policy -> select your log analytics here -> then select Data collection -> then select all Events.
and BTW , this is exactly what is specified in the link that you shared :) .
Thats all. Now we need to wait. I got about 2 million security event logs by waiting 24 hours ( approx ).
Thanks for nudge by the way .
Cheers
Anand