Azure log analytics workspace and DC security logs

Category: azure log integration


Anand Rao on Wed, 24 Apr 2019 13:49:24

Hello Experts, 

I am looking to integrate the DC security logs to OMS / Log Analytics. The Log Analytics agent is installed on the DC with the workspace ID and key. I can also see it in the Log Analytics workspace in the Azure console. Now it's time to pull the data from Event Viewer.

So, I filter the data -> Windows event logs -> and then I am stumped with number security logs. Which one should I select?

I can see Application, Setup, System, Directory Service, etc. clearly, but Security isn't there yet.

Has anyone seen this yet?

Thanks for reading.





Femisulu-MSFT on Sat, 27 Apr 2019 02:42:05

Hi Anand, I assume 'DC' means Domain Controller. Please correct me if my assumption is incorrect.

Also, what do you mean by "stumped with number security logs"? If possible, share a screenshot of what you are seeing, which may help clarify your request.

You may also want to check out existing ASC solutions that may address your objective.


Anand Rao on Tue, 30 Apr 2019 08:32:21

Hello Femisulu,

I contacted Microsoft as it wasn't going anywhere, and here is what I got.

We can get all kinds of logs and events from Windows / Linux servers except Security logs. Security log events are gathered only if we enable security policy in Azure console -> security console -> security Policy -> select your log analytics here -> then select Data collection -> then select all Events.

And BTW, this is exactly what is specified in the link that you shared :).

That's all. Now we need to wait. I got about 2 million security event logs by waiting 24 hours (approx.).

Thanks for the nudge, by the way.
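
To check that collection has started after the data collection setting described in the last reply is enabled, a query like the following can be run in the Log Analytics workspace. It is an added example, not part of any post in this thread; the 24-hour window is an assumption, and `SecurityEvent` is the table that Windows Security log events are written to.

```kusto
// Added verification query (not from the thread).
// Assumption: a 24-hour look-back window; adjust as needed.
SecurityEvent
| where TimeGenerated > ago(24h)
// One row per reporting machine, so a domain controller that is
// missing from the output is not sending Security log events yet.
| summarize
    Events           = count(),
    DistinctEventIds = dcount(EventID),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
    by Computer
// A large gap here points to an agent that has stopped reporting.
| extend MinutesSinceLast = datetime_diff('minute', now(), LastSeen)
| order by Events desc
```

A low `DistinctEventIds` count for a busy domain controller suggests a narrower collection tier than "all Events" is selected.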