Multiple people have been running into the issue of the "Event" table in Azure not showing up in their Log Analytics Workspace, so they haven't been able to produce the heat map that visualizes where attacks against their MS SQL server are coming from.
To get the "Event" table to query properly, we can create a new Data Collection Rule.
To do this, navigate to your Log Analytics Workspace -> Agents and click "Data Collection Rules". This takes you to a window listing all your Data Collection Rules.
- Click the "Create" button on the top left to create a new rule.
- Next, create a name and specify your subscription, resource group, and region. Platform Type should be "All"
- Go to "< Next : Resource >"
- Hit "Add Resources" on the top left
- Select both your Linux and Windows virtual machines
- Hit "Apply"
(Hopefully you're using Ubuntu 22.04; 24.04 has been causing problems with the data collection agents recently, as of September 10th, 2024.)
In the "Collect and deliver" window, hit "Add data source":
- Data Source Type: "Linux Syslog"
- Set the minimum log level for the "LOG_AUTH" facility to "LOG_DEBUG" (so every auth message, including failed logins, is collected)
- Manually set all other facilities to "None"
- Now in the same window, hit "Destination" and set it to your Log Analytics Workspace.
- Add the data source.
Now, create another data source for the Windows VM.
- Data Source Type: Windows Event Logs
- Choose "Basic" for the log collection configuration and check the following boxes:
  - Information
  - Audit Success
  - Audit Failure
In the "Custom" tab, add two XPath queries:
Windows Defender Malware Detection XPath Query
Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117)]]
Windows Firewall Tampering Detection XPath Query
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall!*[System[(EventID=2003)]]
These forward the Defender events raised when malware is detected (1116) or acted on (1117), and the firewall event raised when a firewall setting is changed (2003), which is how tampering shows up.
- Click next and configure the destination like we did before
At this point, you are good to create your Data Collection Rule.
Now, when the "Event" table is queried, it shows up in your Log Analytics Workspace.
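As an added example (not from the original post), here is the same rule as the JSON body of a Microsoft.Insights/dataCollectionRules resource, which you can deploy instead of clicking through the portal (for instance with the Azure CLI's az monitor data-collection rule create --rule-file). It covers the LOG_AUTH facility at every level from Debug up, the Security log's Audit Success and Audit Failure keywords (13510798882111488 is the band mask for both), and the two custom XPath queries from the post; the location, the data source names and the workspace resource ID placeholder are assumptions to replace with your own values, and the Basic "Information" selection for the Application and System logs is left out.

```json
{
  "location": "eastus",
  "properties": {
    "description": "Linux auth syslog plus Windows Security, Defender and Firewall events (assumed names/values)",
    "dataSources": {
      "syslog": [
        {
          "name": "linux-auth-syslog",
          "streams": ["Microsoft-Syslog"],
          "facilityNames": ["auth"],
          "logLevels": ["Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]
        }
      ],
      "windowsEventLogs": [
        {
          "name": "windows-security-defender-firewall",
          "streams": ["Microsoft-Event"],
          "xPathQueries": [
            "Security!*[System[(band(Keywords,13510798882111488))]]",
            "Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117)]]",
            "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall!*[System[(EventID=2003)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "law-destination",
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-Syslog", "Microsoft-Event"],
        "destinations": ["law-destination"]
      }
    ]
  }
}
```

After the rule is created you still need to associate it with both VMs (the portal's "Add Resources" step) before rows appear in the Event and Syslog tables.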