Connect Windows Servers to Azure Log Analytics Workspace | Exam AZ-500

Collect System Event Logs Automatically to Azure Log Analytics Workspace

Question

SIMULATION -

You plan to connect several Windows servers to the WS11641655 Azure Log Analytics workspace.

You need to ensure that the events in the System event logs are collected automatically to the workspace after you connect the Windows servers.

To complete this task, sign in to the Azure portal and modify the Azure resources.

Explanations

See the explanation below.

Azure Monitor can collect events from the Windows event logs or Linux Syslog, plus any performance counters you specify, for longer-term analysis and reporting, and can take action when a particular condition is detected. The steps below configure collection of events from the Windows System log; Linux Syslog and performance counters are configured from the same blade in the same way.

Data collection from Windows VM -

1. In the Azure portal, locate the WS11641655 Azure Log Analytics workspace then select Advanced settings.

2. Select Data, and then select Windows Event Logs.

3. You add an event log by typing in the name of the log. Type System and then select the plus sign +.

4. In the table, check the severities to collect. The quickstart ticks only Error and Warning; for this task tick Error, Warning and Information, because the question asks for the events in the System log, not only the errors and warnings.

5. Select Save at the top of the page to save the configuration.

Because the event-log selection is stored on the workspace rather than on the servers, any Windows server connected afterwards starts sending its System events automatically, which is exactly what the task asks for. In newer versions of the portal this blade is named Agents configuration (under Settings) rather than Advanced settings. Note also that the Log Analytics agent this setting applies to was retired on 31 August 2024; on current deployments the equivalent is a Data Collection Rule for the Azure Monitor Agent, which selects the same System log with the same three levels.

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
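The same configuration applied from PowerShell, as an added example that is not part of the original page or of Microsoft's documentation. It assumes the Az.OperationalInsights module and an already signed-in session, and uses a hypothetical resource group name RG1 (the page does not state the workspace's resource group); the data source name System-EventLog is an arbitrary choice. The last step runs the verification query a practitioner would use after a server has been connected.

```powershell
# Added example (not from the original page): configure the WS11641655 workspace so
# that every event in the System log is collected from any Windows server that
# connects with the Log Analytics agent, confirm the setting, then query the data.
# Assumption: the resource group name 'RG1' is hypothetical; replace it with the
# workspace's real resource group. Requires the Az.OperationalInsights module.

$ResourceGroupName = 'RG1'            # assumption, not given on the page
$WorkspaceName     = 'WS11641655'

# Connect-AzAccount                   # sign in first if this session is not yet authenticated

# 1. Add the System event log as a workspace data source. The data source lives on the
#    workspace, so every agent attached to it (now or later) receives the setting;
#    nothing is edited on the servers themselves. All three levels are enabled because
#    the task asks for "the events" in the System log, not only errors and warnings.
$dataSource = @{
    ResourceGroupName  = $ResourceGroupName
    WorkspaceName      = $WorkspaceName
    Name               = 'System-EventLog'   # arbitrary name for the data source object
    EventLogName       = 'System'
    CollectErrors      = $true
    CollectWarnings    = $true
    CollectInformation = $true
}
New-AzOperationalInsightsWindowsEventDataSource @dataSource

# 2. Confirm the data source exists and shows all three event types.
Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -Kind WindowsEvent |
    Format-List Name, Properties

# 3. After an agent has been connected and a few minutes have passed, verify ingestion
#    by querying the Event table for rows whose EventLog column is System.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName `
    -Name $WorkspaceName
$query = @'
Event
| where TimeGenerated > ago(1h)
| where EventLog == "System"
| summarize Events = count() by Computer, EventLevelName
| order by Computer asc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $query).Results |
    Format-Table -AutoSize
```

If step 3 returns nothing, check the Heartbeat table first: a server that is not heartbeating has an agent or workspace-key problem, not a data-source problem.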

To ensure that events in the System event logs are collected automatically to the specified Azure Log Analytics workspace, you need to perform the following steps:

  1. Connect the Windows servers to the workspace: the Windows agent is the Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA). These are two names for the same agent, not two alternatives. The same agent is used by System Center Operations Manager, so an existing Operations Manager management group can be connected to the workspace instead of installing the agent server by server. For Azure VMs and Azure Arc-enabled servers, the Log Analytics VM extension installs the same agent.

  2. Install the Log Analytics agent on each Windows server: download the 64-bit Windows agent from the workspace's Agents (formerly Agents management) blade in the Azure portal, and supply the Workspace ID and primary key shown on that blade during setup (or afterwards from the Microsoft Monitoring Agent applet in Control Panel) so that the agent reports to WS11641655.

  3. Configure the workspace to collect the System event log: the agent has no local file in which event logs are selected, so there is no MicrosoftMonitoringAgent.config to edit on the servers. Data sources are defined once on the workspace, and every connected agent downloads that configuration. In the portal, open WS11641655, select Advanced settings (Agents configuration in newer portal versions), then Data, then Windows Event Logs, add System, and tick Error, Warning and Information. This is the step the task actually asks for, and the result is the same whether it is done before or after the servers are connected.

  4. Verify that events are being collected: in the workspace's Logs blade, the Heartbeat table shows which computers are reporting, and the Event table holds the collected events, with the source log in the EventLog column and the severity in the EventLevelName column. Filtering the Event table to rows whose EventLog column is System confirms that System events from the connected servers are arriving; allow a few minutes after connecting an agent before expecting data.

By following these steps, you can ensure that events in the System event logs are collected automatically to the specified Azure Log Analytics workspace.