Application Log ID 18456 (Logon) not being collected (aka - allow to Collect Audit Failure and Audit Success events)
Added log collection of the Application Event Log , but it looks like Event 18456 Type Logon is not being collected even while its located in the Application Log
We’ve updated the Log Analytics service so that Audit Success / Audit Failure events are picked up from all event logs, not just the Security event log.
To collect these events, configure collection of “Information” level events from the event log.
The change is rolling out to all regions this week.
Same and similar for eventid 18453, the event level is information and category is logon.
Log Name: Application
Date: 11/4/2014 11:59:16 PM
Event ID: 18453
Task Category: Logon
Keywords: Classic,Audit Success
Login succeeded for user 'USERNAME'. Connection made using Windows authentication. [CLIENT: IP]
<Provider Name="MSSQLSERVER" />
<TimeCreated SystemTime="2014-11-04T22:59:16.000000000Z" />
<Security UserID="S-1-5-21-4185495620-1739196763-3906522881-1659" />
<Data> [CLIENT: IP]</Data>
Flemming Riis commented
The category is Logon and Audit Failure so thats must be why , just thought that when it was in the application log it would be auto collected.
Will wait for Security Intelligence Pack :)