How can we improve Azure Log Analytics ?

Use Windows Event Forwarding (WEF) to send events to OpInsights

Would it be cool if you could configure Windows Server WEF (Windows Event Forwarding - http://technet.microsoft.com/en-us/library/cc748890.aspx ) to send to Advisor for the Log Management scenario, without using the SCOM agent?
Alternatively, if one already has a forwarder/collector (WEF/WEC) architecture in place, could it be possible to use just one SCOM agent/gateway to pull the 'forwarded' logs stored on that collector from that single box to the cloud?

331 votes

Daniele Muscetta shared this idea

19 comments

  • MaggieD commented

    I noticed the "Forwarded Event" could be chosen from Log Analytics -> Advanced settings -> Data sources -> Event configuration. Does this mean it is fully supported now? Any documentation for this?

  • Traber commented

    Any update here? Per the last admin response, the preview was supposed to be in late 2018, but I haven't heard anything about it yet.

  • Anon commented

    Could we have an update on this? Would love to send data from our 10.000 workstations to OMS.

  • Anonymous commented

    +1 WEF is a great central aggregator of log data. It would be incredibly useful to be able to use WEF and OMS to correlate and dashboard that information.

  • Rodrigo commented

    There is plenty of information that can only be retrieved from a workstation's event logs. Think about AppLocker, EMET and other security-related events that are currently only logged into a local event log. Until a properly priced SKU for non-server nodes exists, having the ability to forward events from a workstation to a central repository and funnel that up to OMS is the only way to get that data into one pane for the folks checking those things. Granted, you can technically write your own solution to parse those local logs, package the entries into JSON and ingest them into OMS via the HTTP API, but it would be nicer if we had some pre-canned option.
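
The "write your own solution" route the comment above mentions, as an added example that is not part of the thread and not Microsoft's own sample: a PowerShell script that reads a handful of security events from a collector's ForwardedEvents channel, packages them as JSON and posts them to the Log Analytics HTTP Data Collector API. The workspace ID, shared key and the custom log name are placeholders you would fill in from your own workspace; the event IDs 4720 (user account created) and 4732 (member added to a local group) are just the ones chosen for this example.

```powershell
# Added example (not from the thread): ship events from the WEC's ForwardedEvents
# log to the Log Analytics HTTP Data Collector API.
# Assumptions: $WorkspaceId and $SharedKey are placeholders taken from your workspace;
# $LogType is the custom table name you pick (it appears as <name>_CL in the workspace).
$WorkspaceId = "<workspace-id>"
$SharedKey   = "<workspace-primary-key-base64>"
$LogType     = "WecForwardedEvents"

function Get-ForwardedEventBatch {
    param([int]$MaxEvents = 200, [int[]]$EventIds = @(4720, 4732))
    # Pull only the few IDs we care about from the collector's ForwardedEvents channel
    # and flatten each record into the fields we want as columns in the workspace.
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = $EventIds } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeGenerated = $_.TimeCreated.ToUniversalTime().ToString('o')
                Computer      = $_.MachineName      # the forwarding source, not the collector
                EventId       = $_.Id
                Channel       = $_.LogName
                Provider      = $_.ProviderName
                Message       = $_.Message
            }
        }
}

function New-DataCollectorSignature {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$Rfc1123Date, [int]$ContentLength)
    # The API signs "method, content length, content type, x-ms-date header, resource"
    # with HMAC-SHA256 keyed by the base64-decoded workspace key.
    $stringToSign = "POST`n$ContentLength`napplication/json`nx-ms-date:$Rfc1123Date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign))
    "SharedKey ${WorkspaceId}:$([Convert]::ToBase64String($hash))"
}

function Send-ToLogAnalytics {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$LogType, [object[]]$Records)
    if (-not $Records) { return }
    # -InputObject keeps the array shape, so a single event is still sent as a JSON array.
    $body  = ConvertTo-Json -InputObject @($Records) -Depth 4 -Compress
    $bytes = [Text.Encoding]::UTF8.GetBytes($body)
    $date  = [DateTime]::UtcNow.ToString('r')     # RFC 1123 date the signature covers
    $headers = @{
        Authorization          = New-DataCollectorSignature -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
                                     -Rfc1123Date $date -ContentLength $bytes.Length
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeGenerated'   # use the event's own time, not ingestion time
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' `
                      -Headers $headers -Body $bytes -UseBasicParsing
}

$batch = Get-ForwardedEventBatch
Send-ToLogAnalytics -WorkspaceId $WorkspaceId -SharedKey $SharedKey -LogType $LogType -Records $batch
```

Run this on the collector under an account that can read the ForwardedEvents channel, and keep the shared key out of the script body in anything beyond a test (a credential store or the workspace's agent-side configuration). Because the HMAC covers the content length and the date header, a tampered or replayed body is rejected by the service, which is also why the same byte array must be used both for the signature and for the request body.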

  • Daniel Streefkerk commented

    Why is this still not implemented? I looked into this around 1 year ago in my last job. Now, a year later, I still can't do it.

    I want to pass my collected logs from my workstation fleet up to OMS.

    As it stands, I'm going to have to go with a competing solution like LogStash, but really don't want to.

  • Anonymous commented

    This is something that needs to be done. It completes the loop. We don't want to install the agent on every computer on the network. We have enough agents already.

  • Anonymous commented

    Had a conversation with a large customer who wants this functionality. Looks like this request has been out there for a long time. Any progress with it?

  • Pierre Audonnet commented

    "Alternatively, if one already has a forwarder/collector (WEF/WEC) architecture in place, could it be possible to use just one SCOM agent/gateway to pull the 'forwarded' logs stored on that collector from that single box to the cloud."

    This would be great!

  • scott commented

    We are just beginning deployment of OMS and use WEF to collect the security event logs from our servers. Seems like they just need a parser in OMS to see the logs correctly. We can see all the correct logs on the WEF server correctly (i.e. adding a new account and adding it to the local admin group; this creates a security event but it's not getting reported accurately in OMS). Having to deploy an agent on our 1300 servers to get this information seems senseless, as Windows already has a built-in method to collect the logs. Isn't that the whole point of integration (especially with tools from the same company)?

  • Bjarne Abraham commented

    Yes, it would be great if we could install the agent on the WEC server and then ship all collected logs to OMS. We do not want to install the agent on each server that we collect logs from.

  • STefx commented

    I have the same request: my event collector is not sending forwarded events to OMS. I have seen that it was not working in September; is this still the case?

    Can you please make it work?

  • joao commented

    Hi people,

    Recently I had a request from a customer to create audit logs. I configured the audit logs and forwarded them to one server.
    My server is monitored by OMS, but I'm trying to query my forwarded events only, to know if they are in OMS.
    Is it possible? If yes, could somebody help me with this query?

  • Masahiko Ebisuda commented

    I have one customer that has 1500 VMs and wishes for this function.
    Many customers don't want to install agents on their servers.

    Linux can achieve non-agent style using Syslog.

  • RichardB commented

    I would really like to see this come true in the following way.

    Have our Collectors forward all its events to OMS.

    I have two business cases where this would really make sense.

    1) Instead of using the Security Solution Pack, which is waaay too expensive due to the amount of events being sent, I would collect only the few events needed from our Domain Controller and send them to OMS.
    (and as a bonus feature, use the security posture view on these events also)

    2) We are in the process of implementing that all workstations send events to our Collector. Not a lot, but a little handful. These I would also like to send to OMS.
    (inspired by http://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx and
    https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf)

    I do NOT want to install a Direct Agent on all our workstations just to collect a few events every now and then. Too much management overhead. (We have 5.000 workstations.)

  • Ian Smith commented

    Yes!!! This would be awesome for Cyber engagements. No one wants to hook their Domain Controllers up to the internet, even if its connection is through a proxy. Is this something we can do today? Install an MMA agent on a WEF collection point server and have it send security events from the DC up to Log Analytics?

  • Kurt Falde commented

    I don't see usefulness around WEF itself forwarding to the cloud; however, forwarding/aggregating to the WEF server and putting the agent on there to pull the Forwarded Events log is definitely something that would be useful.
