Use Windows Event Forwarding (WEF) to send events to OpInsights
Would it be cool if you could configure Windows Server WEF (Windows Event Forwarding - http://technet.microsoft.com/en-us/library/cc748890.aspx ) to send to Advisor for the Log Management scenario, without using the SCOM agent?
Alternatively, if one already has a forwarder/collector (WEF/WEC) architecture in place, could it be possible to use just one SCOM agent/gateway to pull the 'forwarded' logs stored on that collector from that single box to the cloud?
This is currently under development, scheduled to be in preview later in 2018
John Smiht commented
So, when can we expect this to be released into production?
Tell me the latest about this?
I noticed that "Forwarded Event" could be chosen from Log Analytics -> Advanced settings -> Data sources -> Event configuration. Does this mean it is fully supported now? Any documentation for this?
Any update here? Per the last admin response, the preview was supposed to be in late 2018, but I haven't heard anything about it yet.
Could we have an update on this? Would love to send data from our 10.000 workstations to OMS.
+1 WEF is a great central aggregator of log data. It would be incredibly useful to be able to use WEF and OMS to correlate and dashboard that information.
There is plenty of information that can only be retrieved from a workstation's event logs. Think about AppLocker, EMET and other security-related events that are currently only logged into a local event log. Until a properly priced SKU for non-server nodes exists, having the ability to forward events from a workstation to a central repository and funnel that up to OMS is the only way to get that data into one pane for the folks checking those things. Granted, you can technically write your own solution to parse those local logs, package the entries into JSON and ingest them into OMS via the HTTP API, but it would be nicer if we had some pre-canned option.
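The do-it-yourself route the comment above mentions (read the logs, package the entries as JSON, post them with the HTTP Data Collector API) as an added PowerShell example. It is not code from this thread, from Microsoft, or from the OMS agent; it assumes it runs on the WEC host where subscriptions land in the ForwardedEvents channel, and the workspace ID, shared key, custom log name (WefForwarded) and the event ID list are placeholders you would replace.

```powershell
# Added example (not from the thread or from Microsoft): ship events that a WEF
# subscription has already landed in the collector's ForwardedEvents log to a
# Log Analytics workspace through the HTTP Data Collector API.
# Workspace ID, shared key, custom log name and event IDs are assumed placeholders.
param(
    [string]$WorkspaceId     = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$SharedKey       = '<workspace primary key, base64>',        # placeholder; keep out of source control
    [string]$LogType         = 'WefForwarded',                           # arrives as WefForwarded_CL
    [int[]] $EventIds        = @(4720, 4728, 4732, 4756),                # account created / added to a group
    [int]   $LookbackMinutes = 15
)

# Authorization header for the Data Collector API:
#   SharedKey <workspaceId>:<base64(HMAC-SHA256(key, stringToSign))>
# stringToSign = "POST\n<contentLength>\napplication/json\nx-ms-date:<date>\n/api/logs"
function New-LaSignature {
    param([string]$WorkspaceId, [string]$SharedKey, [int]$ContentLength, [string]$Rfc1123Date)
    $stringToSign = "POST`n$ContentLength`napplication/json`nx-ms-date:$Rfc1123Date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign))
    'SharedKey {0}:{1}' -f $WorkspaceId, [Convert]::ToBase64String($hash)
}

function Send-LaRecords {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$LogType, [object[]]$Records)
    $body  = ConvertTo-Json -InputObject $Records -Depth 3 -Compress
    $bytes = [Text.Encoding]::UTF8.GetBytes($body)   # sign the UTF-8 byte length, not the character count
    $date  = [DateTime]::UtcNow.ToString('r')         # RFC 1123 date the signature covers
    $headers = @{
        'Authorization'        = New-LaSignature -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
                                                 -ContentLength $bytes.Length -Rfc1123Date $date
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeCreated'       # use the event's own time as TimeGenerated
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' -Headers $headers -Body $bytes
}

# Forwarded events keep the source host in MachineName and their original
# TimeCreated, so each record names the forwarding machine, not the collector.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = $EventIds; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no matching events raises an error; treat as empty

$records = @(foreach ($e in $events) {
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated.ToUniversalTime().ToString('o')
        SourceHost  = $e.MachineName
        EventID     = $e.Id
        Provider    = $e.ProviderName
        Message     = $e.Message
    }
})

# One post is capped at 30 MB; a modest batch stays well under it.
$batchSize = 500
for ($i = 0; $i -lt $records.Count; $i += $batchSize) {
    $end   = [Math]::Min($i + $batchSize, $records.Count) - 1
    $batch = @($records[$i..$end])
    Send-LaRecords -WorkspaceId $WorkspaceId -SharedKey $SharedKey -LogType $LogType -Records $batch
}
"Sent $($records.Count) forwarded event(s) as $LogType`_CL"

# To confirm ingestion in the workspace (custom fields get type suffixes):
#   WefForwarded_CL
#   | where EventID_d == 4732
#   | project TimeGenerated, SourceHost_s, Provider_s, Message_s
```

Two practical points: the shared key is a write-anything credential for the workspace, so keep it in a vault or a restricted config rather than in the script, and run the script under a scheduled task with a lookback that overlaps the task interval so a missed run does not drop events (the cost is a few duplicate rows, which the query can deduplicate on TimeGenerated and SourceHost_s).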
Daniel Streefkerk commented
Why is this still not implemented? I looked into this around 1 year ago in my last job. Now, a year later, I still can't do it.
I want to pass my collected logs from my workstation fleet up to OMS.
As it stands, I'm going to have to go with a competing solution like Logstash, but I really don't want to.
This is something that needs to be done. It completes the loop. We don't want to install the agent on every computer on the network. We have enough agents already.
Had a conversation with a large customer who wants this functionality. Looks like this request has been out there for a long time. Any progress with it?
Łukasz Rutkowski commented
RichardB commented - I second that, I want to monitor RMS data from workstations.
Pierre Audonnet commented
"Alternatively, if one already has a forwarder/collector (WEF/WEC) architecture in place, could it be possible to use just one SCOM agent/gateway to pull the 'forwarded' logs stored on that collector from that single box to the cloud."
This would be great!
We are just beginning deployment of OMS and use WEF to collect the security event logs from our servers. It seems like they just need a parser in OMS to see the logs correctly. We can see all the correct logs on the WEF server (i.e. adding a new account and adding it to the local admin group). This creates a security event, but it is not getting reported accurately in OMS. Having to deploy an agent on our 1300 servers to get this information seems senseless, as Windows already has a built-in method to collect the logs. Isn't that the whole point of integration (especially with tools from the same company)?
Bjarne Abraham commented
Yes, it would be great if we could install the agent on the WEC server and then ship all collected logs to OMS. We do not want to install the agent on each server that we collect logs from.
I have the same request: my event collector is not sending forwarded events to OMS. I have seen that it was not working in September; is this still the case?
Can you please make it work?
Recently I had a request from a customer to create audit logs. I configured the audit logs and forwarded them to one server.
My server is monitored by OMS, but I'm trying to query only my forwarded events to know if they are in OMS.
Is it possible? If yes, somebody could help me with this query?
Masahiko Ebisuda commented
I have one customer that has 1500 VMs and wishes for this function.
Many customers don't want to install agents on their servers.
Linux can achieve an agentless style using Syslog.
Chris Portillo commented
Yes! Yes! This would be great.
I would really like to see this come true in the following way:
Have our collectors forward all their events to OMS.
I have two business cases where this would really make sense.
1) Instead of using the Security Solution Pack, which is waaay too expensive due to the amount of events being sent, I would collect only the few events needed from our Domain Controllers and send them to OMS.
(and as a bonus feature, use the security posture view on these events also)
2) We are in the process of implementing that all workstations send events to our collector. Not a lot, but a small handful. These I would also like to send to OMS.
(inspired by http://blogs.technet.com/b/jepayne/archive/2015/11/24/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem.aspx and
I do NOT want to install a Direct Agent on all our workstations just to collect a few events every now and then. Too much management overhead (we have 5.000 workstations).
Ian Smith commented
Yes!!! This would be awesome for Cyber engagements. No one wants to hook their Domain Controllers up to the internet, even if the connection is through a proxy. Is this something we can do today? Install an MMA agent on a WEF collection point server and have it send security events from the DCs up to Log Analytics?