How to send Windows logs from an on premises windows machine to Microsoft Sentinel?

Colin R 0 Reputation points
2025-01-21T21:40:59.6366667+00:00

Hi,

I'm trying to set up Microsoft Sentinel, and I need to forward Windows logs from all of our machines. I'm experimenting with the configuration on a machine running Windows 11 Pro, then plan to copy the configuration across the rest of our machines.

I'm using the following documentation:

I've installed the Azure Monitor Agent on the machine, but I noticed that there wasn't anything in the agent to point it/connect it to my Microsoft Sentinel instance. After some reading, I connected my Windows 11 Pro machine to Azure via Arc. After that, I created a data collection rule where I was able to select the Windows 11 Pro Machine, and I selected all logs. I've also created a Log Analytics Workspace and a Data Collection Endpoint.

I am still not receiving any logs, not even heartbeat logs. Though it seems like I should be? Am I missing something? I have wasted so much trying to get this working. The old monitoring solution seemed much simpler, but it has been deprecated.

Thanks,


1 answer

  1. Akhilesh Vallamkonda 11,360 Reputation points Microsoft Vendor
    2025-01-23T21:01:19.7833333+00:00

    Hi @Colin R

    Thank you for reaching us!

    May I know which connector you have used: is it Windows Security Events via AMA or Security Events via Legacy Agent?

    Where have you created the data collection rule? Is the rule created in the Data collection rules tab, or is it created in the Content hub under Windows Security Events via AMA?

    If the rule is created in the Data collection rules tab, the data ingestion is mapped to Events.

    If the rule is created via Windows Security Events via AMA, the data ingestion happens to SecurityEvents. Please ensure you create the rule inside the data connector configuration.

    If this is not the case, troubleshoot by checking that your data collection rule JSON contains a section for 'windowsEventLogs'. If not, create the DCR.

    Check that the file C:\WindowsAzure\Resources\AMADataStore.<virtual-machine-name>\mcs\mcsconfig.lkg.xml exists.

    Open the file and check if it contains Subscription nodes as shown in the example below:

    <Subscription eventName="c9302257006473204344_14882095577508259570" 
    query="System!*[System[(Level = 1 or Level = 2 or Level = 3)]]">
        <Column name="ProviderGuid" type="mt:wstr" defaultAssignment="00000000-0000-0000-0000-000000000000">
          <Value>/Event/System/Provider/@Guid</Value>
        </Column>
        ...
        </Column>
    </Subscription>
    

    Reference: Troubleshooting guidance for the Azure Monitor agent on Windows virtual machines and scale sets https://techcommunity.microsoft.com/blog/fasttrackforazureblog/windows-events-how-to-collect-them-in-sentinel-and-which-way-is-preferred-to-det/3997342

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh V.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.

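As an added troubleshooting helper (not part of the original answer), this PowerShell script runs the checks the answer lists on the monitored machine itself: whether the agent service is running, whether mcsconfig.lkg.xml exists and contains Subscription nodes, and whether an exported DCR JSON has a windowsEventLogs data source. It assumes the service name AzureMonitorAgent, the C:\WindowsAzure\Resources path given in the answer, and a hypothetical local DCR export at $DcrJsonPath (Azure portal > data collection rule > JSON View).

```powershell
# Hypothetical path to a locally saved copy of the DCR's JSON View.
$DcrJsonPath = 'C:\temp\dcr.json'

# 1. Is the Azure Monitor Agent installed and running? (service name is an assumption)
$svc = Get-Service -Name AzureMonitorAgent -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'AzureMonitorAgent service not found: the agent is not installed.' }
else { Write-Host "AzureMonitorAgent status: $($svc.Status)" }

# 2. Locate the last-known-good config the agent received from its DCR(s).
$cfg = Get-ChildItem -Path 'C:\WindowsAzure\Resources' -Filter 'mcsconfig.lkg.xml' -Recurse -ErrorAction SilentlyContinue |
       Where-Object { $_.FullName -like '*AMADataStore*\mcs\*' } | Select-Object -First 1
if (-not $cfg) {
    Write-Warning 'mcsconfig.lkg.xml not found: no DCR has reached the agent yet (check the DCR association and Arc connectivity).'
} else {
    Write-Host "Config file: $($cfg.FullName)"
    [xml]$xml = Get-Content -Path $cfg.FullName -Raw
    # Each <Subscription> node is one Windows Event Log channel the agent collects.
    $subs = $xml.SelectNodes("//*[local-name()='Subscription']")
    if ($subs.Count -eq 0) {
        Write-Warning 'No <Subscription> nodes: the DCR has no Windows Event Log data source.'
    } else {
        foreach ($s in $subs) {
            # The query attribute has the form "<Channel>!<XPath>", e.g. "System!*[System[(Level = 1 ...)]]".
            $query   = $s.GetAttribute('query')
            $channel = ($query -split '!', 2)[0]
            Write-Host ("Collecting channel '{0}' with XPath: {1}" -f $channel, $query)
        }
    }
}

# 3. Does the exported DCR JSON define a windowsEventLogs data source?
if (Test-Path -Path $DcrJsonPath) {
    $dcr = Get-Content -Path $DcrJsonPath -Raw | ConvertFrom-Json
    $wel = $dcr.properties.dataSources.windowsEventLogs
    if (-not $wel) {
        Write-Warning "DCR has no 'windowsEventLogs' section: recreate it from the Windows Security Events via AMA connector."
    } else {
        foreach ($ds in $wel) {
            # streams shows whether events land in Event or SecurityEvent, as the answer describes.
            Write-Host ("DCR source '{0}' -> streams: {1}" -f $ds.name, ($ds.streams -join ', '))
            $ds.xPathQueries | ForEach-Object { Write-Host "  $_" }
        }
    }
} else {
    Write-Host "No DCR export at $DcrJsonPath; skipping JSON check."
}
```

Run it in an elevated PowerShell session on the Windows 11 machine; a missing config file or an empty Subscription list points at the DCR association rather than the agent install.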
