Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,331 questions
Not receiving windows security event from Azure ARC enabled servers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 49%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Rahul Saha
0
Reputation points
Successfully connected Windows server through Azure ARC but not receiving any security event logs through data collection rule in Sentinel connector. The AMA extension is showing running successfully.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 20%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Pranay Reddy Madireddy 700 Reputation points Microsoft Vendor2024-11-15T21:00:30.7666667+00:00 Hi Rahul Saha
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Make sure the DCR collects security event logs, includes the right log types, and targets the correct server.
Even though the AMA extension is running, verify that it is properly configured for log collection. You can use PowerShell to check its status and settings.
check your server can connect to Azure Monitor by checking the firewall settings and ensuring that the required ports are open.
Verify that your logs are being sent to the correct Log Analytics workspace and check for any errors or issues with data ingestion.
Verify that the Azure Arc-enabled server has the required permissions to send logs to Azure Sentinel.
Manually generate security events on your Windows server, such as failed login attempts, and then check if they appear in Azure Sentinel.
For reference, please review this documentation: -
https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-windows-server
https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall-reference
https://learn.microsoft.com/en-us/azure/sentinel/roles
https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policyIf you have any further queries, do let us know.
If the answer is helpful, please click "Accept Answer" and "Upvote it".
-
Pranay Reddy Madireddy 700 Reputation points Microsoft Vendor
2024-11-18T16:28:56.0933333+00:00 Hi Rahul Saha
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Sign in to comment
Sign in to answer