Creating a Data Collection Rule to populate "Event" logs in Azure

Andy Tran - Sep 11 - - Dev Community

Multiple people have been running into the issue of the Event table in Azure not showing up in their Logs Analytics Workspace, they haven't been able to produce the heat map to visualize where attacks into their MS SQL server are coming from.

To get the "Event" table to properly query, we can create a new Data Collection Rule.

To do this,

  • navigate to your Log Analytic's Workspace -> Agent

  • click "Data Collection Rules"

Data Collection Rules View Button

This will take you to a window showing all your Data Collection Rules.

  • Click the "Create" button on the top left to create a new rule.

Create Data Collection Rule Button

  • Next, create a name and specify your subscription, resource group, and region. Platform Type should be "All"

Basic Config

  • Go to "< Next : Resource >"
  • Hit "Add Resources" on the top left
  • Select both our linux and windows virtual machines
  • hit "Apply"

Resources

(Hopefully you're using Ubuntu Version 22.04, as the 24.04 has been causing problems with data collection agents as of recently...September 10th, 2024.)

  • In the "Collect and deliver" window, we hit "Add data resource"

  • Data Source Type: "Linux Syslog"

  • set "LOG_AUTH" to "LOG_DEBUG"

  • You should also manually set all other facility options to "None"

Collect and Deliver Config

  • Now in the same window, we hit "Destination" and set it to our Log Analytics Workspace.

Destination

  • Add the data source.

Now, we create another data source for our windows vm.

  • Data Source Type: Windows Event Logs
  • Choose "Basic" for log collection configuration settings Check the following boxes:
  • Information
  • Audit Success
  • Audit Failure

Windows VM Data Resource

In the custom tab, we want to add 2 xpath queries:

Windows Defender Malware Detection XPath Query

Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117)]]
Enter fullscreen mode Exit fullscreen mode

Windows Firewall Tampering Detection XPath Query

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall!*[System[(EventID=2003)]]
Enter fullscreen mode Exit fullscreen mode

These will forward logs when malware is detected or when firewalls are being tampered with.

xpath queries

  • Click next and configure the destination like we did before

windows vm destination config

At this point, you are good to create your Data Collection Rule

Final Review

Creation of DCR

Now, when "Event" is queried, it shows up in our Log Analytics Workspace

Event Query

Image
Melhore a Legibilidade e Manutenção do Código CSS criando Estilos Dinâmicos
Image
Configurando servidor local no Linux: Nginx, MySQL e PHP
Image
Mastering Web Development: A Comprehensive Collection of Free Online Tutorials

getvm, programming, tutorials
Image
A wing chair that belongs to me
Image
Can graylog create chart for monitoring API usage ?
Image
Immediately Invoked Function Expression (IIFE)
Image
Buy verified cash app account
Image
There's nothing like going to a free concert

tutorial, functional, funny
Image
aqua Now Supports Node.js
Image
How to Build a Simple Chrome Extension to Search Selected Text on YouTube

chrome, extension, javascript
Image
Building a Reusable Progress Bar Component in React with Tailwind CSS
Image
Managing and Monitoring Modes for Ralink Technology Corp MT7601U
Image
BitPower: An innovative platform for making money easily at home
Image
Why I Believe Lombok Should Be Discarded from Java Projects
Image
Enhancing Security: A Guide to System Hardening and AWS Tools 🛡️

aws, cloudcomputing, security, cloud
Image
Casual Clothes App Using Next.js 14, TypeScript, Prisma & Next-Auth
Image
Mastering End-to-End Testing: Which Tool Cypress or Playwright Should You Choose?
Image
How a history-aware retriever works?
Image
Handling Errors in Node.js: Turning Oops into Success 🚀
. . . . . . .
Terabox Video Player