Creating a Data Collection Rule to populate "Event" logs in Azure

aktran321

Khang Tran

Posted on September 11, 2024

Creating a Data Collection Rule to populate "Event" logs in Azure

Multiple people have been running into the issue of the Event table in Azure not showing up in their Logs Analytics Workspace, they haven't been able to produce the heat map to visualize where attacks into their MS SQL server are coming from.

To get the "Event" table to properly query, we can create a new Data Collection Rule.

To do this,

  • navigate to your Log Analytic's Workspace -> Agent

  • click "Data Collection Rules"

Data Collection Rules View Button

This will take you to a window showing all your Data Collection Rules.

  • Click the "Create" button on the top left to create a new rule.

Create Data Collection Rule Button

  • Next, create a name and specify your subscription, resource group, and region. Platform Type should be "All"

Basic Config

  • Go to "< Next : Resource >"
  • Hit "Add Resources" on the top left
  • Select both our linux and windows virtual machines
  • hit "Apply"

Resources

(Hopefully you're using Ubuntu Version 22.04, as the 24.04 has been causing problems with data collection agents as of recently...September 10th, 2024.)

  • In the "Collect and deliver" window, we hit "Add data resource"

  • Data Source Type: "Linux Syslog"

  • set "LOG_AUTH" to "LOG_DEBUG"

  • You should also manually set all other facility options to "None"

Collect and Deliver Config

  • Now in the same window, we hit "Destination" and set it to our Log Analytics Workspace.

Destination

  • Add the data source.

Now, we create another data source for our windows vm.

  • Data Source Type: Windows Event Logs
  • Choose "Basic" for log collection configuration settings Check the following boxes:
  • Information
  • Audit Success
  • Audit Failure

Windows VM Data Resource

In the custom tab, we want to add 2 xpath queries:

Windows Defender Malware Detection XPath Query

Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117)]]
Enter fullscreen mode Exit fullscreen mode

Windows Firewall Tampering Detection XPath Query

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall!*[System[(EventID=2003)]]
Enter fullscreen mode Exit fullscreen mode

These will forward logs when malware is detected or when firewalls are being tampered with.

xpath queries

  • Click next and configure the destination like we did before

windows vm destination config

At this point, you are good to create your Data Collection Rule

Final Review

Creation of DCR

Now, when "Event" is queried, it shows up in our Log Analytics Workspace

Event Query

💖 💪 🙅 🚩
aktran321
Khang Tran

Posted on September 11, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related