Collect Windows10 Events in log analytic Workspace

Jonathan LefebvreAzure, IntuneLeave a Comment

5
(1)

Windows 10, Azure, and Endpoint Manager offer many different tools to gather and know more about what is going on in your environment. One of those is Log Analytics Workspace. Log Analytics workspace has the ability to collect data from Windows devices such as Events and performance data through the Microsoft monitoring agent. This can centralize Windows events to be analyzed and crunched to identify potential impacts happening to many computers.

While the Monitoring agent is free, the data hosted in Log Analytics Workspaces will cost a little per month for great insight. Based on past experience, you can expect ~100$/month for roughly 7000 devices reporting Errors and Warning.

In this post, we will describe how to configure the Azure Log Analytics Workspace to gather Windows10 Events centrally.

Windows10 Events log analytic – Prerequisites

  • The following operating systems are supported to report event viewer by using the Log Analytics agent
    • Windows 7, 8 and 10
    • Windows Server 2008 SP2 and above
  • Clients communicate to the Azure Monitor service over TCP 443

For mode details about the requirements, see Microsoft Docs

Create a Log Analytics Workspace

  • Open the Azure portal and search for Log Analytics Workspaces
  • Click on Add
Windows10 Events log analytic
  • Select the subscription that the usage of Log Analytics Workspaces will be billed to. Specify a name for the instance name and select the region that it will be hosted to
Windows10 Events log analytic
  • Select the Pricing tier. This will vary depending on your contract with Microsoft.
  • Specify Tags if you wish so.
Windows10 Events log analytic
  • Review final validation and create the Log Analytics workspace
Windows10 Events log analytic
  • The Log Analytics workspace will be created within seconds.

Configuring Windows Event logs

  • From the overview page of the newly created Log Analytics Workspaces, select the Resource just created
Event viewer log analytic
  • Select Advanced Settings
Event viewer log analytic
  • Under Data/Windows Event Logs, we need to add the events we wish to collect.
    • Simply type in the Events you wish to monitor, for example System, Application or Setup.
Windows 10 events Log Analytics
Careful what is selected

In most cases, avoid selecting Information since there are way too many information events generated per computer. This would have an impact on the cost associated with Log Analytics Workspace.

For some more specific event categories, Information may make sense, depending on what you are looking for.

Event viewer log analytic
  • Once the list is completed, click Save

Download the Monitoring Agent

  • In the workspace details, select Agent Management
Event viewer log analytic
  • Download the Windows Agent based on the OS architecture needed
Event viewer log analytic
  • Take note of the Workspace ID and Primary Key. They both will be required at the install time.
Important Info

If some computers do not have direct internet connection, and you still need to have events centralized, it is possible to configure a Log Analytics Gateway.

Windows 10 events Log Analytics

See Microsoft docs for more details

Install the Monitoring agent

The Monitoring agent can be installed manually or silently using an install command. Endpoint Manager or Configuration Manager can easily deploy this agent with the command line.

  • When ran manually, the Workspace ID and Primary key will be asked within the install wizard
  • To create a silent install, the setup.exe must first be extracted from the downloaded installer
  • From a command prompt, use the following command to extract the content
    • MMASetup-AMD64.exe /c
    • a prompt will show to set the location
  • The silent install command line should look like this
setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID="<WorkspaceID>" OPINSIGHTS_WORKSPACE_KEY="<Workspace Key>" AcceptEndUserLicenseAgreement=1
  • Workspace ID and Workspace Key need to be specified.

For more details about the installation of the Monitoring agent, see Microsoft docs

Verify Agent communication

  • On a computer that the Monitoring agent is installed, go to Control Panel, and select Microsoft Monitoring Agent
Windows 10 events Log Analytics
  • On the tab Azure Log Analytics, the status of the agent is reported.
Windows 10 events Log Analytics
  • After a few hours, the events will be available in Log Analytics workspaces.

How to view centralized Windows events

  • In the Log Analytics Workspace, select Logs
Windows 10 events viewer Log Analytics
  • From there, queries can be made. While the query language isn’t intuitive, after a few queries, details can be sorted about the Windows events happening in your environment.

For more details about Log Analytics query language, see Microsoft Docs

Log Analytics query examples

Here’s a few example of queries for Windows10 Events log analytic

To list all events for a specific computer

Event | where  Computer  == "<computer name>"
Event viewer log analytic

To list all events returned by all computers

Event
Windows10 Events log analytic

To list counts of Errors in the System events

Event | where EventLog == "System" | where EventLevelName == "Error" | summarize count() by Source, EventID
Windows10 Events log analytic

Counts of specific event ID per computers

Event | where EventID == 5002 and EventLevelName == "Error" | summarize Event_Count=count() by Computer | sort by Event_Count
Windows10 Events log analytic

Counts of errors per day for all computers

Notice that you can use chart for easily pinpoint bad days. It is also possible to modify the Time Range for bigger overview. In the below example, digging what happened on September 9th would make sense since the number of errors globally was way higher then usual.

Event | where EventLog == "System" | where EventLevelName == "Error" | summarize events_count=count() by startofday(TimeGenerated) | sort by TimeGenerated asc nulls last
Windows10 Events log analytic

For more details about Log analytics agent, see Microsoft docs

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

Leave a Reply