Log analytics agent basic logs / analytics logs

Does this mean the log analytics agent will be able to send important logs directly to the LAW and mundane logs into basic logs? Or will you still need some proxy/log collector in between to distinguish all that for you?

Example: I have an on-prem Windows server. Will I be able to make a distinction between logon information and perhaps DNS data?
3 Replies

Looking at the documents, it looks like basic logs will apply at a table level, and only certain types of tables are supported.

https://docs.microsoft.com/en-us/azure/azure-monitor/logs/basic-logs-configure?tabs=api-1%2Cportal-1

Looking at the types of tables that are supported for basic logs, it does not look like you could do this with logon info and dns data from regular windows servers, unless you somehow use a REST API client with the Data Collection Rule (DCR)-based custom logs API.

@Jonhed 

Ah yes, interesting. But if you have a log aggregator in the middle like a Logstash or fluentd, can you convert them to custom logs and send all that info to basic logs? Of course this means you have to be very well aware of your own generated logs.

That might indeed be possible.

However, you would need to use the Data Collection Rule (DCR)-based custom logs API.
The current data connector for logstash does not use the above API, but instead uses the HTTP Data Collector REST API, so you would need to migrate to the required API or not use the data connector at all.
https://docs.microsoft.com/en-us/azure/sentinel/connect-logstash
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-migrate

I do not have any experience here so cannot give a definite answer unfortunately.
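To illustrate the approach discussed in this thread (an aggregator in the middle routing security-relevant Windows events to one custom table and verbose data such as DNS to another, each table set to the Analytics or Basic plan on the workspace side), here is an added example that is not from the thread or from Microsoft's connectors. It assumes a data collection endpoint, a DCR whose dataFlows map the two streams `Custom-SecurityEvents_CL` and `Custom-DnsVerbose_CL` to tables of the same name, a bearer token already obtained for the Azure Monitor scope, and the `2021-11-01-preview` API version of the DCR-based Logs Ingestion API; stream names, event IDs and sample records are constructed for the example.

```python
"""Route Windows events to Analytics- vs Basic-plan custom tables via the DCR-based Logs Ingestion API."""
import json
import urllib.request

# Constructed sample events, shaped roughly like what a Logstash/fluentd pipeline would hand over.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2022-03-10T14:00:00Z", "EventID": 4624, "Computer": "srv01", "Account": "alice"},
    {"TimeGenerated": "2022-03-10T14:00:01Z", "EventID": 4625, "Computer": "srv01", "Account": "bob"},
    {"TimeGenerated": "2022-03-10T14:00:02Z", "Source": "DNS", "Query": "example.com", "Computer": "srv01"},
    {"TimeGenerated": "2022-03-10T14:00:03Z", "Source": "DNS", "Query": "update.example.net", "Computer": "srv01"},
]

# Logon / account-management event IDs that should land in the Analytics-plan table (assumed set).
ANALYTICS_EVENT_IDS = {4624, 4625, 4672, 4720, 4740}

# Stream names are assumed; the DCR's dataFlows decide which table each stream feeds,
# and the table's plan (Analytics or Basic) is configured on the Log Analytics workspace.
ANALYTICS_STREAM = "Custom-SecurityEvents_CL"
BASIC_STREAM = "Custom-DnsVerbose_CL"


def route_event(event):
    """Return the DCR stream an event belongs to: security events to the Analytics stream, the rest to Basic."""
    if event.get("EventID") in ANALYTICS_EVENT_IDS:
        return ANALYTICS_STREAM
    return BASIC_STREAM


def batch_by_stream(events):
    """Group events into one batch per stream so each stream gets a single POST."""
    batches = {}
    for ev in events:
        batches.setdefault(route_event(ev), []).append(ev)
    return batches


def ingestion_url(dce_endpoint, dcr_immutable_id, stream_name):
    """Build the Logs Ingestion API URL (api-version is an assumption for the preview API)."""
    return (f"{dce_endpoint}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version=2021-11-01-preview")


def upload(dce_endpoint, dcr_immutable_id, bearer_token, events):
    """POST each batch to its stream; returns the HTTP status per stream. Network call, not exercised offline."""
    statuses = {}
    for stream, batch in batch_by_stream(events).items():
        req = urllib.request.Request(
            ingestion_url(dce_endpoint, dcr_immutable_id, stream),
            data=json.dumps(batch).encode("utf-8"), method="POST",
            headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # 204 No Content signals acceptance
            statuses[stream] = resp.status
    return statuses
```

The point of `route_event` is that the aggregator, not the agent, decides which table (and therefore which plan) an event reaches, which is exactly why you need to know your own log shapes well before sending anything to a Basic table.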