Collect Windows Event Logs using Log Analytics and Intune

If you want to collect Windows Event Viewer logs from many machines into one place, you’ve come to the right blog! This post walks through enabling Windows event collection in a Log Analytics workspace and pushing the collection agent out to your devices with Intune. (Microsoft retired that agent, the Log Analytics agent or Microsoft Monitoring Agent, on 31 August 2024 in favour of the Azure Monitor Agent; the steps below still describe how existing MMA deployments work.) Let’s get started.

Set up Log Analytics to collect Windows Event logs

First, we’ll need to have a Log Analytics workspace set up in the Azure Portal. I’m using an existing instance, but you can also create one by clicking + Create in the Log Analytics workspaces pane:

Log Analytics workspace

Once you have your workspace open, click on Advanced settings (under Settings):

Advanced settings

Under Advanced settings, select Data > Windows Event Logs. Here you can search for the event logs you’d like to capture by channel name and choose, per log, which levels (Error, Warning, Information) to collect:

Selecting PowerShell Event Logs

Once you’ve selected the event logs you want to capture, click Save (above Data). The workspace is now configured to collect those logs from every Windows agent that connects to it. Two caveats: this data source doesn’t collect the Security event log (security events are collected through Microsoft Sentinel or Defender for Cloud instead), and every selected log is pulled from every connected agent, so pick logs and levels with ingestion volume in mind.

But wait – if this is your first time in Log Analytics, you may not have any agents reporting to the workspace yet! Before any data arrives, the Log Analytics agent (also called the Microsoft Monitoring Agent, MMA) has to be installed on the Windows computers you want to collect from. You can find the agent download and the workspace ID and keys under Agents management in the Log Analytics workspace:

Agents management pane

You could install the agent by hand on each machine with that download and the workspace ID and key, but for more than a handful of devices it’s easier to deploy it with Intune.

Deploy Log Analytics Agent Using Intune

First, download the 64-bit Windows agent from the Agents management pane. Create an empty folder and extract the installer into it by running MMASetup-<platform>.exe /c (it prompts you for the target folder; add /t:<full path> to skip the prompt):

Extract Agent into empty folder
Extract Log Analytics agent contents

Since the agent setup file is an .exe file, we’ll need to wrap it into a .intunewin file. Download the Win32 Content Prep Tool from GitHub by clicking Download ZIP:

Win32 Content Prep Tool

Unzip the folder, and then select Open PowerShell as Admin from the File Explorer menu:

Open PowerShell in extracted folder

Type .\IntuneWinAppUtil.exe and press Enter. It will prompt you for the source folder (the folder we extracted MMASetup.exe into), the setup file (setup.exe) and the output folder, and then writes the .intunewin file to the output folder. The same thing without the prompts is .\IntuneWinAppUtil.exe -c <source folder> -s setup.exe -o <output folder>:

Wrapping setup.exe
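Here is the extract-and-wrap step as a script, added here as an example rather than code from the original post. It does the same two things as the prompts above (extract the self-extracting installer with /c and /t:, then wrap the folder with IntuneWinAppUtil’s -c/-s/-o switches) and, optionally, prints the install command used later in this post with your workspace ID filled in. The installer, tool and working-folder paths are hypothetical defaults; change them to match where you saved the downloads.

```powershell
# Added example, not code from the original post: package the Log Analytics agent for Intune
# from PowerShell instead of answering IntuneWinAppUtil's interactive prompts.
# Assumptions (all hypothetical paths): the downloaded installer is MMASetup-AMD64.exe in Downloads,
# IntuneWinAppUtil.exe is in the unzipped Content Prep Tool folder, and C:\IntuneWork\MMA is scratch space.
param(
    [string]$Installer   = "$env:USERPROFILE\Downloads\MMASetup-AMD64.exe",
    [string]$PrepTool    = "$env:USERPROFILE\Downloads\Microsoft-Win32-Content-Prep-Tool-master\IntuneWinAppUtil.exe",
    [string]$WorkRoot    = 'C:\IntuneWork\MMA',
    [string]$WorkspaceId = ''   # optional: print the install command for this workspace at the end
)
$ErrorActionPreference = 'Stop'

$source = Join-Path $WorkRoot 'source'
$output = Join-Path $WorkRoot 'output'
foreach ($dir in $source, $output) {
    # IntuneWinAppUtil packages the whole source folder, so start from empty folders.
    if (Test-Path $dir) { Remove-Item $dir -Recurse -Force }
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# Step 1: extract the self-extracting installer. /c extracts; /t:<path> names the target folder
# so the prompt for a folder is skipped.
$extract = Start-Process -FilePath $Installer -ArgumentList "/c /t:`"$source`"" -Wait -PassThru
if ($extract.ExitCode -ne 0) { throw "Extraction failed with exit code $($extract.ExitCode)" }
$setup = Join-Path $source 'setup.exe'
if (-not (Test-Path $setup)) { throw "setup.exe was not extracted into $source" }

# Step 2: wrap the extracted folder. -c source folder, -s setup file, -o output folder, -q quiet.
$wrap = Start-Process -FilePath $PrepTool -ArgumentList "-c `"$source`" -s `"$setup`" -o `"$output`" -q" -Wait -PassThru
if ($wrap.ExitCode -ne 0) { throw "IntuneWinAppUtil failed with exit code $($wrap.ExitCode)" }

$package = Get-ChildItem -Path $output -Filter *.intunewin | Select-Object -First 1
if (-not $package) { throw "No .intunewin file was produced in $output" }
"Created $($package.FullName) ($([math]::Round($package.Length / 1MB, 1)) MB)"

# Step 3 (optional): print the install command from the post with the workspace ID filled in.
# The workspace key is left as a placeholder on purpose: it is a shared secret that lets anyone
# holding it send data to the workspace, so paste it into the Intune app definition, not into scripts.
if ($WorkspaceId) {
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($WorkspaceId, [ref]$guid)) { throw "Workspace ID '$WorkspaceId' is not a GUID" }
    'setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 ' +
    "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`" OPINSIGHTS_WORKSPACE_KEY=`"<your workspace key>`" " +
    'AcceptEndUserLicenseAgreement=1'
}
```

Run it from an elevated PowerShell prompt (the installer’s extraction may trigger a UAC prompt). Rebuilding the package this way every time the agent download changes keeps the source folder clean, which matters because anything left in it ends up inside the .intunewin file and on every device.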

Perfect. Now we can upload the app: go to the Microsoft Endpoint Manager admin center and select Apps > All apps > + Add > Windows app (Win32):

Upload .intunewin file

In App information, select the .intunewin file:

Selecting .intunewin file

Put in Microsoft as the publisher and then click Next.

In Program, use the following for the install command, substituting the workspace ID and key from Agents management. The key is a shared secret: anyone who has it can send data to your workspace, so keep it out of screenshots and tickets, remember that it is stored in clear text in this app definition, and regenerate it from Agents management if it leaks.

setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID="<your workspace ID>" OPINSIGHTS_WORKSPACE_KEY="<your workspace key>" AcceptEndUserLicenseAgreement=1

Type setup.exe /uninstall for the uninstall command, and then click Next.

Program settings

Select 64-bit and a recent Windows 10 version for Minimum operating system:

Requirements

For the detection rules, select Manually configure detection rules and add one rule with the following options. It checks for the Agent folder the installer creates; if that folder is missing after the install command returns, Intune reports the installation as failed:

  • Rule type: File
  • Path: C:\Program Files\Microsoft Monitoring Agent\
  • File or folder: Agent
  • Detection method: File or folder exists
  • Associated with a 32-bit app on 64-bit clients: No

Detection Rules

Then assign the app to your users, and click Create!

Create Win32 app

Once the .intunewin file has finished uploading, Intune deploys the agent to the assigned users’ devices, and their events will start appearing in the Log Analytics portal.

Verify Log Analytics is deployed and collecting Windows Event logs

End users will be notified of the installation in Windows:

Agent installation notifications

They can also double-check the configuration under Control Panel > Microsoft Monitoring Agent > Azure Log Analytics (OMS) tab, which lists the workspace ID and shows whether the agent connected successfully:

Successful Log Analytics agent installation
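The same check can be scripted on the device, which is handier than the Control Panel applet when you have many machines. The script below is an added example, not code from the post: it repeats the Intune detection test and the applet’s workspace status, and adds two checks the post doesn’t make (that the agent service is actually running, and whether the install command line, key included, was written to the Intune Management Extension logs). It assumes the default install path and uses the agent-management COM object Microsoft documents for adding and removing workspaces.

```powershell
# Added example, not code from the original post: check the agent from an elevated PowerShell prompt
# on the device. Assumes the default install path and Microsoft's documented agent-management COM object.
param([string]$ExpectedWorkspaceId = '')   # the workspace ID from the install command, if you want it verified

$result = [ordered]@{}

# 1. The same test Intune's detection rule makes: the Agent folder exists under the install directory.
$result.AgentFolderPresent = Test-Path 'C:\Program Files\Microsoft Monitoring Agent\Agent'

# 2. The agent runs as the HealthService service; nothing is collected while it is stopped.
$svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
$result.HealthServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

# 3. Which workspaces the agent is configured for, and the connection state it reports for each
#    (the same information as the Azure Log Analytics (OMS) tab in Control Panel).
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$workspaces = @($mma.GetCloudWorkspaces())
$result.Workspaces = @($workspaces | ForEach-Object {
    [pscustomobject]@{ WorkspaceId = $_.workspaceId; AgentId = $_.AgentId; Status = $_.ConnectionStatusText }
})
if ($ExpectedWorkspaceId) {
    $result.ExpectedWorkspaceConfigured = [bool]($workspaces | Where-Object { $_.workspaceId -eq $ExpectedWorkspaceId })
}

# 4. Secret hygiene. The install command carries the workspace key in clear text; if the Intune
#    Management Extension wrote that command line to its logs, any local admin can read the key here.
$imeLogs = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\*.log'
$hits = @(Select-String -Path $imeLogs -Pattern 'OPINSIGHTS_WORKSPACE_KEY=' -ErrorAction SilentlyContinue)
$result.WorkspaceKeyInImeLogs = ($hits.Count -gt 0)
if ($hits.Count -gt 0) {
    $result.ImeLogFiles = @($hits | Select-Object -ExpandProperty Path -Unique)
}

[pscustomobject]$result
```

If WorkspaceKeyInImeLogs comes back true, treat the key as readable by every local administrator on that device; the key is also visible to anyone who can read the app definition in Intune. Either way it is not a key you want to reuse elsewhere, and Agents management lets you regenerate it when needed (the agent keeps working with the key it registered with).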

And now in the Log Analytics portal, we can see under Agents management that one Windows device is connected:

Log Analytics agents management

Under General in the Log Analytics workspace, click Logs. You’ll be prompted for a query (the language is KQL). The simplest check is the name of the table the agent writes Windows events to: type Event and click Run, and you should get rows back from your device:

Event query
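Below is an added example, not part of the original post, that runs the verification from PowerShell and goes a step beyond the bare Event query: a Heartbeat query to tell agent problems from event-log problems, a volume breakdown per log and device, and a detection-style query on the PowerShell Operational log. It assumes the Az.Accounts and Az.OperationalInsights modules are installed, that you have run Connect-AzAccount, and (for the third query) that Microsoft-Windows-PowerShell/Operational was among the logs you selected under Advanced settings.

```powershell
# Added example, not code from the original post: run the verification queries from PowerShell and go one
# step beyond the bare `Event` query. Assumes the Az.Accounts and Az.OperationalInsights modules are
# installed, Connect-AzAccount has been run, and Microsoft-Windows-PowerShell/Operational was one of
# the event logs selected under Advanced settings (the assumed set-up for the third query).
param(
    [Parameter(Mandatory = $true)][string]$WorkspaceId,
    [int]$Hours = 24
)
$span = New-TimeSpan -Hours $Hours

function Invoke-WorkspaceQuery([string]$Query) {
    # Returns the result rows as objects; the cmdlet takes the workspace ID (not its name) and a time span.
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query -Timespan $span).Results
}

# 1. Is each agent reporting at all? Heartbeat rows arrive as soon as the agent connects, before any
#    event is collected, so a device missing here is an agent problem, not an event-log problem.
$heartbeat = @'
Heartbeat
| summarize LastSeen = max(TimeGenerated) by Computer, OSType, Version
| order by LastSeen desc
'@
'--- Agents seen in the last {0} hours ---' -f $Hours
Invoke-WorkspaceQuery $heartbeat | Format-Table -AutoSize

# 2. Which event logs are actually arriving, and in what volume, per device. A log that is selected
#    in Advanced settings but never shows up here is either empty on the device or not being collected.
$volume = @'
Event
| summarize Events = count(), Newest = max(TimeGenerated) by Computer, EventLog
| order by Events desc
'@
'--- Event volume by log ---'
Invoke-WorkspaceQuery $volume | Format-Table -AutoSize

# 3. A detection-style query on the PowerShell log: script block logging (event ID 4104) whose text
#    contains common download-and-execute building blocks. RenderedDescription holds the event message,
#    which for 4104 includes the script block text.
$suspicious = @'
Event
| where EventLog == "Microsoft-Windows-PowerShell/Operational" and EventID == 4104
| where RenderedDescription has_any ("DownloadString", "Invoke-Expression", "IEX", "FromBase64String", "-EncodedCommand")
| project TimeGenerated, Computer, Snippet = substring(RenderedDescription, 0, 200)
| order by TimeGenerated desc
'@
'--- Suspicious script blocks ---'
Invoke-WorkspaceQuery $suspicious | Format-Table -Wrap
```

The third query only returns something useful if script block logging is turned on for the devices (PowerShell 5 logs blocks it considers suspicious even without the policy, but full coverage needs the “Turn on PowerShell Script Block Logging” setting). The order of the three queries is deliberate: check Heartbeat before Event, because an agent that never connected produces neither, and the Control Panel applet on the device will tell you why.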

Remember that the agent only forwards events written after it was installed and connected; it doesn’t upload what was already in the event log before that. To learn more about queries and the query language, here’s a link to the Docs article.

That’s all the configuration and testing required – you now have Log Analytics successfully running and collecting Windows events. Happy logging!
