Collect Windows Event Logs using Log Analytics and Intune

If you’re in a situation where you want to bulk collect logs from Windows Event Viewer, then you’ve come to the right blog! Today we’ll be going over the steps to enable and collect Windows logs using Log Analytics. Let’s get started.

Set up Log Analytics to collect Windows Event logs

First, we’ll need to have a Log Analytics workspace set up in the Azure Portal. I’m using an existing instance, but you can also create one by clicking + Create in the Log Analytics workspaces pane:

Log Analytics workspace

Once you have your workspace open, click on Advanced settings (under Settings):

Advanced settings

Under Advanced settings, select Data > Windows Event Logs. Here you can search for Event Logs you’d like to capture:

Selecting PowerShell Event Logs

Once you’ve selected the event logs you want to capture, click Save (above Data) and Log Analytics is prepared to start capturing that data!

But wait – if this is your first time in Log Analytics, you may not have any data sources configured! Before we can start collecting data, we need to deploy an Agent to the Windows computers that we want to collect data from. You can find the agent and relevant keys under Agents management in the Log Analytics workspace:

Agents management pane

Now, you could manually install the agent using the download and keys, but you could also deploy the Agent via Intune.

Deploy Log Analytics Agent Using Intune

First, download the agent from the Agents management pane. Create an empty folder and extract the agent by using the cmd MMASetup-<platform>.exe /c

Extract Agent into empty folder
Extract Log Analytics agent contents

Since the agent setup file is an .exe file, we’ll need to wrap it into a .intunewin file. Download the Win32 Content Prep Tool from Github by clicking Download ZIP:

Win32 Content Prep Tool

Unzip the folder, and then select Open PowerShell as Admin from the file explorer menu:

Open PowerShell in extracted folder

Type .\IntuneWinAppUtil.exe and press enter. It will guide you into specifying the source folder (the folder we extracted the MMASetup.exe into), the setup.exe, and output folder, which will provide us with the .intunewin file:

Wrapping setup.exe

Perfect. Now we can upload the app, by going to the Microsoft Endpoint Manager admin center and select Apps > All apps > + Add > Windows app (Win32):

Upload .intunewin file

In App information, select the .intunewin file:

Selecting .intunewin file

Put in Microsoft as the publisher and then click Next.

In Program, use the following for the install command:

setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID="<your workspace ID>" OPINSIGHTS_WORKSPACE_KEY="<your workspace key>" AcceptEndUserLicenseAgreement=1

Type setup.exe /uninstall for the uninstall command, and then click Next.

Program settings

Select 64-bit and a recent Windows 10 version for Minimum operating system:

Requirements

For the detection rules, select Manually configure detection rules and then the following options:

  • File
  • C:\Program Files\Microsoft Monitoring Agent\
  • Agent
  • File or folder exists
  • Associated with a 32-bit app on 64-bit clients: No
Detection Rules

Then assign the app to your users, and click Create!

Create Win32 app

Once the setup.exe finished uploading to Intune, it will be deployed to your assigned users and you will be able to see the collected event logs in the Log Analytics portal.

Verify Log Analytics is deployed and collecting Windows Event logs

End Users will be notified of the installation in Windows:

Agent installation notifications

And they can also double check the configuration, by going to Control Panel > Microsoft Monitoring Agent > Azure Log Analytics (OMS) tab:

Successful Log Analytics agent installation

And now in the Log Analytics portal, we can see under Agents management that one Windows device is connected:

Log Analytics agents management

Under General, in the Log Analytics workspace, click Logs. Here you will be prompted to type in a query. The easiest, to verify that it is working, is just to type “Event” and click Run:

Event query

Remember, events will only be captured AFTER the agent was installed. And to learn more about different queries and the query language, here’s a link to the Docs article.

That’s all the configuration and testing required – you now have Log Analytics successfully running and collecting Windows events. Happy logging! 🌲

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *