1

I’m trying to enable security logs for auditing in Azure. I’ve looked at Security in the data sources from Windows machines, but that says the intelligence pack isn’t installed.

I think they may be in the Security Center. I was wondering how to save these logs to a storage account for long-term retention.

I hope this makes sense.

Norrin Rad
  • Can you be clearer on what you are trying to log? Is this security event logs from VMs or something in Azure? – Sam Cogan Nov 18 '19 at 12:28
  • @SamCogan Hi Sam, I need to audit successful and failed login attempts for Azure VMs, and save the data into a storage account for long-term retention. I thought it would be as simple as configuring data sources, but apparently not. – Norrin Rad Nov 18 '19 at 12:30

1 Answer

0

If you just need to get the security logs, then you will need to configure Log Analytics to pull in that log under the data sources section. Then you will need to onboard the required VMs into Log Analytics to get the agent installed. At this point you will see this data flow into Log Analytics.

There is, however, not an easy way to export this data from Log Analytics to storage. You would have to run a script in something like Azure Functions or Automation to do this. Example here.

Sam Cogan
  • Thanks Sam, will I need the intelligence pack installed? At the moment it comes up with the error, and when I run get-azinsightsoperationintelligencepack it says security not installed. – Norrin Rad Nov 18 '19 at 13:41
  • You need to install the Log Analytics agent. This should be done when you onboard the machine to the workspace through the portal. – Sam Cogan Nov 18 '19 at 13:42
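
The export step the answer describes (a script in Azure Automation or Functions that copies logon events from Log Analytics to a storage account) could look like the following. This is an added example, not part of the original answer or the script it linked to. It assumes the workspace's `SecurityEvent` table is already being populated, that the job runs under a managed identity with read access to the workspace and blob write access to the storage account, and that the workspace ID, storage account and container names are placeholders you replace.

```powershell
# Added example: daily export of logon events from Log Analytics to Blob storage.
# All values below are placeholders (assumptions), not taken from the original post.
$WorkspaceId    = '<log-analytics-workspace-guid>'
$StorageAccount = '<storageaccountname>'
$Container      = 'security-logon-audit'   # hypothetical container name

# Authenticate as the managed identity of the Automation account or Function app.
Connect-AzAccount -Identity | Out-Null

# Export the previous full UTC day so scheduled daily runs neither overlap nor leave gaps.
$end   = [DateTime]::UtcNow.Date
$start = $end.AddDays(-1)

# 4624 = successful logon, 4625 = failed logon (Windows Security event IDs).
$query = @"
SecurityEvent
| where TimeGenerated >= datetime($($start.ToString('o'))) and TimeGenerated < datetime($($end.ToString('o')))
| where EventID in (4624, 4625)
| project TimeGenerated, Computer, EventID, Activity, Account, LogonType, IpAddress
| order by TimeGenerated asc
"@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query -ErrorAction Stop
$rows = @($response.Results)

if ($rows.Count -eq 0) {
    Write-Output "No logon events between $start and $end (UTC); nothing exported."
    return
}

# Write the rows to a temporary CSV, then upload it under a year/month prefix.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("logons-{0:yyyy-MM-dd}.csv" -f $start)
$rows | Export-Csv -Path $tmp -NoTypeInformation -Encoding UTF8

$ctx      = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
$blobName = "{0:yyyy}/{0:MM}/logons-{0:yyyy-MM-dd}.csv" -f $start

# No -Force: a rerun does not silently overwrite a day that was already exported.
Set-AzStorageBlobContent -File $tmp -Container $Container -Blob $blobName -Context $ctx -ErrorAction Stop | Out-Null

Remove-Item $tmp
Write-Output "Exported $($rows.Count) events to $Container/$blobName"
```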