I am trying to stream Windows event logs to Event Hub so that I can subscribe my SIEM to it.
Windows event logs are streaming to the Storage Account fine; I am still getting the Windows logs even though I have this issue.
I have added the Sinks clause in the public settings and also in the protected settings, and it is now throwing errors into the infrastructure log configured in the storage account used by the Azure Diagnostics VM Extension, which are cryptic to me; I have no clue where to check anymore.
Account moniker must be set if passing in the EventHub namespace by name ...
Failed to create a publisher for event WindowsEventLogsTable
Failed to initialize real time publisher for event log event eventName=WindowsEventLogsTable query=Security!*[System[(band(Keywords,13510798882111488))]]
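For reference, this is the documented shape of the Azure Diagnostics (IaaSDiagnostics) settings with an Event Hub sink, added here as an example and not the poster's actual configuration; the namespace, hub, policy, storage account and key values are placeholders. The sink's `Url` is the full https URL of the hub (namespace plus hub name), the `sinks` attribute on `WindowsEventLog` refers to the sink by name, and the shared access key appears only in `protectedSettings` so it never lands in the public settings.

```json
{
  "publicSettings": {
    "WadCfg": {
      "DiagnosticMonitorConfiguration": {
        "overallQuotaInMB": 4096,
        "WindowsEventLog": {
          "scheduledTransferPeriod": "PT1M",
          "sinks": "SiemHub",
          "DataSource": [
            { "name": "Security!*[System[(band(Keywords,13510798882111488))]]" }
          ]
        }
      },
      "SinksConfig": {
        "Sink": [
          {
            "name": "SiemHub",
            "EventHub": {
              "Url": "https://<eventhub-namespace>.servicebus.windows.net/<eventhub-name>",
              "SharedAccessKeyName": "<send-only-policy-name>"
            }
          }
        ]
      }
    },
    "StorageAccount": "<storage-account-name>"
  },
  "protectedSettings": {
    "storageAccountName": "<storage-account-name>",
    "storageAccountKey": "<storage-account-key>",
    "storageAccountEndPoint": "https://core.windows.net",
    "EventHub": {
      "Url": "https://<eventhub-namespace>.servicebus.windows.net/<eventhub-name>",
      "SharedAccessKeyName": "<send-only-policy-name>",
      "SharedAccessKey": "<send-only-policy-key>"
    }
  }
}
```

A shared access policy with only the Send claim on the hub is sufficient for the extension, which limits what the key on the VM can do if it is exposed.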