HHCHIA-0587 asked PochecoWP commented

VM Extension Azure Diagnostics unable to stream windows event log to Event Hub with errors in Infrastructure Log in Storage Account

Hi!
I am trying to stream Windows event logs to Event Hub so that I can subscribe my SIEM to it.
Windows event logs are streaming to the Storage Account fine; I am still getting the Windows logs even though I have this issue.

I have added the Sinks clause in the public settings and also in the protected settings, and it is now throwing errors into the infrastructure log configured in the storage account used by the Azure Diagnostics VM Extension. The errors are cryptic to me; I have no clue where to check anymore.

    Account moniker must be set if passing in the EventHub namespace by name ...
    Failed to create a publisher for event WindowsEventLogsTable
    Failed to initialize real time publisher for event log event eventName=WindowsEventLogsTable query=Security!*[System[(band(Keywords,13510798882111488))]]

Tags: azure-monitor, azure-virtual-machines-extension

Hello @,
Thanks for the ask and for using the Microsoft Q&A platform.
Can you please share more info on which document you are following? Are you following this document?

Please do let me know how it goes.
Thanks
Himanshu


Yes, that is the one I followed.
I have the Sinks and EventHub configured in the public settings, and I have the event hub configured in the private settings.
The logs are streamed to the storage account, but they are not streamed to the Event Hub.
From the infrastructure logs sent to the storage account, the errors are:

    Account moniker must be set if passing in the EventHub namespace by name ...
    Failed to create a publisher for event WindowsEventLogsTable
    Failed to initialize real time publisher for event log event eventName=WindowsEventLogsTable query=Security!*[System[(band(Keywords,13510798882111488))]]

1 Answer

HHCHIA-0587 answered PochecoWP commented

The error was in the EventHub configuration. Note that the URL needs to include https://

    "EventHub": {
        "Url": "https://cccEventHub.servicebus.windows.net/siemeventhub",
        "SharedAccessKeyName": "siemEventHubSAS",
        "SharedAccessKey": "ccccccccccccccccccccccccccccccccccccccccccccc"
    }

It is correctly documented in the sample, but the description in the same article https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-stream-event-hubs was misleading:
Url of the event hub in the form <event-hubs-namespace>.servicebus.windows.net/<event-hub-name>;.

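The accepted answer turned on one detail: the "Url" in the EventHub block must be an absolute https:// URL, and the misleading doc prose (scheme-less, with a stray ";") produces the "Account moniker must be set" failure. The script below is an added example, not code from this thread or from Microsoft's documentation. It checks an extension's public and protected settings before deployment: the Url must be https://<namespace>.servicebus.windows.net/<event-hub-name>, the three fields shown in the answer ("Url", "SharedAccessKeyName", "SharedAccessKey") must be present, and the SAS key must appear only in the protected settings, which the platform encrypts, never in the public settings, which are readable in clear. The function names, the hub-name character set and the sample settings are this example's own assumptions; the key values are placeholders.

```python
"""Pre-deployment check for the Azure Diagnostics extension EventHub sink.

Added example (not from the Q&A thread or Microsoft's docs). Field names
"EventHub", "Url", "SharedAccessKeyName" and "SharedAccessKey" are the ones
shown in the accepted answer; everything else here is an assumption.
"""
import json
import re
from urllib.parse import urlsplit  # urlsplit keeps a trailing ';' in the path

SERVICEBUS_SUFFIX = ".servicebus.windows.net"
# Assumption: conservative character set for an event hub name.
HUB_NAME = re.compile(r"[A-Za-z0-9._-]+")


def check_event_hub_url(url: str) -> list:
    """Return the problems found in an EventHub sink Url (empty list = OK)."""
    problems = []
    # A scheme-less value such as "ns.servicebus.windows.net/hub" (what the
    # doc's prose suggested) would parse as a bare path; prefixing "//" makes
    # urlsplit separate host and path the same way in both cases.
    parsed = urlsplit(url if "://" in url else "//" + url)
    if parsed.scheme != "https":
        problems.append("Url must begin with https://")
    host = parsed.netloc.lower()
    if host == SERVICEBUS_SUFFIX.lstrip(".") or not host.endswith(SERVICEBUS_SUFFIX):
        problems.append("host must be <event-hubs-namespace>" + SERVICEBUS_SUFFIX)
    hub = parsed.path.strip("/")
    if not hub or not HUB_NAME.fullmatch(hub):
        problems.append("path must be exactly the event hub name "
                        "(one segment, no ';' or other punctuation)")
    return problems


def _contains_key(obj, key: str) -> bool:
    """True if `key` appears anywhere in a nested JSON-like object."""
    if isinstance(obj, dict):
        return key in obj or any(_contains_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(_contains_key(v, key) for v in obj)
    return False


def check_sink_settings(public_settings: dict, protected_settings: dict) -> list:
    """Validate the EventHub block and the placement of the SAS key."""
    problems = []
    hub = protected_settings.get("EventHub")
    if not isinstance(hub, dict):
        return ["protectedSettings is missing the EventHub block"]
    for field in ("Url", "SharedAccessKeyName", "SharedAccessKey"):
        if not hub.get(field):
            problems.append(f"EventHub.{field} is missing or empty")
    if hub.get("Url"):
        problems += ["EventHub.Url: " + p for p in check_event_hub_url(hub["Url"])]
    # The SAS key is a credential: it belongs only in protectedSettings.
    if _contains_key(public_settings, "SharedAccessKey"):
        problems.append("SharedAccessKey must not appear in the public settings")
    return problems


# Constructed sample: the shape from the accepted answer with a placeholder key.
GOOD_PROTECTED = json.loads("""
{
  "EventHub": {
    "Url": "https://cccEventHub.servicebus.windows.net/siemeventhub",
    "SharedAccessKeyName": "siemEventHubSAS",
    "SharedAccessKey": "<placeholder-sas-key>"
  }
}
""")

# Constructed sample of the mistake the thread hit: the Url copied from the
# doc's prose, with no https:// and the stray trailing ';'.
BAD_PROTECTED = json.loads("""
{
  "EventHub": {
    "Url": "cccEventHub.servicebus.windows.net/siemeventhub;",
    "SharedAccessKeyName": "siemEventHubSAS",
    "SharedAccessKey": "<placeholder-sas-key>"
  }
}
""")

# Constructed sample of a public-settings block that mistakenly repeats the
# whole EventHub section, key included.
PUBLIC_WITH_LEAKED_KEY = {"EventHub": dict(BAD_PROTECTED["EventHub"])}


if __name__ == "__main__":
    for label, pub, prot in (("good", {}, GOOD_PROTECTED),
                             ("bad", PUBLIC_WITH_LEAKED_KEY, BAD_PROTECTED)):
        found = check_sink_settings(pub, prot)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against the two settings documents you intend to pass to the extension; an empty result for the protected settings and no "SharedAccessKey" hit in the public settings is the state the accepted answer ended up in.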

Hi @HHCHIA-0587,
I was wondering if you could please share the step-by-step that you followed to achieve the successful streaming to Event Hub from the VM. I read the article, but it is not clearly explained.
I already tried to activate Diagnostic Setting on the VM (by default streamed to Storage account), but I don't know what to do now.

I'd really appreciate your help.

Kind regards.