Windows-itpro-docs: Where are the data collected?

Created on 24 Dec 2018 · 27 Comments · Source: MicrosoftDocs/windows-itpro-docs

It is pretty unclear and seems to be really complicated to implement. I had a look at the WMI bridge and it seems you have to deploy a Powershell script, but I don't understand where the collected data are stored. Are they stored locally or is there a place in Azure where we can get the collected logs?



All 27 comments

Would love to see an actual step-by-step configuration example for collecting and viewing the logs. The Reporting CSP page does not provide all information to get started. At least not for me. Regards

@Martony78 sorry for delay and thanks for the feedback. I'm passing along info from our engineering team. The logs are stored locally under Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB. To consolidate them, you can use Windows Event Forwarding. This blog explains how to set that up: https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/

In Azure, it looks like you can collect them in Azure Monitor: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

I'll pass along any other engineering input and try to get a blog post or docs topic to show an example.

@osari76 Thanks Oktay, you're right. We'll try to add more on this.

@Martony78 I meant to add that retrieving the logs in Intune requires a custom profile. See the Reporting CSP doc for an example: https://docs.microsoft.com/en-us/windows/client-management/mdm/reporting-csp

I'll try to get more clarity on the steps.

Great! Right now I'm collecting the EDP eventlogs with Microsoft Monitoring Agent and save them to Azure Monitor (Log Analytics) for further analysis. I know how to implement a custom device configuration profile with OMA-URI but can't get Reporting CSP working. So hope you can get more clarity on the steps :)

@osari76 I'm still trying to get the correct info but I've been told Reporting CSP will not actually retrieve data from log analytics. Sorry to steer you wrong but don't want you to waste effort.

Got any suggestions?


@R2D2components does the Log Analytics documentation help? https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview

Any update on the step-by-step documentation for how to grab logs through Reporting CSP?

@lensoft Reporting CSP won't report data from Log Analytics. But Log Analytics has its own query ability. Can you try that? https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview

Unfortunately, that's all I've been able to confirm so far.

@mypil can you start tracking this? I think we need to add this to the docs but it requires more testing and engineering input.

@officedocsbot assign @mypil

@Justinha - Sure, I can do that. Please let me know if you need me to assign someone to create the PR.

Thank you.

Hello,
Same here, I couldn't make "Reporting CSP" work; it would be great to have more details about this setup.

But I could make it work as follows:

  1. I do have a Log Workspace integrated for Device Health, Azure Audit etc.
  2. Using this, or creating a new Log Workspace, go to Advanced Settings and download Microsoft Monitoring Agent: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows
  3. In Log Analytics->Advanced Settings, go to Data, and in Windows Event Logs add the logs to use:
    Microsoft-Windows-EDP-Application-Learning/Admin
    Microsoft-Windows-EDP-Audit-TCB/Admin
  4. Install this Microsoft Monitoring Agent on my WIP device using the Workspace ID and Primary key info from "Log Analytics->Advanced Settings"
  5. Now if I remove WIP from, or add WIP protection to, a file, these actions are uploaded to my Log Analytics workspace and I can do a query (look in "Events" via Logs query)

Minus points: I found that there are no predefined dashboards/alerts for this setup and that Microsoft Monitoring Agent doesn't have an MSI for Intune.

@lightupdifire thanks for sharing these steps and suggestions for where to improve! We'll follow up with engineering for validation and review. In the meantime, would you be kind enough to submit the steps as a pull request so you can be listed as a contributor? And just to reiterate for everyone, the Reporting CSP is not supported by Intune.

@Justinha, never did that before :) but I will try, as soon as I have some time.

@Justinha - I can help assign someone to create a PR on the suggested steps that @lightupdifire provided. Would you want this right now or should we wait until there's more information from the engineering team?

@mypil No rush, it's fine for @lightupdifire to get to it whenever is convenient.

@Justinha, I'll first try deploying this Microsoft Monitoring Agent using Intune, to make sure we have the full steps.

I have a feeling that the authors of Microsoft Monitoring Agent are trying to reject use of Microsoft Monitoring Agent via Intune:
https://github.com/MicrosoftDocs/azure-docs/issues/31097

If Microsoft Monitoring Agent is not supported to run on any Windows 10 device / not supported as a product for WIP log analysis, then how else can we collect WIP logs?

@Justinha - Any updates on this?

@mypil @Justinha
Please proceed with your own resources for the pull request etc. I have too many projects and limited time, so I'd better skip the pull request from my side.
But I do confirm that by deploying Microsoft Monitoring Agent with the steps shared above, I can now see logs in Azure for:

  1. WIP log analysis
  2. WIP App Learning (possibly no need to deploy Device Health for this)

@joinimran - as discussed, please create the PR for this issue. Thank you.

@lightupdifire Can you please confirm these are the steps for collecting logs for Azure Event Monitor?

@joinimran

  1. Use an existing or create a new Log Analytics Workspace.
  2. In Log Analytics->Advanced Settings, go to Data, and in Windows Event Logs add the logs to receive:
    Microsoft-Windows-EDP-Application-Learning/Admin
    Microsoft-Windows-EDP-Audit-TCB/Admin
    (Make sure to click the Save button.)
    The event log names can be found in "Windows Events": go to the Events folder and open the Properties of the event (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).
  3. Download Microsoft Monitoring Agent: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows
  4. To get an MSI for Intune installation, as stated in the Azure Monitor article, extract it with: MMASetup-.exe /c /t:
  5. Install Microsoft Monitoring Agent on WIP devices using the Workspace ID and Primary key. The Workspace ID and Primary key info can be obtained from "Log Analytics->Advanced Settings".
  6. To deploy the MSI via Intune, in the installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1
    (Replace the ID & key with the ones received from step 5. In the installation parameters, don't place the ID & key in quotes "" or '')
  7. After the agent is deployed, data will be received within some 10 minutes.
  8. To search for logs, go to Log Analytics Workspace->Logs, and in the search box type: Event
    To filter per log, use as an example:
    Event
    | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"

And I would then add articles per step where needed, like "for more info see":

  1. How to deploy an app via Intune
  2. How to create a Log workspace
  3. How to use Microsoft Monitoring Agent for Windows

Also an extra log can be added for step 2:
Microsoft-Windows-EDP-Audit-Regular/Admin
But the data of this log can be very "frequently repeating", so it can be added as optional.
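As an added example (not from the thread, and not Microsoft's code), a PowerShell check to run on a WIP device before or after step 7: it confirms that the EDP channels named in step 2 exist, are enabled and have produced events recently, so an empty workspace can be traced to the device rather than to the agent or the Intune install parameters. It assumes an elevated session on the Windows 10 device; the function name Test-EdpAuditChannel is my own.

```powershell
# Added example, not from the thread: local sanity check of the EDP event channels
# that the Log Analytics steps above collect. Assumes an elevated PowerShell session
# on the Windows 10 WIP device. Function name is an assumption of this example.
function Test-EdpAuditChannel {
    param(
        [string[]]$Channel = @(
            'Microsoft-Windows-EDP-Audit-TCB/Admin',
            'Microsoft-Windows-EDP-Application-Learning/Admin',
            'Microsoft-Windows-EDP-Audit-Regular/Admin'   # optional, high volume
        ),
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($name in $Channel) {
        # -ListLog returns the channel configuration, or nothing if the channel is not registered
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) {
            [pscustomobject]@{ Channel = $name; State = 'Missing'; Total = 0; Recent = 0; Newest = $null }
            continue
        }
        if (-not $cfg.IsEnabled) {
            [pscustomobject]@{ Channel = $name; State = 'Disabled'; Total = $cfg.RecordCount; Recent = 0; Newest = $null }
            continue
        }
        # Get-WinEvent raises a non-terminating error when no event matches; treat that as zero
        $recent = @(Get-WinEvent -FilterHashtable @{ LogName = $name; StartTime = $since } `
                        -ErrorAction SilentlyContinue)
        $newest = $null
        if ($recent.Count -gt 0) { $newest = $recent[0].TimeCreated }   # newest first
        [pscustomobject]@{
            Channel = $name
            State   = 'Enabled'
            Total   = $cfg.RecordCount
            Recent  = $recent.Count
            Newest  = $newest
        }
    }
}

# A channel reported Missing or Disabled never reaches the workspace, whatever the agent does
Test-EdpAuditChannel | Format-Table -AutoSize
```

Run it after adding or removing WIP protection on a test file: the Recent count for the Audit-TCB channel should rise before the same event shows up in the Log Analytics "Event" table.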

Thanks, @lightupdifire, for sharing the details. I have reproduced all these steps and they are working fine. I will add these to the doc and create a PR for the same.
Thanks.

@Martony78 @lightupdifire - Thank you for submitting feedback.

From our understanding, the issue has been resolved but it may take a few days for the merged content to appear in the article. If you feel it hasn't been resolved, please re-open this issue.

Thank you for your contribution to make the docs better! Much appreciated!

It is ok you can close this issue. Thank you

@officedocsbot close
