Microsoft Azure AZ-801 — Section 17: Monitor Windows Server by using Windows Server tools and Azure services Part 3
104. Manage event logs
Now, one of the most common and probably one of the oldest monitoring systems we've had in the Windows world is actual logs. The system Microsoft has had for so long is called Event Viewer. Event Viewer is our event log, or system log; a lot of people on other operating systems call it syslog, and it's a very similar concept. Event Viewer is where we gather our different log data, whether that's just messages letting us know something went through successfully, or error, warning or critical messages. All of that shows up inside the event log.
Let's take a look at Event Viewer here on the server. Probably the easiest way to get into it is to right-click the Start button and jump straight into Event Viewer. Once you're in, you'll find the different logs under the Windows Logs folder. If I expand that out, you can see the various logs that are available.
The first log is the Application log. This shows any application-related events that have occurred, whether it's an application installed on the computer starting, running, shutting down or not working right: errors, warnings, whatever they may be. That's your Application log, and it records all the events regarding applications.
Now, when you look at an event, there are different levels. Information messages are just standard messages that don't necessarily mean anything bad is going on. Warning messages let you know something out of the ordinary is going on. Error messages let you know something errored. Critical messages are usually a performance-related event. And then you also have audit messages, which are involved in the Security log; I'll show you that in a second. When you click on an event in the middle of the screen, it tells you a little bit about that event. You can also double-click the event to bring it to the center of the screen. You can see the log name, the source and the event ID number. Event ID numbers can be helpful because you can go out to a search engine like Google and research what the event ID involves.
For example, if I want to look at some errors, here are some. I can go out to Google or Bing and look up event 8193, and you'll probably find different entries out there of people talking about this event, how to fix it and what causes it. There's even some official material on Microsoft's website, and there have been various websites over the years dedicated to these event ID numbers. But don't be shocked if you see errors. In twenty-something years of working with Windows operating systems, I've never seen one that didn't have some errors. A lot of times it's because you have services that are starting too soon when the computer boots up. Anyway, like I said, you can double-click to see the details and toggle through the various events to discover what kind of errors, warnings and messages you've got. You can sort by level, which is what I did, or by date and time, source, event ID and so on. Let's look at some of the other logs.
The next log is the Security log, also called the audit log in Windows. Because of Group Policy, auditing is automatically turned on: your system is auditing pretty much any time your user account does anything.
So if you successfully do something with your user account, or fail to do something with it, it's going to log it. A key symbol means something you did went through successfully, and a lock symbol means something did not go through successfully, which would be something like an access denied. That's the audit log. Probably the most annoying thing about logs in general is the sheer amount of things they log, so in just a moment I'll show you how we can filter down what we're looking at.
Then you have the Setup log. The Setup log is for anything you're installing, so if you're installing some piece of software, or even updates and things like that, that's what the Setup log is going to record.
Then you've got the System log, which is pretty much everything else. Anything and everything involving your operating system is logged here: things starting up, things shutting down, things throwing warnings or error messages. All of that shows up in the System log.
Now, the other thing about logs is that if you right-click a log and go to Properties, you can decide where the log file is stored. You can also set the maximum log size and what to do when the log maxes out. The first option is "Overwrite events as needed (oldest events first)": if the log fills up, it starts overwriting the oldest events. Then there's "Archive the log when full, do not overwrite events", which means it won't overwrite anything; it adds a number after the log name and keeps creating new log files over time. And then there's "Do not overwrite events (Clear logs manually)".
At that point it just stops logging and you have to manually clear the log. As you can see, though, the default is to overwrite events as needed. And this next one here is called Forwarded Events.
Now, Forwarded Events is related to something called subscriptions. Forwarded events allow you to subscribe to the logs from another machine. If I go down here and click on Subscriptions, you'll see that I have to turn on a service called the Windows Event Collector service.
So I'll click Yes to that. Now let's say I wanted to gather logs from my domain controller. I'm sitting at NYC-SVR1 right now; let's say I want to grab events from NYC-DC1. I can right-click and say Create Subscription, give it a name (I'll call it NYC-DC1 events), and then there are two options: collector initiated or source initiated. The collector is the computer that is collecting the logs; in this case my machine, NYC-SVR1, is the collector. I want to collect logs from the DC, so the DC is called the source computer.
Any device generating the events you're trying to collect is called the source computer, and the device receiving and collecting the events is the collector. As for the two options: collector initiated means this machine goes out and gets the events; source initiated means the other computer sends you the events. I'm going to do collector initiated, click Select Computers, then Add Domain Computers, and enter NYC-DC1. Then I'll run a test, and it says connectivity is working. You do have to make sure WinRM is running on the other computer for this to work, which it is on mine. If you're worried it's not, go over to that computer, open a command prompt and run winrm quickconfig, which makes sure WinRM is enabled. But it's already enabled on that other computer.
Now I can select the events I want: let's say critical, error and warning messages. I can choose which logs to monitor and adjust any of the other settings here. So I've selected the events I wanted (critical, error and warning), selected my computer and clicked OK, and then OK again on the subscription. And there you go: it will now start collecting events, and they'll show up in the Forwarded Events log. I will warn you that sometimes this can take 15 to 30 minutes before it takes effect, so whenever you enable this, be aware it's not going to instantly start populating.
The other thing I want to show you is filtering. Again, the annoying thing about logs is the sheer amount of stuff they grab, so you can create a filter over here on the current log. One thing I don't like about creating a filter here is that it's temporary. If I want a filter that's always going to be there for me, I can do that under Custom Views.
So if I come up to Custom Views, I can right-click and say Create Custom View. I'll pick critical, error and warning, and say show me all the logs. I could also base it on event ID numbers, users or computers; there are various things I could do here. Then I click OK and name it "Important events". Now it's going to grab all the error, warning and critical messages for all my logs. I can close Event Viewer and reopen it, and that custom view is still available. So it's the same thing as doing a filter; the good thing about a custom view is that it's always available. Hopefully that gives you a good understanding now of how Event Viewer works, on pretty much not just Server but all versions of Windows.
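The same tasks from this lesson (the "Important events" custom view, the audit-failure "lock" events, the log retention settings and the subscription checks), done from PowerShell instead of the console. This is an added example, not code from the course; it assumes an elevated prompt on the collector NYC-SVR1 and the subscription name "NYC-DC1 events" used in the video.

```powershell
# Added example (not from the course): Event Viewer tasks from PowerShell on the collector.

# 1. The "Important events" custom view: Critical (1), Error (2) and Warning (3)
#    from the Application and System logs over the last 24 hours. This hashtable is
#    the same query the Filter Current Log / Create Custom View dialogs build.
$important = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application', 'System'
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue     # SilentlyContinue: "no events found" is not an error here

$important |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LogName, LevelDisplayName, Id, ProviderName -First 20 |
    Format-Table -AutoSize

# 2. Security log: the "lock" icon events are Audit Failure (keyword 0x10000000000000);
#    the "key" icon events are Audit Success (0x20000000000000).
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = 0x10000000000000
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$failures | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10     # which audit-failure event IDs dominate

# 3. Retention: what the Properties dialog shows. LogMode Circular = overwrite as needed,
#    AutoBackup = archive when full, Retain = do not overwrite (clear manually).
Get-WinEvent -ListLog Application, Security, Setup, System |
    Select-Object LogName, LogMode, IsEnabled,
        @{ Name = 'MaxMB'; Expression = { [math]::Round($_.MaximumSizeInBytes / 1MB) } }

# Equivalent of setting the Security log to 1 GB and "Archive the log when full"
# (wevtutil requires /rt:true whenever /ab:true):
#   wevtutil sl Security /ms:1073741824 /rt:true /ab:true

# 4. Subscriptions: the pieces behind the Forwarded Events log.
#   On the source (NYC-DC1):      winrm quickconfig
#   On the collector (this box):  wecutil qc          # enables Windows Event Collector
#   Runtime status of the subscription from the video (empty for the first 15-30 min):
#   wecutil gr "NYC-DC1 events"
```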
105. Deploy Log Analytics agents
I’d like to show you now how we can send log information from a server into Azure.
To do that, we're going to need what's called a Log Analytics workspace. So here we are on portal.azure.com. I'm going to click the menu button and go to All services. Once I'm in All services, I'm going to search under Filter services for the keyword "log analytics".
That narrows it down to Log Analytics workspaces. We'll click on that and go in, and from there we can create a Log Analytics workspace.
One thing I will warn you about: this does use some storage in Azure. It's not super expensive, but you might want to check the Azure pricing calculator to determine what the cost is going to be.
So here I've clicked to create a Log Analytics workspace. I'm going to create a resource group; I'll call it log data RG (RG for resource group). Then I give the workspace a name; I'll call it my log analytics workspace. It's verifying that the name is OK, which it is. I'm going to do this in East US. I'll click through to review and create; it validates, and I click Create. As usual, I'll pause the recording while we're waiting on this to get created. Once it's deployed, I'll click Go to resource, which brings me into the Log Analytics workspace. Then I'm going to click on Agents management.
Now, right here under Log Analytics agent instructions, I'm going to download the Windows agent, the 64-bit one.
So we'll click that, and as you can see, it's downloading. As soon as that's done, I'm going to execute it and install it on our server. As you can probably imagine, the point of the agent is to have some software that creates a connection between your on-premises server and Azure. The things you need to be aware of are right here: the workspace ID, the primary key and a secondary key. The primary key is really what we care about here. We're just letting that download finish.
Now I'm going to execute it, so I just clicked Open file. It's preparing to install, and here's the little wizard. We'll click Next, agree to the terms and take the default installation folder. Then it asks if I want to connect the agent to Azure Log Analytics: that connects the agent to the Microsoft Azure Log Analytics service and lets you choose the workspace and register the agent.
The next option is to connect the agent to System Center Operations Manager. I don't have System Center Operations Manager, which is a System Center product you'd have to buy and install, so we don't select that, and we click Next. This is where I plug in the information: we'll go back to the portal, copy the workspace ID and paste it in, then copy our key and paste that in. We're doing Azure Commercial. We click Next. I don't want to do updates because this is just a lab environment. Then we install the monitoring agent, and I'll let that get installed. And that's it: we've now got the agent installed on our server. It does take some time for all of this to populate. You can refresh your web browser, but the agent is now officially installed on our server. Like I said, I'm refreshing my browser, and as always with Azure, you've got to give it a little bit of time. Oh, there it goes; it actually happened pretty quickly today. Sometimes it can take 15 or 20 minutes before the server will actually start showing up as connected.
Just be aware of that if and when you're doing this: don't try to rush things, because it definitely does take some time. The only other thing I'll mention is that you'll see the Microsoft Monitoring Agent listed as installed; that's just a confirmation that this has been set up. And that's what I wanted to show you in this video: how to get the workspace set up, how to get the agent and how to get it installed.
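The same install without the wizard, plus the checks you would run before waiting on the portal to show the server as connected. This is an added example, not code from the course or from Microsoft; it assumes the downloaded MMASetup-AMD64.exe sits in C:\Temp, and the workspace ID and key values are placeholders you take from Agents management in the portal (the agent parameter names and the AgentConfigManager COM object are Microsoft's documented ones).

```powershell
# Added example (not from the course): silent Log Analytics agent install and connection checks.
# Placeholders: take both values from the workspace's Agents management page.
$workspaceId  = '<WORKSPACE-ID>'
$workspaceKey = '<WORKSPACE-PRIMARY-KEY>'   # a secret: read it from a vault, never commit it

# 1. Silent install with the same choices the wizard offered: connect to Azure Log Analytics,
#    commercial cloud (AZURE_CLOUD_TYPE=0; 1 is Azure Government), no Operations Manager.
$installer = 'C:\Temp\MMASetup-AMD64.exe'
$setupArgs = "/C:`"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 " +
             "OPINSIGHTS_WORKSPACE_ID=$workspaceId OPINSIGHTS_WORKSPACE_KEY=$workspaceKey " +
             "AcceptEndUserLicenseAgreement=1`""
$proc = Start-Process -FilePath $installer -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Agent install failed with exit code $($proc.ExitCode)" }

# 2. The agent runs as the HealthService Windows service ("Microsoft Monitoring Agent").
Get-Service HealthService | Select-Object Name, Status, StartType

# 3. Ask the agent which workspace it is joined to and whether it has connected yet.
#    Same information as Control Panel > Microsoft Monitoring Agent > Azure Log Analytics.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.GetCloudWorkspaces() |
    Select-Object workspaceId, ConnectionStatus, ConnectionStatusText

# 4. The agent needs outbound TCP 443 to the workspace endpoints; a quick check of the
#    data-ingestion (ODS) endpoint, which is named after the workspace ID.
Test-NetConnection -ComputerName "$workspaceId.ods.opinsights.azure.com" -Port 443 |
    Select-Object ComputerName, TcpTestSucceeded

# 5. Once the portal shows the server as connected, confirm from the workspace side with
#    this KQL in Logs; the Heartbeat table is the simplest place to see the server report in.
#   Heartbeat
#   | where Computer == "NYC-SVR1"
#   | summarize LastSeen = max(TimeGenerated) by Computer, OSType
```

Microsoft has since retired the Log Analytics agent in favor of the Azure Monitor Agent, so treat the installer parameters above as specific to the agent shown in this video.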