[00:00:01] I'm actually experiencing some issues on this machine. It crashes when I click Select Computers, so I'm going to have to walk you through the rest of this. You're going to select the remote machine that you've configured, and then lastly, you can optionally filter to grab only particular logs, particular kinds of events. If you need to change the credential, that's what the Advanced button is. And at that point, you're ready to go.

[00:00:26] I've got one collector-initiated subscription already set up, and you can see its metadata here. One source computer, it's dc1, Collector Initiated, where I'm going to the Forwarded Events log. If I double-click that, it will allow us to get into the query filter. And you can see I'm just saying Any time, Event level can be, I forgot to actually select this. So let me choose, probably you're not going to want to do everything like I am here, but you get the idea. You choose the verbosity of the logging, By log or By source. You could just say show me particular event sources if you're looking at a particular service. You might want to just subscribe to occurrences of a particular event ID number or keyword. This is actually a pretty cool technology, no question about it.

[00:01:17] So from here on out, we could create some artificial traffic. Like let me do a mstsc to open up a Remote Desktop connection against dc1, and let me do some failed logons. That didn't work, so let me try another account. Okay, so that should trip off some security-related events. Now remember, in a collector-initiated subscription, this machine is periodically going to query dc1 and ask, do you have any events for me? And it looks like we haven't had a refresh in a little while here because we haven't yet seen, let's see, 1221. It looks like these are a couple of minutes stale. But these are, in fact, all coming from the security log. And you can see here that the computer that's generated these events is dc1.timw.info.

[00:02:07] The forwarded events is all well and good. But like I said in the theory part of this lesson, you really want to start thinking about centralized event log management. And we can do that if you're already in Azure by using the Log Analytics workspace. So you create one of these resources in your subscription, and you come down to Agents management. And you can onboard your local servers by installing the Windows or Linux agent on those machines, providing the workspace ID and one of the two keys. Now don't worry. I regularly regenerate my keys, so I'm not concerned about having these in plain text. But in your environment, you definitely want to make sure that you don't leak this data, all right? So that would allow you to onboard those machines.

[00:02:51] Now it seems to me that this machine I'm teaching on, I've already onboarded to Log Analytics. I can verify that by opening up Control Panel and seeing if I have, which I do, a Microsoft Monitoring Agent Control Panel. If I go to Log Analytics, I can verify that the Microsoft Monitoring Agent has successfully been configured, and I am handshaked, if that's the word, handshook, into that workspace ID. So I'm sending telemetry, remote measurement data.

[00:03:20] Now, what is that data that's going from these agents? Well, that's what Agents configuration is all about. And particularly, I want to draw your attention to these first two tabs, Windows event logs and Windows performance counters. Initially, nothing is collected, so you choose which log or logs you want, and you can remove any that you may not need anymore, as you can see here. So right now, I've cut this down to Application, System. What if I want to add Security? I can filter the event logs. Whoops, that's to filter the active list. Let me go to Add windows event log and go to Security and bring that guy in. And you can adjust the degree of verbosity that you want to see. And that would immediately, during the next update cycle, that change would immediately be honored on the basis of your agent systems. And notice that we can also do the same thing for collecting performance counters. We can add performance counters in from the list, provider list, and then we can choose our sample rate in seconds.

[00:04:27] And so this is a great way for us to leverage centralized management of not only our Windows event logs, but also Performance Monitor counters from Azure. And then if you're wondering, well, how do you report on this data? What you do is use the Kusto Query Language. If you go down to Logs, that will bring us into this query interface where we can see all of that log data surfaced as these virtual tables. Let me show you what I mean. If I go to Queries, and then if I come down to Virtual Machines, let me try to find one that's interesting here, a lot of IIS stuff. I was trying to look just for CPU stuff, CPU entries. What data is being collected? Virtual Machine free disk space. Okay, well, how about I load that into the editor?

[00:05:18] The Kusto language allows you, it's a centralized, it's a standardized, really, query language that has some similarities to Splunk, has some similarities to SQL. The idea is that you find which virtual table contains the log data that you're looking for, and then you can fine-tune those results using the pipe character along with different keywords. And so this one is looking at virtual machine available memory, and you can adjust the time range, either in the query, this is saying in the last hour, or we can adjust it up here graphically. And that's going to assume that you have data that's been aggregated. I just very recently, whoops! That's looking at a particular VM too. I just recently onboarded some machines, so I'm not surprised that it's not coming back with data.

[00:06:10] But anyway, it's worth your time and worth your while to get up to speed with KQL for your career's sake. And if you plan to take other Azure exams, it'll also be relevant there. My Pluralsight colleague, Robert Cain, has created at least two excellent Pluralsight courses on KQL, so I strongly suggest that you check those out.