Collect Windows Admin Center Event Logs Into #Azure Log Analytics @ServerMgmt

Introduction

Windows Admin Center (WAC) is a flexible, locally-deployed, browser-based management platform and solution. It contains core tools for troubleshooting, configuration, management and maintenance for Windows Server, Windows Client, Software-Defined Storage (SDS), Software-Defined Network (SDN), Microsoft Hyper-V Server, and more.

Microsoft announced several Azure integration services with Windows Admin Center, such as Azure Backup, Azure File Sync, Azure Network Adapter, Azure Site Recovery and more. Please check the following document for the complete list of Azure integration services.

In this blog post, I will show you how to collect the events that Windows Admin Center produces into Azure Log Analytics workspace.

Prerequisites

The prerequisites are very simple as follows:

  1. Make sure you are running Windows Admin Center (WAC) Version 1809.5 or later.
  2. Create Azure Log Analytics workspace. Please check the following article to see how to create a Log Analytics workspace in Azure.
  3. Install the Microsoft Monitoring Agent on Windows Admin Center.
  4. Collect Windows Admin Center event logs.

Once Windows Admin Center is deployed in your environment, you are ready to start.

Install Microsoft Monitoring Agent on Windows Admin Center

Before installing the Microsoft Monitoring Agent for Windows, you need to get the workspace ID and key for your Log Analytics workspace. This information is required by the setup wizard to properly configure the agent and ensure it can successfully communicate with Log Analytics.

  1. Open the Azure portal, click All services found in the upper left-hand corner. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics.
  2. In your list of Log Analytics workspaces, select the workspace that you created earlier. Select Advanced settings.
  3. Select Connected Sources, and then select Windows Servers. Copy the values of Workspace ID and Primary Key as shown in the following screenshot; you will use them in the next step. In this example, I don’t have any Windows computer connected yet.

Within the same blade, click Download Windows Agent (64 bit).

  1. Run the MMASetup-AMD64.exe setup to install the agent on the Windows Admin Center computer.
  2. On the Welcome page, click Next. On the License Terms page, read the license and then click I Agree.
  3. On the Destination Folder page, you can change or keep the default installation folder and then click Next.
  4. On the Agent Setup Options page, choose to Connect the agent to Azure Log Analytics and then click Next.
  5. On the Azure Log Analytics page, paste the Workspace ID and Workspace Key (Primary Key) that you copied from the previous step. If the computer should report to a Log Analytics workspace in Azure Government cloud, select Azure US Government from the Azure Cloud drop-down list. In this example, we are using Azure Commercial.
  6. If the computer needs to communicate through a proxy server to the Log Analytics service, click Advanced and provide the URL and port number of the proxy server. If your proxy server requires authentication, type the username and password to authenticate with the proxy server and then click Next.
  7. On the Ready to Install page, review your selections and then click Install.
  8. On the Microsoft Monitoring Agent configuration completed successfully page, click Finish.
  9. Once completed, the Microsoft Monitoring Agent appears in Control Panel. You can verify that the agent is connected to Log Analytics. When connected, on the Azure Log Analytics tab, the agent displays a message stating: The Microsoft Monitoring Agent has successfully connected to the Microsoft Log Analytics service as shown in the following screenshot.

Collect Windows Admin Center Events

Now that you have Windows Admin Center registered to Microsoft Azure and connected to Azure Log Analytics, you are ready to collect events from Windows Admin Center. To do so, please follow the steps below:

  1. Open the Azure Portal and browse to Log Analytics workspace, select your workspace > Advanced settings > Data > Windows Event Logs.
  2. Add the Microsoft-ServerManagementExperience channel as shown in the following screenshot.
  3. Click Save at the top of the page to save the configuration.
  4. Once the configuration is successfully saved, click OK.
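
The same setup can be checked from the Windows Admin Center computer itself before looking for data in the workspace. The script below is an added example, not part of the original post; it assumes an elevated PowerShell session on the WAC computer and that the agent is the Microsoft Monitoring Agent installed above (service name HealthService, COM object AgentConfigManager.MgmtSvcCfg).

```powershell
# Added example: run in an elevated PowerShell session on the WAC computer.
$channel = 'Microsoft-ServerManagementExperience'   # channel name used in this article

# 1. The Microsoft Monitoring Agent runs as the HealthService Windows service.
$svc = Get-Service -Name HealthService -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Write-Warning "HealthService is $($svc.Status); no events will be uploaded."
}

# 2. Ask the agent which workspace(s) it reports to and the connection state.
#    AgentConfigManager.MgmtSvcCfg is the COM object installed with the agent.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.GetCloudWorkspaces() | Format-List

# 3. Confirm the channel exists locally and is enabled. If it is missing,
#    adding it in the workspace collects nothing from this computer.
try {
    $log = Get-WinEvent -ListLog $channel -ErrorAction Stop
    $log | Format-List LogName, IsEnabled, LogMode, RecordCount, MaximumSizeInBytes
} catch {
    Write-Warning "Channel '$channel' not found: $($_.Exception.Message)"
    return
}

# 4. Summarise the last 3 days by level and event ID so the counts can be
#    compared with what the workspace returns. An empty result is not an error.
$since  = (Get-Date).AddDays(-3)
$events = Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } `
              -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No events in '$channel' since $since."
} else {
    $events |
        Group-Object -Property LevelDisplayName, Id |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}
```

If the local counts are non-zero but the workspace stays empty for this channel, check the agent connection state from step 2 and the channel name saved in the workspace.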

View Windows Admin Center Events

Now that you have enabled data collection, let’s run a simple log search example to see some data from the Windows Admin Center computer.

  1. Open the Azure Portal, click All services. In the list of resources, type Monitor. As you begin typing, the list filters based on your input. Select Monitor.
  2. On the Monitor – Overview navigation menu, select Logs and then select the workspace that Windows Admin Center is connected to.
  3. On the Log query pane, in the query field type Event and then click Run.
  4. Collected events are returned in the default table view, and you can see how many total records were returned. This includes all event levels such as Information, Warning, and Error. You can filter any column and change the Time range.
  5. For example, the best way to get only the latest 10 error events for the last 3 days is to use where and top, which sorts the entire table on the Windows Admin Center server side and then returns the top error records as shown in the following example:
    Event
    | where (EventLevelName == "Error")
    | where (TimeGenerated > ago(3days))
    | top 10 by TimeGenerated

  6. Last but not least, you can create custom alerts to get notified when something goes wrong. For more information on how to create custom alerts, please check the following article.

That’s it, there you have it!

Summary

In this article, I showed you how to collect the events that Windows Admin Center produces into an Azure Log Analytics workspace for monitoring with Azure Monitor. You can explore the logs collected by Log Analytics by writing queries in the Kusto query language, and you can also create useful alerts. For more information on how to get started with queries in Log Analytics, please check the following article.

I hope that Microsoft will look in the future for on-premises servers that are on-boarded in Windows Admin Center so we can collect their events into Azure Log Analytics as well.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
