Why do I need logs?
The purpose of this guide is to set up collection of Windows event logs from Intune-managed devices. By default, the diagnostic settings you enable for Intune only send Intune's own audit and operational data to Log Analytics; they tell you nothing about what is happening on the devices themselves. With the approach below you can collect any event log you want from all of your machines. There is a companion video for this setup: https://youtu.be/Uw3GjMnSXbI.
Enabling Log Analytics
- Navigate to endpoint.microsoft.com
- Select Reports
- Select Diagnostic Settings
- Select Add Diagnostic setting
- Select all options under Log
- Select Send to Log Analytics workspace
- Select a Log Analytics workspace
- You can archive to a storage account to keep data longer
Now that the Log Analytics workspace is configured, we can configure the data sources for the Microsoft Monitoring Agent (MMA) and package the agent for deployment.
Configuring the Microsoft Monitoring Agent
- Navigate to portal.azure.com
- Navigate to your log analytics workspace
- Select Advanced Settings
- Select Data
You can now add any event log you wish to collect. Begin typing the name of a log and it should auto-populate. If the log you want does not appear, type the full channel name exactly as Event Viewer shows it (for example Microsoft-Windows-TaskScheduler/Operational) and it will be added. I've included an example of a few logs below. Please bear in mind that if a channel is not enabled by default on the client you will still need to enable it separately; the agent only forwards events that Windows actually writes.
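As an added example that is not part of the original post, the following PowerShell enables channels that are off by default on Windows clients so the data sources you added above actually produce events. The three channel names are illustrative picks (substitute the channels you added under Data), and the 64 MB size is an assumption. Run it elevated on the endpoint, for instance as an Intune PowerShell script.

```powershell
# Added example (not from the original post). Enables disabled event log
# channels so the Log Analytics agent has something to collect.
# Run elevated. Channel names are illustrative; use the ones you added
# under Advanced settings > Data > Windows Event Logs, spelled identically.
$channels = @(
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-PrintService/Operational',
    'Microsoft-Windows-DNS-Client/Operational'
)

foreach ($name in $channels) {
    # Get-WinEvent -ListLog returns an EventLogConfiguration object whose
    # IsEnabled / MaximumSizeInBytes properties can be changed and saved.
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$name' does not exist on this host; check the name with: Get-WinEvent -ListLog *"
        continue
    }
    if ($log.IsEnabled) {
        Write-Output "$name already enabled (max size $($log.MaximumSizeInBytes) bytes)"
        continue
    }
    # Equivalent to: wevtutil sl "$name" /e:true
    $log.IsEnabled = $true
    # Assumption: 64 MB retention so a busy channel is not overwritten
    # before the agent has uploaded it.
    $log.MaximumSizeInBytes = 64MB
    $log.SaveChanges()
    Write-Output "Enabled $name"
}

# Read back the final state for the deployment log.
Get-WinEvent -ListLog $channels -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, MaximumSizeInBytes
```

The channel name you enter in the Log Analytics data source must match the LogName shown here exactly; a channel that is present but disabled yields no rows in the Event table even though the data source looks correctly configured.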

- Navigate back to your log analytics workspace
- Select Agents management
- Copy down the Workspace ID and Primary Key
- Select Download Windows Agent (64bit)
- Create a folder and put the MMA-Setup-AMD64.exe inside of it
- Open a command prompt in the folder containing MMA-Setup-AMD64.exe and run MMA-Setup-AMD64.exe /C (the /C switch extracts the installer contents instead of installing)
- Extract the contents to your desired folder
- Download the Intune Win32 Content Prep Tool from GitHub (Github-IntuneContentPrep)
- Extract and run the IntuneWinAppUtil.exe
- Specify the source folder (the folder you extracted the installer contents into)
- Specify the setup file (the extracted Setup.exe, not the original MMA-Setup-AMD64.exe)
- Specify an output folder
Creating the MMA app deployment
- Navigate to endpoint.microsoft.com
- Select Apps
- Select Windows
- Select Add
- Select Windows app (Win32)
- Select the app package from the output folder you created in the previous steps
- Change the following
- Name : Microsoft Monitoring Agent
- Publisher: Microsoft
- Logo: Add any logo you’d like
- Select Next
- Set the install command to:
setup.exe /qn NOAPM=0 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID="WORKSPACEID" OPINSIGHTS_WORKSPACE_KEY="KEYSAVED" AcceptEndUserLicenseAgreement=1
- Change WORKSPACEID and KEYSAVED to the Workspace ID and Primary Key you recorded earlier (NOAPM=0 also installs the .NET APM component; use NOAPM=1 if you only want log collection)
- Note that the Primary Key is a shared secret that lets any host send data into the workspace, and it sits in clear text in this command for anyone who can read the app in Intune; treat it accordingly and regenerate it from Agents management if it leaks
- Set the uninstall command to the silent uninstall string from the Microsoft docs rather than repeating the install string:
%WinDir%\System32\msiexec.exe /x MOMAgent.msi /qb
- Select Next
- Add your Requirements
- Select Next
- Manually configure a detection rule
- Select Add
- Select Registry
- Key path (without the Computer\ prefix that Registry Editor shows in its address bar):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\AOI-#YOURWORKSPACEID
- Change the #YourWorkspaceID section to the Workspace ID you recorded earlier (the agent creates one AOI-<workspace id> management group for each workspace it is connected to)
- Detection method: Key exists
- Select Ok
- Select Next
- Select Next
- Add Assignments
- Select Next
- Select Create
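As an added example that is not part of the original post, this PowerShell script checks on an endpoint whether the deployment did what the detection rule expects and whether the agent is actually bound to, and talking to, the workspace. It assumes the agent's documented AgentConfigManager.MgmtSvcCfg COM interface, the standard Intune Management Extension log location, and that the app's display name appears in that log (the search pattern is an assumption). Run it elevated with the Workspace ID you recorded earlier.

```powershell
# Added example (not from the original post). Verifies an MMA deployment
# from the client side. Run elevated:  .\Test-MmaDeployment.ps1 -WorkspaceId <id>
param(
    [Parameter(Mandatory)] [string] $WorkspaceId
)

# 1. The registry key the Intune detection rule looks for. MMA creates one
#    management group named AOI-<workspace id> per connected workspace.
$detectionKey = "HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\AOI-$WorkspaceId"
$keyPresent = Test-Path -LiteralPath $detectionKey
Write-Output ("Detection key present: {0}" -f $keyPresent)

# 2. The agent service itself (Microsoft Monitoring Agent runs as HealthService).
$svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
$svcStatus = if ($svc) { $svc.Status } else { 'not installed' }
Write-Output ("HealthService: {0}" -f $svcStatus)

# 3. What the agent believes it is connected to, via its own COM interface.
#    ConnectionStatus 0 means connected; the text property explains other values.
try {
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $workspaces = @($mma.GetCloudWorkspaces())
    if ($workspaces.Count -eq 0) {
        Write-Warning 'Agent installed but no Log Analytics workspace configured (install command arguments likely wrong)'
    }
    foreach ($ws in $workspaces) {
        Write-Output ("Workspace {0}: {1} ({2})" -f $ws.workspaceId, $ws.ConnectionStatusText, $ws.ConnectionStatus)
        if ($ws.workspaceId -ne $WorkspaceId) {
            Write-Warning 'Agent is bound to a different workspace than the one passed in'
        }
    }
}
catch {
    Write-Warning "MMA COM interface not available, agent probably not installed: $($_.Exception.Message)"
}

# 4. If the install never completed, the Intune Management Extension log is the
#    place to look. Assumption: the app display name used in Intune appears there.
$imeLog = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
if (Test-Path -LiteralPath $imeLog) {
    Select-String -Path $imeLog -Pattern 'Microsoft Monitoring Agent' |
        Select-Object -Last 5 -ExpandProperty Line
}
```

A present detection key with a service that is not running, or a workspace whose ConnectionStatus is non-zero, explains the common case of "Intune says installed, but no heartbeat": the detection rule only proves the management group was written, not that the agent can reach the workspace.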
Checking the logs
Once a client has received and installed the agent, it should appear in the Heartbeat table in Log Analytics almost immediately (the agent sends a heartbeat about once a minute). I'll show two quick queries we can run as an example.
- Navigate to portal.azure.com
- Navigate to your log analytics workspace
- Select Logs
- In the query section type the following and select Run:
Event
| where TimeGenerated > ago(24h)
| top 10 by TimeGenerated desc
This returns the 10 most recent events collected in the last 24 hours; we limit the result for testing purposes (a bare limit 10 would return 10 arbitrary rows rather than the latest ones). Next we will look at querying a specific log and showing only the columns we are interested in.
Event
| where TimeGenerated > ago(24h)
| where EventLog == "System"
| project TimeGenerated, EventLog, EventLevelName, EventID, RenderedDescription, Computer
| order by TimeGenerated desc
At this point you have everything configured and are only limited to your querying knowledge!
10 Comments on “Collecting Logs with Log Analytics for Intune devices”
Great video on Intune training. I must be missing something in the syntax of the install command. Won’t install on the client but also not giving error.
Is the app showing up at all? You’d be able to go to control panel and the Microsoft Monitoring Agent would show up. The rest of the install string just adds your tenant info on where to report data.
What did you do to fix the issue? It will not complete the install for me.
nvm I figured it out. Thanks!!!!
The blog post was also updated as there was an error, need to extract the MMASetup and then package 🙂 Sorry for the confusion.
I follow these steps and the workspace doesn’t show for the endpoint setup for reports, diagnostics settings. It doesn’t show the subscription or the resource at all.
I was able to fix this due to a setting change in the profile, but the next hurdle is getting the agent to install. I get the notification that it’s being installed then it fails or just says “the unmonitored process is in progress” but never completes. I tried looking in the endpoint logs on the device but doesn’t give any error information. Is this an issue with the devices already being enrolled with Intune Endpoint mgt or the Intune company portal?
Excellent walkthrough. I'd like to make one suggestion: use the suggested silent uninstall string rather than just repasting the install string for the Intune app deployment.
%WinDir%\System32\msiexec.exe /x MOMAgent.msi /qb
Source: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-manage#uninstall-from-the-command-line
Hi guys,
Deployment on MMA on my test-tenant device failed with this message : The system cannot find the file specified. (0x80070002)
Have you any idea ?
Thanks,
Fab
The advanced settings under log analytics to enable event logs to be collected has been removed and is now under agent configuration I believe.