Skip to main content
Version: 1.0.0

Task 04: Enable Security Logging

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: Security event collection
PURPOSE: Configure Data Collection Rules for security logs
MASTER REFERENCE: Microsoft Learn - DCR

Status: Active

Security logging provides visibility into security events across your Azure Local infrastructure. This step configures Data Collection Rules (DCR) to collect security events from Arc-enabled servers and send them to Log Analytics.

Azure Monitor Agent

Azure Monitor Agent (AMA) is the recommended agent for log collection, replacing the legacy Log Analytics agent (MMA). DCRs define what data to collect and where to send it.

Overview

Log TypeSourcePurpose
Windows Security EventsWindows Event LogAuthentication, authorization, policy changes
SyslogLinux systemsSystem and security events
Performance CountersOS metricsResource utilization and anomaly detection
Custom LogsApplication logsApplication-specific security events

Prerequisites

  • Log Analytics workspace created in Stage 06
  • Azure Monitor Agent deployed (or will deploy via DCR)
  • Arc-enabled servers registered (or will be during cluster deployment)

Variables from variables.yml

VariableConfig PathExample
AZURE_SUBSCRIPTION_IDazure.subscription.id00000000-0000-0000-0000-000000000000
AZURE_RESOURCE_GROUPazure.resource_group.namerg-azurelocal-prod-eus2
AZURE_REGIONazure.resource_group.locationeastus2
LOG_ANALYTICS_WORKSPACE_NAMEmonitoring.log_analytics.workspace_namelaw-azl-DAL-prod-01

Security Event Tiers

TierEvents CollectedUse Case
MinimalCritical security events onlyCost-sensitive environments
CommonImportant events (recommended)Standard security monitoring
AllComplete security logCompliance, forensics

Procedure

Create Data Collection Rule for Security Events

  1. Navigate to Data Collection Rules
  • In Azure Portal, search for Data collection rules
  • Click + Create
  1. Configure Basics
  • Rule Name: dcr-security-events-prod-eus2
  • Subscription: Select your subscription
  • Resource Group: rg-management-prod-eastus2
  • Region: Same as Log Analytics workspace
  • Platform Type: Windows (or All for both Windows and Linux)
  1. Add Resources (Optional)
  • Click + Add resources
  • Select Arc-enabled servers (if already registered)
  • Or leave empty to assign later during cluster deployment
  1. Configure Data Sources

Windows Security Events:

  • Click + Add data source
  • Data source type: Windows Event Logs
  • Configure: Select Security under Windows event logs
  • Click Add data source

Windows Event Logs:

  • Click + Add data source
  • Data source type: Windows Event Logs
  • Check: System, Application
  • Configure XPath queries for specific events (optional)
  1. Configure Destination
  • Click + Add destination
  • Destination type: Azure Monitor Logs
  • Subscription: Select your subscription
  • Destination: Select your Log Analytics workspace
  1. Review and Create
  • Click Review + create
  • Click Create

Create Syslog Collection Rule (Linux)

  1. Create New DCR for Linux
  • Rule Name: dcr-syslog-security-prod-eus2
  • Platform Type: Linux
  1. Add Syslog Data Source
  • Click + Add data source
  • Data source type: Linux Syslog
  • Configure facilities:
  • auth - LOG_WARNING and above
  • authpriv - LOG_WARNING and above
  • syslog - LOG_WARNING and above
  • daemon - LOG_ERR and above
  1. Add Destination
  • Select your Log Analytics workspace
  • Click Create

Key Security Events to Collect

Event IDDescriptionCategory
4624Successful logonAuthentication
4625Failed logonAuthentication
4648Logon with explicit credentialsAuthentication
4672Special privileges assignedPrivilege Use
4720User account createdAccount Management
4726User account deletedAccount Management
4728Member added to security groupGroup Management
4738User account changedAccount Management
4768Kerberos TGT requestedKerberos
4769Kerberos service ticket requestedKerberos

Validation

# Verify DCR exists
$dcr = Get-AzDataCollectionRule -ResourceGroupName $resourceGroup -Name $dcrName

if ($dcr) {
 Write-Host "✅ DCR exists: $($dcr.Name)" -ForegroundColor Green
 Write-Host " Location: $($dcr.Location)"
 Write-Host " Data Sources: $($dcr.DataSource.WindowsEventLog.Count) Windows Event Logs"
} else {
 Write-Host "❌ DCR not found" -ForegroundColor Red
}

# Query Log Analytics for security events (after data starts flowing)
$query = @"
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize count() by EventID
| order by count_ desc
| take 10
"@

Write-Host "`nQuerying for security events..." -ForegroundColor Cyan
# Note: Events may take 5-10 minutes to appear after DCR association

Expected Output

After Arc-enabled servers are registered and associated with the DCR:

SecurityEvent
| summarize count() by EventID

EventID count_
------- ------
4624 1547
4625 23
4672 892
4648 156
4768 2341
4769 8923

Assigning DCR to Arc-Enabled Servers

Once Arc-enabled servers are registered during cluster deployment, associate them with the DCR:

# Get DCR resource ID
$dcrId = (Get-AzDataCollectionRule -ResourceGroupName $resourceGroup -Name $dcrName).Id

# Associate with Arc-enabled server
$arcServerResourceId = "/subscriptions/$subscriptionId/resourceGroups/rg-azurelocal-prod-eastus2/providers/Microsoft.HybridCompute/machines/azl-node-01"

New-AzDataCollectionRuleAssociation `
 -TargetResourceId $arcServerResourceId `
 -AssociationName "dcr-association-node01" `
 -RuleId $dcrId

Troubleshooting

IssueCauseResolution
DCR creation fails with WorkspaceId invalidLog Analytics workspace not found or wrong regionVerify workspace exists with Get-AzOperationalInsightsWorkspace; ensure DCR and workspace are in the same region
Security events not appearing in Log AnalyticsAMA not installed or DCR association missingVerify AMA extension: az connectedmachine extension list; check DCR association: Get-AzDataCollectionRuleAssociation
Partial event collection (some event types missing)DCR XPath queries don't cover required event channelsUpdate DCR data sources to include all required Windows event channels (Security, System, Application)

Next Steps

Proceed to Task 6: PIM & Conditional Access to configure just-in-time access and identity protection.

Toolkit Reference

Scripts for this task are located in the azurelocal-toolkit repository under scripts/deploy/ in the appropriate task folder.

Alternatives

The procedures in this task use the scripted methods shown in the tabs above. Additional deployment methods including Azure CLI and Bash scripts are available in the azurelocal-toolkit repository under scripts/deploy/.

MethodDescription
Azure CLIPowerShell-based Azure CLI scripts for Azure resource operations
BashLinux/macOS compatible shell scripts for pipeline environments
PreviousUpNext
← Task 03: Security BaselinesPhase 04: Security & GovernanceTask 05: Azure Update Manager →
VersionDateAuthorChanges
1.0.02026-03-24Azure Local CloudInitial release

Version Control

VersionDateAuthorChanges
1.0.02025-03-25Azure Local CloudInitial release