How to Set Up Log Analytics with Windows Event Logs on Windows Server 2016
Azure Log Analytics is the query and storage engine within Azure Monitor that provides powerful search and analysis capabilities over large volumes of log data collected from Windows and Linux servers. By forwarding Windows Event Logs from Windows Server 2016 to a Log Analytics workspace, administrators gain centralized log access, cross-server search, alerting, anomaly detection, and long-term retention—all without maintaining on-premises log infrastructure. This guide covers configuring the Log Analytics workspace, connecting Windows Server 2016, specifying which event logs to collect, writing Kusto queries, and building log-based alerts.
Step 1: Create a Log Analytics Workspace
In the Azure Portal, search for Log Analytics workspaces and click Create. Select your subscription, resource group, workspace name, and region. The PerGB2018 pricing tier charges per gigabyte ingested and is standard for most deployments. Click Review + Create.
Via Azure CLI:
az monitor log-analytics workspace create \
  --resource-group LogRG \
  --workspace-name WinEventLogs \
  --location eastus \
  --sku PerGB2018 \
  --retention-time 90
The --retention-time 90 parameter retains data for 90 days before automatic deletion. Increase this for compliance or security audit requirements.
Step 2: Connect Windows Server 2016 via Log Analytics Agent
In the Azure Portal, open the Log Analytics workspace. Navigate to Settings > Agents. Download the Windows agent for 64-bit systems. Copy the Workspace ID and Primary Key displayed on this page.
Run the downloaded MMA setup on Windows Server 2016. During setup, check Connect the agent to Azure Log Analytics (OMS). Enter the Workspace ID and Primary Key. Complete installation.
For silent installation, the MSI properties are passed through the self-extracting installer with /C; substitute your Workspace ID and Primary Key for the placeholders:
MMASetup-AMD64.exe /C:"setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=<workspace-id> OPINSIGHTS_WORKSPACE_KEY=<primary-key> AcceptEndUserLicenseAgreement=1"
After installation, verify that the agent service (HealthService, shown as Microsoft Monitoring Agent in the Services console) is running:
Get-Service HealthService
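A running service only proves the agent started; the workspace-side check below, added here and not part of the original guide, confirms that each Windows agent is heartbeating and is actually delivering events, which catches the case where the agent is connected but no event-log data source has been applied. The 15-minute silence threshold is an assumed value.

```kusto
// Added example: confirm each Windows agent is reporting to the workspace.
// Heartbeat shows the agent is connected; the join against Event catches the
// failure mode where the agent is healthy but no event-log data source is applied.
// The 15-minute silence threshold is an assumed value; tune it to your environment.
let silentAfter = 15m;
Heartbeat
| where TimeGenerated > ago(24h)
| where OSType == "Windows"
| summarize LastHeartbeat = max(TimeGenerated),
            AgentType = take_any(Category),
            AgentVersion = take_any(Version)
  by Computer
| join kind=leftouter (
    Event
    | where TimeGenerated > ago(24h)
    | summarize LastEvent = max(TimeGenerated), EventsLast24h = count() by Computer
  ) on Computer
| extend EventsLast24h = coalesce(EventsLast24h, long(0))
| extend Status = case(
    LastHeartbeat < ago(silentAfter), "AGENT SILENT",
    EventsLast24h == 0, "CONNECTED, NO EVENTS COLLECTED",
    "OK")
| project Computer, AgentType, AgentVersion, LastHeartbeat, LastEvent, EventsLast24h, Status
| order by Status asc, LastHeartbeat asc
```

A newly installed server appears under Heartbeat within a few minutes; expect "CONNECTED, NO EVENTS COLLECTED" until Step 3 has been completed and a matching event has been written on the server.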
Step 3: Configure Windows Event Log Collection
In the Azure Portal, open the Log Analytics workspace, then navigate to Settings > Legacy agents management > Windows event logs. Click Add windows event log. Add the following standard logs at minimum: System (collect Error and Warning), Application (collect Error, Warning, Information), Security (collect Audit Failure). Click Apply.
For PowerShell configuration using the Az.OperationalInsights module (the cmdlet that creates a data source is New-, not Set-):
New-AzOperationalInsightsWindowsEventDataSource `
-ResourceGroupName LogRG `
-WorkspaceName WinEventLogs `
-EventLogName "System" `
-CollectErrors `
-CollectWarnings `
-Name "SystemEventLog"
New-AzOperationalInsightsWindowsEventDataSource `
-ResourceGroupName LogRG `
-WorkspaceName WinEventLogs `
-EventLogName "Application" `
-CollectErrors `
-CollectWarnings `
-CollectInformation `
-Name "AppEventLog"
Step 4: Add Windows Performance Counter Collection
Alongside event logs, configure performance counters for correlated analysis. Under Legacy agents management > Windows performance counters, add counters with a 60-second sample interval:
New-AzOperationalInsightsWindowsPerformanceCounterDataSource `
-ResourceGroupName LogRG `
-WorkspaceName WinEventLogs `
-ObjectName "Processor" `
-InstanceName "_Total" `
-CounterName "% Processor Time" `
-IntervalSeconds 60 `
-Name "ProcTime"
Step 5: Query Windows Event Logs with KQL
Open the Log Analytics workspace and click Logs. Windows events are stored in the Event table. List the 50 most recent error and warning events from the past 24 hours:
Event
| where TimeGenerated > ago(24h)
| where EventLevelName in ("Error", "Warning")
| project TimeGenerated, Computer, EventLog, EventID, RenderedDescription
| order by TimeGenerated desc
| take 50
Find failed service starts (Event ID 7034 = service crashed, 7036 = service stopped):
Event
| where EventLog == "System"
| where EventID in (7034, 7036)
| where TimeGenerated > ago(7d)
| summarize count() by Computer, EventID, RenderedDescription
| order by count_ desc
Search for specific error text across all logs:
Event
| where RenderedDescription contains "disk failure"
| project TimeGenerated, Computer, EventLog, EventID, RenderedDescription
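The 7034/7036 query above counts events per description string; the added query below (not from the original guide) builds on it by pulling the service name out of RenderedDescription and keeping only stop events, because 7036 is written for every state change, including a service entering the running state. It assumes English-language event text.

```kusto
// Added example: which services are stopping or crashing, by name.
// 7036 is logged for every state change, so keep only the "stopped" transitions;
// 7034 always means the service terminated unexpectedly.
// Assumes English RenderedDescription text, e.g.
//   "The Print Spooler service terminated unexpectedly. It has done this 3 time(s)."
//   "The Windows Update service entered the stopped state."
Event
| where TimeGenerated > ago(7d)
| where EventLog == "System" and Source == "Service Control Manager"
| where EventID in (7034, 7036)
| extend ServiceName = extract(@"^The (.+?) service ", 1, RenderedDescription)
| extend Outcome = case(
    EventID == 7034, "terminated unexpectedly",
    extract(@"entered the (\w+) state", 1, RenderedDescription))
| where Outcome in ("terminated unexpectedly", "stopped")
| summarize Occurrences = count(),
            Crashes = countif(EventID == 7034),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by Computer, ServiceName, Outcome
| order by Crashes desc, Occurrences desc
```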
Step 6: Find Security Events
Security event logs captured from Windows Server 2016 are stored in the SecurityEvent table (when the Security log is collected). Find failed logon attempts:
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize FailedLogins=count() by Account, Computer, IpAddress
| order by FailedLogins desc
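The query above reports raw failure counts. The added query below (not from the original guide) turns it into a detection: it labels the failure reason from the 4625 SubStatus code, handles the "-" that 4625 records as IpAddress for local and console logons instead of dropping those rows, and separates a brute-force pattern (many failures against few accounts) from a password-spray pattern (many accounts from one source). The thresholds are assumed values; the query can also serve as the condition query of a scheduled alert like the one in Step 7.

```kusto
// Added example: classify 4625 failures by source and pattern.
// Assumes the Security log is collected into SecurityEvent.
// failThreshold and sprayThreshold are assumed values; tune them per environment.
let lookback = 1d;
let failThreshold = 10;
let sprayThreshold = 5;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625
// Local and console failures carry "-" or an empty IpAddress; keep and label them
| extend SourceIp = iff(isempty(IpAddress) or IpAddress == "-", "local/console", IpAddress)
// SubStatus is the NTSTATUS sub-code that explains why the logon failed
| extend Reason = case(
    tolower(SubStatus) == "0xc000006a", "Bad password",
    tolower(SubStatus) == "0xc0000064", "Unknown user name",
    tolower(SubStatus) == "0xc0000234", "Account locked out",
    tolower(SubStatus) == "0xc0000072", "Account disabled",
    strcat("Other (", SubStatus, ")"))
| summarize Failures = count(),
            DistinctAccounts = dcount(Account),
            Reasons = make_set(Reason, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by Computer, SourceIp
| where Failures >= failThreshold
| extend Pattern = iff(DistinctAccounts >= sprayThreshold,
                       "password spray (many accounts, one source)",
                       "brute force (few accounts, repeated failures)")
| order by Failures desc
```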
Step 7: Create Log-Based Alert Rules
Create a scheduled query alert that fires when a critical event appears in the Security log:
az monitor scheduled-query create \
  --resource-group LogRG \
  --name AccountLockoutAlert \
  --scopes "/subscriptions/{sub-id}/resourceGroups/LogRG/providers/Microsoft.OperationalInsights/workspaces/WinEventLogs" \
  --condition "count >= 5" \
  --condition-query "SecurityEvent | where EventID == 4740 | where TimeGenerated > ago(10m)" \
  --evaluation-frequency 5m \
  --window-size 10m \
  --severity 1 \
  --action "/subscriptions/{sub-id}/resourceGroups/LogRG/providers/microsoft.insights/actionGroups/SecurityAlerts"
Step 8: Build a Log Analytics Dashboard
In the Log Analytics workspace, run a KQL query and click Pin to Dashboard to add charts to an Azure Portal dashboard. Alternatively, create a Workbook under Azure Monitor > Workbooks that combines event counts, error timelines, and server health panels using multiple KQL queries in one interactive view.
Best Practices
Use a Data Collection Rule with the Azure Monitor Agent instead of the legacy MMA for new deployments. Configure separate workspaces for security logs and operational logs if different retention and access control policies apply. Set workspace daily ingestion caps to prevent unexpected billing spikes if a misconfigured application generates excessive logs. Archive data beyond the active retention period to Azure Storage using workspace export. Use Microsoft Sentinel for advanced threat detection built on top of Log Analytics for security event analysis.