New event id configuring

Hi Igor.Ilyin,

Please assist me with gathering the event IDs listed below in InTrust 11.3. These are new event IDs related to Azure self-service password reset.

On my domain controller these events are being committed regularly. I want to gather these logs and store them in a repository for future auditing purposes.

I don't want to touch the existing gathering jobs. I want to create a new gathering job, scheduled task, and policy for collecting these logs.

PasswordChangesValidated 10014
PasswordSetsValidated 10015
PasswordChangesRejected 10016
PasswordSetsRejected 10017
PasswordChangeAuditOnlyFailures 10024
PasswordSetAuditOnlyFailures 10025
PasswordChangeErrors 10012
PasswordSetErrors 10013
  • Hi mcsebala,

    Are you talking about the log "Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin" in eventvwr? It would be helpful if you navigate to this log, open its properties and send me the "Full Name:" value. And it would be extremely helpful if you can share the log itself with me. Could you click "Save All Events As..." for this log and send it directly to igor.ilyin@quest.com? Doing so will streamline my help to you. If you cannot send the log, we will help you step by step. Thank you.

  • So kind of you sir for the reply.

    You are correct, I want to collect logs from "Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin".

    I am unable to share the logs via email.

    Let me know all the steps for configuring gathering, task creation, and policy creation for collecting SSPR logs. After that I will check the report and send you the confirmation.

  • Please navigate to this log, open its properties and share the "Full Name:" property value with me.

  • Please find the full name "Microsoft-AzureADPasswordProtection-DCAgent/Admin"

  • Thank you.

    You can collect this log using two different InTrust UIs.

    The simplified one, this method can collect only new events starting from the current moment:

    1. Open InTrust Deployment Manager.
    2. Switch to Collections tab.
    3. New - Windows Collection.
    4. Name the new collection, for example Microsoft-AzureADPasswordProtection-DCAgent/Admin. Next.
    5. Specify computers from which you want to collect Microsoft-AzureADPasswordProtection-DCAgent/Admin log, by name or using other available methods. Check Install Agents Automatically. Next.
    6. On Data Sources and Repository step click Add and set Microsoft-AzureADPasswordProtection-DCAgent/Admin as the name. OK.
    7. Uncheck all other data sources in the list.
    8. Choose the Repository to collect to or create a new one. Next.
    9. Finish the wizard. Wait for the configuration to be applied and then observe the repository you collect to using the Repository Viewer.

    The traditional one, this method can collect also the old events that are already in the log:

    1. Open InTrust Manager.
    2. Create a Site which contains the objects you want to collect Microsoft-AzureADPasswordProtection-DCAgent/Admin log from, or pick one from the existing configuration.
    3. Create a Repository for Microsoft-AzureADPasswordProtection-DCAgent/Admin log or pick one from the existing configuration.
    4. Go to Quest InTrust Manager | Configuration | Data Sources.
    5. Right click the node - New Data Source.
    6. Choose Microsoft Windows Events.
    7. Set log name to Microsoft-AzureADPasswordProtection-DCAgent/Admin. Set Remote, then local. Next.
    8. Set data source name to Microsoft-AzureADPasswordProtection-DCAgent/Admin. Finish the wizard.
    9. Go to Quest InTrust Manager | Gathering | Gathering Policies | Microsoft Windows Network.
    10. Right click the node - New Policy.
    11. Set the name to Microsoft-AzureADPasswordProtection-DCAgent/Admin. Next.
    12. Choose the data source Microsoft-AzureADPasswordProtection-DCAgent/Admin from the list. Next.
    13. Review the Gathering Settings. Next.
    14. Review Event Filtering for Audit DB. Next.
    15. Review Event Filtering for Repository. Next.
    16. Finish Add Data Source Wizard. Next.
    17. Review Configure Filtering. Next.
    18. Finish New Policy Wizard.
    19. Right click on the policy and "Apply to Site". Pick the Site mentioned in the step #2. Create new schedule. To run the task every hour set "Repeat Task every 1 hour, with duration 24 hours".
    20. Enable schedule.
    21. Pick the repository to collect to mentioned in the step #3.
    22. Finish the wizard.
    23. Commit all changes (right click on Quest InTrust Manager root node, Commit).
    24. After the first successful gathering session open Repository Viewer and observe the repository you collect to. Create a custom Search with a layout containing fields you like.
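
A check to run on the domain controller before and after the first gathering session, added here as an example and not part of the thread or of Quest's own tooling: it confirms the channel exists under the full name given above and counts the eight event IDs from the question, so the totals can be compared with what Repository Viewer shows. The function name `Get-PasswordProtectionSummary`, its parameters and the 24-hour window are assumptions; the account running it needs permission to read the log.

```powershell
# Added example (not InTrust code): summarize Azure AD Password Protection
# DC agent events so the counts can be compared with the InTrust repository.
$LogName = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'  # full name from the thread

# Event ID -> name, exactly as listed in the original question.
$EventNames = @{
    10012 = 'PasswordChangeErrors'
    10013 = 'PasswordSetErrors'
    10014 = 'PasswordChangesValidated'
    10015 = 'PasswordSetsValidated'
    10016 = 'PasswordChangesRejected'
    10017 = 'PasswordSetsRejected'
    10024 = 'PasswordChangeAuditOnlyFailures'
    10025 = 'PasswordSetAuditOnlyFailures'
}

function Get-PasswordProtectionSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # hypothetical parameter
        [int]$Hours = 24                            # assumed look-back window
    )

    # Fail early if the channel is missing or misnamed on this machine.
    $log = Get-WinEvent -ListLog $LogName -ComputerName $ComputerName -ErrorAction Stop
    Write-Host "$ComputerName : $($log.LogName) enabled=$($log.IsEnabled) records=$($log.RecordCount)"

    $filter = @{
        LogName   = $LogName
        Id        = [int[]]@($EventNames.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as zero events.
    $events = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if (-not $events) { Write-Host "No matching events in the last $Hours hours."; return }

    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            Computer = $ComputerName
            EventId  = [int]$_.Name
            Name     = $EventNames[[int]$_.Name]
            Count    = $_.Count
            Latest   = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
        }
    }
}

Get-PasswordProtectionSummary | Format-Table -AutoSize
```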