Windows Defender log again

Hello!
I had this running in the past, but now I have the same issue again:
https://discuss.newrelic.com/t/windows-defender-logs-how-to/189179
My config:


I copied the config from where everything worked, but can't see the problem this time.
Thank you!

Hi @matthias.duerre

Thanks for reaching out, I hope you are well.

Unfortunately this is out of my scope; however, I will go ahead and loop in the support engineering team to help here.

Please note they will reach out via this post with their findings.

Hi @matthias.duerre

Do you know if those event IDs in your .yml file are still the correct IDs to be captured?

Hello @GlenOFoghlu

I use every ID related to virus detection and removal, for example 1116:


I could try to use only the IDs 1116 and 1117.
I want to get the Defender logs of Win clients to set alerts when a virus has been detected, removed, etc.
I got the IDs from here: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide

Sadly, reducing the IDs in the config doesn't make a difference.
Is there a way to see something like a log on the New Relic site, so I could see what the issue may be?

I used the diagnostic tool nrdiag:


Line 19 in the config should be wrong, but I copied it from the entry in the first part of the config:

Last time I had a missing tab, so this time I paid more attention to this.
I will try and play around with the tool a bit more and will report back.

Hi @matthias.duerre !

The screenshot you provided of your logs.yml configuration file looks pretty good. I would make sure that your IDs are also indented as well. You'll want it to look similar to this:

      collect-eventids:
        - 1116
        - 1117

Give this a try and restart your infrastructure agent service and let us know if that helps fix the issue you are having.

Hello!
I installed the client on a different Windows client.
When I don't use the “collect-eventids” part, then there should be every log for, in my example, Windows Defender?
I tested the config without it and nrdiag has no problem with the config.

I don't know if the other errors could be an issue:

Check Results
-------------------------------------------------

Info                Base/Env/CollectEnvVars [Gathered Environment variables of current shell.]
Success             Base/Config/Collect
Success             Base/Config/Validate
Success             Base/Env/CheckWindowsAdmin
Warning             Java/AppServer/WebSphere
Success             Infra/Config/Agent
We've found a file that may contain secure information: C:\Program Files\New Relic\newrelic-infra\integrations.d\newrelic-infra-winpkg-config.yml
Include this file in nrdiag-output.zip?
Choose 'y' or 'n', then press enter: n
We've found a file that may contain secure information: C:\Program Files\New Relic\newrelic-infra\logging.d\logs.yml
Include this file in nrdiag-output.zip?
Choose 'y' or 'n', then press enter: y
Adding file to Diagnostics CLI zip file:  C:\Program Files\New Relic\newrelic-infra\logging.d\logs.yml
We've found a file that may contain secure information: C:\Program Files\New Relic\newrelic-infra\newrelic-infra.yml
Include this file in nrdiag-output.zip?
Choose 'y' or 'n', then press enter: n
We've found a file that may contain secure information: C:\Program Files\New Relic\newrelic-infra\newrelic-integrations\newrelic-infra-winpkg-definition.yml
Include this file in nrdiag-output.zip?
Choose 'y' or 'n', then press enter: n
Success             Infra/Config/IntegrationsCollect
Success             Infra/Config/IntegrationsValidate
Info                Infra/Agent/Version [1.29.1]
Success             Infra/Config/IntegrationsMatch
Warning             Java/Env/Version
Success             Base/Log/Copy
Success             Base/Config/LicenseKey
Error               DotNetCore/Env/Versions
Warning             Base/Config/AppName
Success             Base/Config/ValidateLicenseKey
Success             Base/Config/ValidateHSM
Info                Base/Env/HostInfo [Collected host information]
Info                Base/Config/RegionDetect [1 unique New Relic region(s) detected from config.]
Warning             Base/Collector/ConnectEU
Info                DotNet/Env/Versions [4, 4.0, 4.7 or later]
Success             Infra/Config/DataDirectoryCollect
Success             Infra/Agent/Connect
Warning             Infra/Log/LevelCheck
Success             Infra/Env/ClockSkew
82 results not shown: 82 None
See nrdiag-output.json for full results.

Issues Found
-------------------------------------------------
Warning - Java/AppServer/WebSphere
We suspect this is a WebSphere environment but we're unable to determine the version. Supported status is unknown.
See https://docs.newrelic.com/docs/agents/java-agent/additional-installation/ibm-websphere-application-server for more information.


Warning - Java/Env/Version
Java not found in PATH


Error - DotNetCore/Env/Versions
Unable to complete this health check because we ran into some unexpected errors when attempting to collect this application's .NET Core version:
Unable to run 'dotnet --info':
%w
exec: "dotnet": executable file not found in %PATH%Unable to run 'dotnet --version':
%w
exec: "dotnet": executable file not found in %PATH%


Warning - Base/Config/AppName
No New Relic app names were found. Please ensure an app name is set in your New Relic agent configuration file or as a New Relic environment variable (NEW_RELIC_APP_NAME). Ignore this warning if you are troubleshooting for a non APM Agent.
See https://docs.newrelic.com/docs/agents/manage-apm-agents/app-naming/name-your-application for more information.


Warning - Base/Collector/ConnectEU
collector.newrelic.com (EU Region) returned a non-200 STATUS CODE: 404
Please check network and proxy settings and try again or see -help for more options.
Response Body: {}
See https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/networks for more information.


Warning - Infra/Log/LevelCheck
Infrastructure logging level not set to verbose (debug/trace). If troubleshooting an Infrastructure issue, please set log level to: debug in newrelic-infra.yml.
See https://docs.newrelic.com/docs/infrastructure/new-relic-infrastructure/troubleshooting/generate-logs-troubleshooting-infrastructure for more information.


We've created nrdiag-output.zip and nrdiag-output.json
Do you want to upload these to your New Relic account?
Choose 'y' or 'n', then press enter: n


For better results, run Diagnostics CLI with the 'suites' option to target a New Relic product. To learn how to use this option, run: 'nrdiag_x64.exe -h suites'

Restarting the service would be an idea too; I first used my work laptop for testing before moving to a VM.
I have the device in standby/energy-saving mode most of the time.

Hi @aditto
Sadly nothing with a correct event ID is visible:

Here is the config with copied lines from your example:

I have restarted the service and rebooted the device, but now I'm rather clueless.
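A local check worth running alongside the config fixes discussed in this thread (an added example, not code from the thread or from New Relic): it queries the Windows Defender Operational channel for the same event IDs that logs.yml filters on, so an empty view in New Relic can be split into "no such events exist on the host yet" versus "events exist but are not being forwarded", and it lists the channel and ID lines of the agent's logs.yml for a quick indentation check. The channel name and the Get-WinEvent/Select-String cmdlets are standard Windows; the function name and the 7-day window are my own choices.

```powershell
# Added example (not from the thread or New Relic): verify that Defender has
# actually written the event IDs the New Relic logs.yml is filtering on, then
# show the channel/ID lines of that logs.yml for an indentation sanity check.
function Test-DefenderEventSource {
    param(
        [int[]]$EventId = @(1116, 1117),   # IDs used in the thread's config
        [int]$Days = 7,                    # look-back window (assumption)
        # Agent log-forwarding config; path as shown in the nrdiag output above
        [string]$LogsYml = 'C:\Program Files\New Relic\newrelic-infra\logging.d\logs.yml'
    )
    # Channel Windows Defender writes to; the 'channel:' key in logs.yml must match it exactly.
    $channel = 'Microsoft-Windows-Windows Defender/Operational'
    $since   = (Get-Date).AddDays(-$Days)

    # Get-WinEvent reports "no events found" as a non-terminating error; suppress it
    # so an empty result is handled below instead of aborting the check.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $channel
        Id        = $EventId
        StartTime = $since
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No events with ID $($EventId -join ', ') in '$channel' since $since."
        Write-Warning "There is nothing for the agent to forward yet; the alert cannot be verified until a detection is logged."
    } else {
        Write-Output "Found $(@($events).Count) matching event(s), newest first:"
        $events |
            Select-Object TimeCreated, Id, LevelDisplayName,
                @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
            Format-Table -AutoSize
    }

    # Cross-check the forwarding config: channel must match, and each ID must be a
    # list item indented under collect-eventids (the indentation point made above).
    if (Test-Path -LiteralPath $LogsYml) {
        Write-Output "`nRelevant lines in $LogsYml :"
        Select-String -LiteralPath $LogsYml -Pattern 'channel:|collect-eventids:|^\s*-\s*\d+\s*$' |
            ForEach-Object { '{0,4}: {1}' -f $_.LineNumber, $_.Line }
    } else {
        Write-Warning "logs.yml not found at $LogsYml"
    }
}

Test-DefenderEventSource
```

Run it in an elevated PowerShell on the host the agent is installed on; if the first part reports no events, the missing data in New Relic is expected until Defender records a detection, and the config is not the first place to look.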