
Collect Logs for Azure Audit from Event Hub

To collect Azure Audit logs from Event Hub, you first need to create an Event Hub, export activity logs to it, create a Function App, define the required environment variables, and finally deploy the function.

Create an Event Hub

  1. Login to https://portal.azure.com/.
  2. From the left pane, select Event Hubs.
  3. Click + Add.
  4. Enter the Name. Choose the appropriate Pricing tier, Subscription, Resource group, and Location. Click Create.

You’ve now created a Namespace to contain the Event Hubs.

Get the connection string for the Event Hub

To get the connection string, in the Azure portal:

  1. Click Event Hubs in the left pane, and then select the Event Hub Namespace containing the source Event Hub that you created previously.
  2. Under Settings, choose Shared access policies. Either create a new, or select an existing access policy with Send and Listen permissions.
  3. Click the policy name, and make a note of one of the connection strings listed under that policy. You will need it later to define an environment variable.

Export Activity Logs to Event Hub

  1. From the left pane, select Activity Logs.
  2. Click Export.
  3. Select the Subscriptions and Regions.
  4. Select the checkbox Export to an event hub.
  5. Select a service bus namespace. Choose the Subscription. Select the event hub namespace that you created in the previous step. Select an event hub policy name.
  6. Click OK.

When these steps complete, an Event Hub named "insights-operational-logs" is created under this namespace within a few minutes.

Create a Blob Container

You need a blob container under a storage account to hold failover data from Event Hub, that is, any batch the function cannot deliver to Sumo. The rest of this setup assumes the container is named azureaudit-failover, so create it with that name.

To create a blob container:

  1. From the left pane, go to Storage accounts.
  2. Select your Storage Account.
  3. Under Blob Service, select Containers.
  4. To add a new container, select + Container, enter the Name, and select the Public Access Level. Because this container will hold audit log data, leave the access level at Private (no anonymous access). Click OK.

Get the connection string for the Storage Account

To get a connection string for the Storage account, in the Azure portal:

  1. Select Storage accounts in the left pane. Then, select your storage account that you used to create the Blob Container in the previous step.
  2. Under Settings, select Access keys, and make a note of one of the connection strings. You will need it later to define an environment variable.

Create a Function App

You would need a Function App to host the execution of all your Sumo functions. A Function App lets you group functions as a logical unit for easier management, deployment, and sharing of resources. 

  1. In the Azure portal, click + New.
  2. Go to Compute > Function App.
  3. Enter the App name, select the Subscription, and choose the Resource Group.
  4. For Hosting Plan, it is recommended that you select a standard App Service Plan instead of the dynamic Consumption Plan. The Consumption plan lets you pay only for the time the functions run, but it imposes some delay. To create an App Service plan, follow the steps mentioned here.
  5. Select an App Service plan/Location, and Storage.
  6. Click Create.

You have now created a Function App to host your Azure functions.

Define the Environment Variables

You will need to define the required information for the function(s) under the hosting Function App's settings. 

  1. Search and select the Function App that you created in the previous step.
  2. Go to Application settings.
  3. Click + Add new setting to define a new variable. Don’t forget to save after you’ve defined the variables.

    You will need to define the following variables:

    • A variable for the Sumo HTTP endpoint URL. For example, you can name the variable SumoEndpoint. To determine your endpoint URL, see here.
    • A variable containing the connection string for the source Event Hub. For example, you can name the variable AzureEventHubConnectionString.
      Use the connection string that you retrieved in the section "Get the connection string for the Event Hub".
    • A variable containing the connection string for the storage account. For example, you can name the variable StorageConnectionString. This storage account holds any data that, on rare occasions, fails to be sent to Sumo.
      Use the connection string that you retrieved in the section "Get the connection string for the Storage Account".

Deploy the Function

Once all the environment variables are defined, deploy your function by following these steps:

  1. Search and select the Function App that you created earlier to host the function. From there, click the + under Functions.
  2. Click Custom Function.
  3. Select EventHubTrigger - JavaScript.
    • Provide a name for your function.
    • Event Hub name. Select the source Event Hub name. For example, insights-operational-logs.
    • Event Hub connection. Select the variable defining the connection string for the event hub in the step above from the dropdown list.
    • Click Create to finish.
  4. Once the function is created, click on its name, then go to View files > Upload.

    Download the whole repo from GitHub as a zip file locally. Select Clone or Download > Download ZIP.
    Then, upload all files under sumologic-azure-function/sumo-function-utils/lib/

  5. Also upload sumologic-azure-function/EventHubs/Node.js/index.js from the downloaded zip file. Make sure the urlString parameter value inside the function matches the name of the Sumo endpoint environment variable that you created earlier. Keep the prefix process.env.APPSETTINGS_.
  6. Change the function integration. Under the Function name, select Integrate. Click Advanced Editor.
  7. In the function.json, add this storage output binding to the bindings array:

    {
       "type": "blob",
       "name": "outputBlob",
       "path": "azureaudit-failover/{rand-guid}",
       "connection": "NAME_OF_THE_ENV_VARIABLE_FOR_THE_STORAGE_ACCOUNT",
       "direction": "out"
    }


    Here, make two changes:

    • The path "azureaudit-failover" is the name of the blob container to host the failover data that you created in the previous section. If you used a different name, enter that name here. DO NOT modify the string {rand-guid}.
    • For “connection”, enter the name of the environment variable for the storage account that you created in the Function app.

    In the end, the bindings array should look similar to this:

    {
     "bindings": [
       {
         "type": "eventHubTrigger",
         "name": "eventHubMessages",
         "direction": "in",
         "path": "insights-operational-logs",
         "connection": "AzureLabsEventHub_DevSharedAccess_EVENTHUB",
         "cardinality": "many",
         "consumerGroup": "$Default"
       },
       {
         "type": "blob",
         "name": "outputBlob",
         "path": "azureaudit-failover/{rand-guid}",
         "connection": "sumologicstorage_STORAGE",
         "direction": "out"
       }
     ],
     "disabled": false
    }
  8. Finally, test the function by going to index.js, and clicking Run. To test on the receiving endpoint, go to Sumo and use the Sumo LiveTail to see the data immediately.