Skip to main content
Sumo Logic

Collect Logs for Azure Audit from Event Hub

To collect Azure Activity zlogs from Event Hub, you configure an HTTP source on a hosted collector, use an Azure Resource Manager (ARM) template to create necessary Azure resources, define required environment variables, create an blob container for failover data, and export Activity Logs to Event Hub.

This page has instructions for configuring a pipeline for shipping Azure Audit logs from Azure Monitor to an Event Hub, on to an Azure Function, and finally to an HTTP source on an hosted collector in Sumo Logic.

Here’s how the solution fits together:

  • Azure Monitor collects logs for most Microsoft Azure services, including Azure Audit, and streams the data to an Azure Event Hub. 
  • Azure Event Hubs is a data streaming platform and event ingestion service. In this pipeline, an Event Hub streams the logs collected by Azure Monitor to an Azure function. 
  • The Azure function is a small piece of code that is triggered by Event Hub to send logs to the Sumo HTTP Source, function logs to one Storage Account, and and failover data to another.

CollectLogsforAzureAudit.png

Step 1. Configure an HTTP source

In this step, you configure an HTTP source to which the Azure function will send Azure Activity logs.

  1. Select a hosted collector where you want to configure the HTTP source. If desired, create a new hosted collector, as described on Configure a Hosted Collector.
  2. Configure an HTTP source, as described on HTTP Logs and Metrics Source

Step 2. Configure Azure resources using ARM template

In this step, you use a Sumo-provided Azure Resource Manager (ARM) template to create an Event Hub, an Azure function and two Storage Accounts. The Azure function is triggered by Event Hub. Two storage accounts are used to store log messages from the Azure function and failover data from Event Hub.

  1. Download the azuredeploy_logs.json ARM template.
  2. Go to Template deployment in the Azure Portal.after step2.3.png
  3. Click Create.
  4. On the Custom deployment blade, click Build your own template in the editor.
  5. Copy the contents of azuredeploy_logs.json, and paste it into the editor window.after step2.6.png
  6. Click Save.
  7. Now you are back on the Custom deployment blade.
    1. Create a new Resource Group (recommended) or select an existing one.
    2. Choose Location.
    3. In the Sumo Endpoint URL field, enter the URL of the HTTP source you configured in Step 1.
    4. Agree to the terms and conditions.
    5. Click Purchase.
      pipeline-custom-deployment.png
  8. Verify the deployment was successful by looking at Notifications at top right corner of Azure Portal.
    go-to-resource-group.png
  9. (Optional) In the same window, you can click Go to resource group to verify all resources have been created successfully. You will see something like this:
    step2.11.png
  10. Go to Storage accounts and search for “sumofail”. Click on “sumofail<random-string>”.
    step2.12.png
  11. Under Blob Service, click Containers, then click + Container, enter the Name azureaudit-failover, and select Private for the Public Access Level. Click OK.
    step2.13.png

Step 3. Export Activity Logs to Event Hub

  1. In the left pane of Azure console, click Activity log.
    activitylobselected.png
  2. In the Activity log window, click Export.
    activitylogexport.png
  3. In the  Export activity log (PREVIEW) pane, select desired Subscriptions and Regions, and click the Export to an event hub checkbox.
    export-to-an event-hub.png
  4. In the Select event hub namespace pane:
    1. In the Subscription pull-down, select a subscription.
    2. In the Event Hub Namespace pull-down, select the SumoAzureLogsNamespace<UniqueSuffix> namespace that you created in Step 2.
    3. In the Event hub policy, leave the default policy, RootManageSharedAccessKey, or select another as desired.
    4. Click OK

Troubleshooting

If logs are not flowing into Sumo Logic, see Troubleshooting