This page has instructions for configuring a pipeline for shipping Azure Audit logs from Azure Monitor to an Event Hub, on to an Azure Function, and finally to an HTTP source on an hosted collector in Sumo Logic.
Here’s how the solution fits together:
- Azure Monitor collects logs for most Microsoft Azure services, including Azure Audit, and streams the data to an Azure Event Hub.
- Azure Event Hubs is a data streaming platform and event ingestion service. In this pipeline, an Event Hub streams the logs collected by Azure Monitor to an Azure function.
- The Azure function is a small piece of code that is triggered by Event Hub to send logs to the Sumo HTTP Source, function logs to one Storage Account, and and failover data to another.
Step 1. Configure an HTTP source
In this step, you configure an HTTP source to which the Azure function will send Azure Activity logs.
Step 2. Configure Azure resources using ARM template
In this step, you use a Sumo-provided Azure Resource Manager (ARM) template to create an Event Hub, an Azure function and two Storage Accounts. The Azure function is triggered by Event Hub. Two storage accounts are used to store log messages from the Azure function and failover data from Event Hub.
- Download the azuredeploy_logs.json ARM template.
- Go to Template deployment in the Azure Portal.
- Click Create.
- On the Custom deployment blade, click Build your own template in the editor.
- Copy the contents of
azuredeploy_logs.json, and paste it into the editor window.
- Click Save.
- Now you are back on the Custom deployment blade.
- Create a new Resource Group (recommended) or select an existing one.
- Choose Location.
- In the Sumo Endpoint URL field, enter the URL of the HTTP source you configured in Step 1.
- Agree to the terms and conditions.
- Click Purchase.
- Verify the deployment was successful by looking at Notifications at top right corner of Azure Portal.
- (Optional) In the same window, you can click Go to resource group to verify all resources have been created successfully. You will see something like this:
- Go to Storage accounts and search for “sumofail”. Click on “sumofail<random-string>”.
- Under Blob Service, click Containers, then click + Container, enter the Name azureaudit-failover, and select Private for the Public Access Level. Click OK.
Step 3. Export Activity Logs to Event Hub
- In the left pane of Azure console, click Activity log.
- In the Activity log window, click Export.
- In the Export activity log (PREVIEW) pane, select desired Subscriptions and Regions, and click the Export to an event hub checkbox.
- In the Select event hub namespace pane:
- In the Subscription pull-down, select a subscription.
- In the Event Hub Namespace pull-down, select the SumoAzureLogsNamespace<UniqueSuffix> namespace that you created in Step 2.
- In the Event hub policy, leave the default policy, RootManageSharedAccessKey, or select another as desired.
- Click OK.
If logs are not flowing into Sumo Logic, see Troubleshooting.