
Collect Logs for Azure Audit from Event Hub

To collect Azure Activity logs from Event Hub, you configure an HTTP source on a hosted collector, use an Azure Resource Manager (ARM) template to create the necessary Azure resources, define the required environment variables, create a blob container for failover data, and export Activity Logs to Event Hub.

This page has instructions for collecting Azure Activity logs from the Azure Event Hubs ingestion service, using an Azure Resource Manager (ARM) template. 

Step 1. Configure an HTTP source

In this step, you configure an HTTP source to which the Azure function will send Azure Activity logs.

  1. Select a hosted collector where you want to configure the HTTP source. If desired, create a new hosted collector, as described on Configure a Hosted Collector.
  2. Configure an HTTP source, as described on HTTP Logs and Metrics Source

Step 2. Upload ARM template

  1. Login to https://portal.azure.com/.
  2. In the left pane, click the plus icon.
  3. In the New pane, enter "template deployment" in the search field, run the search, and select Template Deployment from the search results.
  4. In the Template Deployment pane click Create.
  5. In the Custom Deployment pane, click Build your own template in the editor.
  6. Download azuredeploy_activity_logs.json.
  7. In Edit Template window click Load file, upload the azuredeploy_activity_logs.json template and then click Save.
  8. In the Custom Deployment pane choose the appropriate Subscription, Resource group, and Location. Check the terms and condition and click Purchase.

    This will create following resources:

    • SumoAzureAudit<UniqueSuffix>—The Event Hub namespace which contains insights-operational-logs (eventhub) used for storing activity logs.

    • SumoAzureAuditApp<UniqueSuffix>—The App Service that hosts the EventHubs_Logs Azure function. It runs in an App Service plan named SumoAzureAuditAppServicePlan<UniqueSuffix> (by default the standard App Service plan is configured). The Azure function is triggered by Azure Event Hubs.

    • sumoaudlogs<UniqueSuffix>—The storage account used for storing output of EventHubs_Logs Azure function.
    • sumoaudfail<UniqueSuffix>—The storage account to store failover data from Event Hub.

      Where <UniqueSuffix> is a hash that ensures unique resource names.


Step 3. Configure environment variables

The following environment variables are supported in the EventHubs_Logs Azure function. You can either update the variables in the template or by using the Azure console.

SumoAuditEndpoint
  A variable for the Sumo HTTP endpoint URL. You must update the variable value to the URL for the HTTP source you defined in Step 1. Configure an HTTP source. To find the source's URL, go to Manage > Collection > Collection, navigate to the hosted collector with the HTTP source, and click Show URL next to the source.

AzureEventHubConnectionString
  A variable containing a connection string for the source Event Hub. The ARM template populates this variable.

  To determine the connection string for an existing Event Hub:

    1. Click Event Hubs in the left pane, and then select the Event Hub Namespace containing the source Event Hub.
    2. Under Settings, choose Shared access policies, and select an existing access policy with Manage, Send, and Listen permissions.
    3. Click the policy name, and make a note of the connection string.

StorageConnectionString
  A variable containing a connection string for the sumoaudfail<UniqueSuffix> storage account. The ARM template populates this variable.

  To determine the connection string for an existing storage account:

    1. Select Storage accounts in the left pane. Then, select the storage account that contains the Blob Container.
    2. Under Settings, select Access keys, and make a note of the connection string.
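Before saving these three settings into the function's configuration, it is worth checking that each one has the shape described above and that nothing secret ends up in a deployment log. The following JavaScript is an added example written for this page; it is not code from the Sumo Logic page or from the EventHubs_Logs function. It parses the two Azure connection strings (semicolon-separated Key=Value pairs, the standard Event Hub and Storage formats), checks the endpoint URL is HTTPS, and returns a redacted copy in which SharedAccessKey and AccountKey are replaced by their length. The sample values in SAMPLE_ENV are constructed placeholders, not real endpoints or keys.

```javascript
// Added example, not part of the Sumo Logic page or the EventHubs_Logs function.
// Validates the three environment variables the function expects and returns a
// redacted copy that is safe to print; key material is never echoed.

const REQUIRED = {
  AzureEventHubConnectionString: ['Endpoint', 'SharedAccessKeyName', 'SharedAccessKey'],
  StorageConnectionString: ['DefaultEndpointsProtocol', 'AccountName', 'AccountKey'],
};
const SECRET_KEYS = new Set(['SharedAccessKey', 'AccountKey']);

// Azure connection strings are ';'-separated Key=Value pairs. Values may contain
// '=' (base64 keys end in padding), so split each segment on the first '=' only.
function parseConnectionString(str) {
  const out = {};
  for (const part of str.split(';')) {
    if (!part.trim()) continue;
    const i = part.indexOf('=');
    if (i < 0) throw new Error(`malformed segment: ${part}`);
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Replace secret values with their length so the result can be logged.
function redact(parsed) {
  const out = {};
  for (const [name, kv] of Object.entries(parsed)) {
    out[name] = {};
    for (const [k, v] of Object.entries(kv)) {
      out[name][k] = SECRET_KEYS.has(k) ? `<redacted ${v.length} chars>` : v;
    }
  }
  return out;
}

function validateSettings(env) {
  const problems = [];

  // SumoAuditEndpoint must be the HTTPS URL of the HTTP source from Step 1.
  try {
    const endpoint = new URL(env.SumoAuditEndpoint || '');
    if (endpoint.protocol !== 'https:') problems.push('SumoAuditEndpoint must use https');
  } catch (e) {
    problems.push('SumoAuditEndpoint is not a valid URL');
  }

  const parsed = {};
  for (const [name, keys] of Object.entries(REQUIRED)) {
    if (!env[name]) { problems.push(`${name} is missing`); continue; }
    try {
      parsed[name] = parseConnectionString(env[name]);
    } catch (e) {
      problems.push(`${name}: ${e.message}`);
      continue;
    }
    for (const k of keys) if (!parsed[name][k]) problems.push(`${name} lacks ${k}`);
  }

  // The Event Hub endpoint is a Service Bus URI; the storage endpoint should be HTTPS.
  const eh = parsed.AzureEventHubConnectionString || {};
  if (eh.Endpoint && !/^sb:\/\/[^/]+\.servicebus\.windows\.net\/?$/.test(eh.Endpoint)) {
    problems.push('AzureEventHubConnectionString Endpoint is not a Service Bus endpoint');
  }
  const st = parsed.StorageConnectionString || {};
  if (st.DefaultEndpointsProtocol && st.DefaultEndpointsProtocol !== 'https') {
    problems.push('StorageConnectionString should use https');
  }

  return { ok: problems.length === 0, problems, redacted: redact(parsed) };
}

// Constructed sample values: placeholder endpoint and keys, not real credentials.
const SAMPLE_ENV = {
  SumoAuditEndpoint: 'https://collectors.example.invalid/receiver/v1/http/PLACEHOLDER_TOKEN',
  AzureEventHubConnectionString:
    'Endpoint=sb://sumoazureaudit-abc123.servicebus.windows.net/;' +
    'SharedAccessKeyName=RootManageSharedAccessKey;' +
    'SharedAccessKey=PLACEHOLDER_KEY_BASE64==;EntityPath=insights-operational-logs',
  StorageConnectionString:
    'DefaultEndpointsProtocol=https;AccountName=sumoaudfailabc123;' +
    'AccountKey=PLACEHOLDER_KEY_BASE64==;EndpointSuffix=core.windows.net',
};

console.log(JSON.stringify(validateSettings(SAMPLE_ENV), null, 2));
```

Run the check against the real values just before editing the template or the app settings; if `ok` is false, the `problems` array names the setting to fix, and the `redacted` object is the only form that should go into a ticket or a log.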

To configure environment variables using the Azure console

  1. Click Resource Groups in the left panel of the Azure console, search for the Resource Group you entered in step 7 of Step 2. Upload ARM template above, and then click on it.
  2. In the Resource Group window click Automation Script, and then in the new window click Deploy.
  3. In the Custom Deployment Window click Edit Template.
  4. Edit the template and click Save.
  5. In the Custom Deployment Window check the Terms and Conditions checkbox and click Purchase.

Step 4. Create a Blob Container

Create a blob container to store failover data from Event Hub. This procedure assumes that you name the container "azureaudit-failover".

To create a blob container:

  1. Select Storage accounts in the left pane.
  2. On the Storage accounts page, select "sumoaudfail<UniqueSuffix>".
  3. Under Blob Service, select Containers.
  4. To add a new container, select + Container, enter the Name, and select Private for the Public Access Level. Click OK.
  5. Test the function by going to index.js, and clicking Run. To test on the receiving endpoint, go to Sumo and use the Sumo LiveTail to see the data immediately.

Step 5. Export Activity Logs to Event Hub

  1. In the left pane of Azure console, click Activity log.
  2. In the Activity log window, click Export.
  3. In the Export activity log (PREVIEW) pane, select the desired Subscriptions and Regions, and click the Export to an event hub checkbox.
  4. In the Select event hub namespace pane:
    1. In the Subscription pull-down, select a subscription.
    2. In the Event Hub Namespace pull-down, select the SumoAzureAudit<UniqueSuffix> namespace.
    3. In the Event hub policy, leave the default policy, RootManageSharedAccessKey, or select another as desired.
    4. Click OK.