To collect Azure Audit logs and Azure Active Directory Audit Reports, Sumo Logic Azure Audit scripts first authenticate with the Azure Portal and Azure Active Directory using an Active Directory application.
Create the AD Application
Create the AD Application and grant it access to your target Azure Subscription as follows:
- Login to https://portal.azure.com/.
- From the left pane, select Azure Active Directory.
- Select App Registrations.
- Click + New application registration.
- Enter the Name and Sign-on URL. You can enter any valid URL for the Sign-on URL, because the Sumo Logic app does not use interactive sign-on. Click Create.
Get the Application ID and Key
Next, you will need the Active Directory Application ID and Key to configure the Azure Marketplace template.
After creating the application in the previous step, click the name of the app. Make note of the Application ID here.
Select the app that you just created, select Keys, and enter the Description and Duration. We recommend 2 years or longer for the Duration. Click Save.
Make sure you copy the key Value after you save; the portal shows it only once, and it cannot be retrieved later.
Active Directory reports: if you want to collect Active Directory audit reports, you must also grant the app directory permissions. To do this, select the app and click Required permissions.
Select Add and click Select an API.
Choose Windows Azure Active Directory (Microsoft.Azure.ActiveDirectory) from the list and hit Select.
Select the check box Read Directory Data under both Application Permissions and Delegated Permissions. Click Select. Click Done to finish the process.
In the Required permissions screen, select Grant Permissions. Select Yes.
Get the Tenant ID
Next, you’ll need the Tenant ID. Go back to the Active Directory level, then select Properties of the active directory in the left pane. The Directory ID shown here is the Tenant ID.
Get the Subscription ID
Finally, you’ll need the Subscription ID. Select Subscriptions in the left pane.
Make a note of the Subscription ID that you want to monitor.
Add the app to the Subscription: select the Subscription and click Access Control (IAM).
Click Add. Select Reader for Role, search for the name of the app that you created earlier, and select the app. Click Save. Reader is sufficient for collecting audit logs; the app does not need a role that can modify resources.
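The portal steps above, carried out with the Az PowerShell module instead, as an added example that is not part of the Sumo Logic documentation. It assumes the Az module is installed and Connect-AzAccount has been run; the application name, the 2-year key lifetime and the parameter names are assumptions for illustration. It accepts more than one subscription ID, which the Collecting from Multiple Azure Subscriptions section below requires. The Read Directory Data permission needed for AD reports is a Graph API permission and is still granted in the portal as described above.

```powershell
# Added example (not from the Sumo Logic page): create the AD app, give it a client key, and
# assign Reader on one or more subscriptions. Requires the Az module and Connect-AzAccount.
param(
    [string]$AppName = 'SumoLogicAzureAudit',   # assumed display name
    [string[]]$SubscriptionId,                  # defaults to the current context's subscription
    [int]$KeyYears = 2                          # the page recommends 2 years or longer
)

$ctx = Get-AzContext
if (-not $ctx) { throw 'Run Connect-AzAccount first.' }
if (-not $SubscriptionId) { $SubscriptionId = @($ctx.Subscription.Id) }

# 1. App registration (no Sign-on URL is needed for a non-interactive application).
$app = Get-AzADApplication -DisplayName $AppName
if (-not $app) { $app = New-AzADApplication -DisplayName $AppName }

# 2. Service principal, so the app can be assigned a role on a subscription.
$sp = Get-AzADServicePrincipal -ApplicationId $app.AppId
if (-not $sp) { $sp = New-AzADServicePrincipal -ApplicationId $app.AppId }

# 3. Client key (the "Key" created under the app in the portal). The secret is returned once;
#    SecretText is the property name in Az.Resources 5.x and later (assumption for older versions).
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears($KeyYears)

# 4. Reader on each target subscription (least privilege: audit log collection only reads).
foreach ($sub in $SubscriptionId) {
    $scope = "/subscriptions/$sub"
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName Reader -Scope $scope -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "Reader already assigned on $sub"; continue }
    # A freshly created service principal can take a few seconds to replicate; retry briefly.
    for ($i = 0; $i -lt 6; $i++) {
        try {
            New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName Reader -Scope $scope | Out-Null
            Write-Host "Reader assigned on $sub"
            break
        } catch { Start-Sleep -Seconds 10 }
    }
}

# 5. The values the Marketplace template asks for.
[pscustomobject]@{
    'Azure AD Application Client ID' = $app.AppId
    'Azure AD Application Tenant ID' = $ctx.Tenant.Id
    'Azure Subscription ID(s)'       = ($SubscriptionId -join ', ')
}
Write-Host "Client key (store it in a secret store now; it is not shown again): $($cred.SecretText)"
```

Run it once per tenant; re-running is safe because it reuses an existing app, service principal and role assignment rather than creating duplicates, although each run issues a new client key.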
Create a Sumo Logic Access Key and ID
In Sumo Logic, create an Access Key and ID.
Run the Solutions Template from the Azure Marketplace
From the Azure Marketplace, you will search for and run the solutions template Sumo Logic for Azure Audit Logs.
This template will create an Azure Virtual Machine and configure a Sumo Logic Installed Collector. Depending on the information you provide, it will also create:
- One Local Windows Event Log Source
- One Script Source to collect Azure Audit Logs
- (Optional) One Script Source to collect Azure Active Directory Audit Reports
To run the template:
- Login to https://portal.azure.com.
- Click + New.
- In the Search field, search for Sumo Logic.
- Select Sumo Logic for Azure Audit Logs.
- Click Create.
- On the Basics tab, enter the following:
  - Collector Name. Enter the Sumo Logic Collector name. It is used as the prefix for resource names created by this template. It cannot be longer than 12 characters.
  - Sumo Logic Access ID. From your Sumo Logic account, create an Access ID and Key and enter the Access ID here. This key pair is used to register the embedded Collector with Sumo Logic.
  - Sumo Logic Access Key. Enter the Access Key here.
  - Azure Subscription ID. Enter the Azure Subscription ID from which Audit Logs are collected.
  - Azure AD Application Client ID. Create an Azure Active Directory application and enter its Client ID here. Remember to grant this application access to your subscription.
  - Azure AD Application Client Key. Enter the Azure Active Directory application Client Key here.
  - Azure AD Application Tenant ID. This is the Active Directory's Directory ID that you noted earlier.
  - Do you want to Collect AD Logs? Select Yes if you want to collect AD logs. Remember to set the right permissions for the AD application as described earlier.
  - Encryption Phrase. Enter a phrase to be used to encrypt the Azure Active Directory application credentials above.
  - Username. Enter the Admin username for the Manager and Transcoder VMs.
  - Password. Enter the password for the user account.
  - Subscription. Select your subscription from the menu.
  - Resource Group. A Resource Group is a collection of resources that share the same lifecycle, permissions and policies.
  - Location. Select your location from the menu.
- Click OK.
- On the Common Settings tab, enter the following:
  - Storage Account. Enter your storage account.
  - Virtual Network. Enter the Virtual Network to be used by this application.
  - Subnets. Enter the Subnets in the selected virtual network.
  - Diagnostics Storage Account. Enter your diagnostics storage account.
- Click OK.
- On the Sumo Logic Collector Configuration tab, enter the following:
  - Public IP Address. Enter the name of the public IP address to be assigned to the Sumo Logic Collector.
  - Domain Name Label. Enter the domain name label for the Sumo Logic Collector VM that has a public IP address. (For example, collector01. If the Location you selected earlier is West US, then the full DNS name for this example would be collector01.westus.cloudapp.azure.com.)
  - Sumo Logic Collector VM Size. Enter the size of the Sumo Logic Collector VM.
- Click OK.
- On the Summary tab, review your configuration.
- Click OK.
- On the Buy tab, click Purchase.
Azure then creates the Virtual Machine with the installed and configured Sumo Logic Collector and Sources.
Change the Network Security Group
Now change the Network Security Group of the Virtual Machine created by the solution template to restrict public access. By default, the template allows inbound access from any source on three ports: RDP on TCP 3389, and syslog on TCP 514 and UDP 514. Restrict each rule to the source addresses that actually need it, and remove the syslog rules if you do not send syslog to this Collector.
To change the Network Security Group:
- Login to https://portal.azure.com.
- Select Network Interfaces and click the interface.
- Select Network Security Group.
- Change the three Inbound security rules to fit your access policy.
- Save your changes.
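The same change made with the Az module, as an added example that is not part of the Sumo Logic documentation. It assumes an active Connect-AzAccount session and that the VM's network interface has the template's NSG attached; the resource group, NIC name and allowed source range are placeholders you supply. Only inbound Allow rules on ports 3389 and 514 are touched, and nothing takes effect until the NSG is written back at the end.

```powershell
# Added example (not from the Sumo Logic page): restrict the three inbound rules the template
# opens (TCP 3389, TCP 514, UDP 514) to an allowed source range, or drop the syslog rules.
param(
    [Parameter(Mandatory)] [string]$ResourceGroupName,
    [Parameter(Mandatory)] [string]$NicName,                 # the Collector VM's network interface
    [Parameter(Mandatory)] [string[]]$AllowedSourcePrefix,   # e.g. '203.0.113.0/24' (documentation range, placeholder)
    [switch]$RemoveSyslog                                    # remove the 514 rules instead of restricting them
)

$nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName
if (-not $nic.NetworkSecurityGroup) { throw "NIC $NicName has no Network Security Group attached." }
$nsgName = ($nic.NetworkSecurityGroup.Id -split '/')[-1]
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $nsgName

# Select only the template's inbound Allow rules; every other rule is left unchanged.
$targets = @($nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '514')
})
if ($targets.Count -eq 0) { Write-Warning 'No matching inbound rules found; nothing changed.'; return }

foreach ($rule in $targets) {
    if ($RemoveSyslog -and ($rule.DestinationPortRange -contains '514')) {
        Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name | Out-Null
        Write-Host "Removed rule $($rule.Name)"
        continue
    }
    # Rewrite the rule with its existing settings and a restricted source prefix.
    Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name `
        -Description 'Source restricted after template deployment' -Access Allow -Direction Inbound `
        -Protocol $rule.Protocol -Priority $rule.Priority `
        -SourceAddressPrefix $AllowedSourcePrefix -SourcePortRange $rule.SourcePortRange `
        -DestinationAddressPrefix $rule.DestinationAddressPrefix `
        -DestinationPortRange $rule.DestinationPortRange | Out-Null
    Write-Host "Rule $($rule.Name): source restricted to $($AllowedSourcePrefix -join ', ')"
}

# The edits above are local to $nsg; this call applies them in Azure.
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# Show the resulting inbound rules so the change can be verified.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Where-Object Direction -eq 'Inbound' |
    Select-Object Name, Priority, Protocol, SourceAddressPrefix, DestinationPortRange, Access
```

If you manage the VM through Azure Bastion or a VPN rather than public RDP, pass that network's range as the allowed prefix; an NSG rule with no public source is the simplest way to keep 3389 off the Internet.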
Collecting from Multiple Azure Subscriptions
By default, the Sumo Logic for Azure Audit Logs solution template creates one Script Source to collect audit logs for one Azure subscription, which was provided during the setup process.
The scripts behind this Script Source are located at:
C:\Program Files\Sumo Logic Collector\powershell\azure.
If you want to collect from multiple Azure subscriptions using the same Active Directory application, you must grant access to all subscriptions for this application.
Then do one of the following:
- Deploy another VM by running the template again. (This is the easiest option, but it creates a second VM.)
- Grant access manually to the existing VM.
To grant access manually to the existing VM:
- Connect to the VM with Remote Desktop (RDP), then clone the whole azure folder, for example to C:\Program Files\Sumo Logic Collector\powershell\Subscription2.
- Go to the new folder, open the file azureAuditLogConfig.ps1, and at the bottom of the file change the value of $AZURE_SUBSCRIPTION_ID to the second subscription's ID.
- Delete the profile.json and .timestamp files from the new folder, so that the clone does not reuse the first subscription's cached profile or last-collected timestamp.
- In Sumo Logic, configure a new Script Source similar to the existing Azure Audit Script Source created by the template. Make sure it points to the script in the new folder and that the Working Directory is set to the new folder.
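The VM-side part of the manual steps (clone the folder, change the subscription ID, delete the state files) as a script to run on the Collector VM, added here as an example that is not part of the Sumo Logic documentation. The folder paths follow the page; the parameter names, the GUID check, and the assumption that azureAuditLogConfig.ps1 sets the value as $AZURE_SUBSCRIPTION_ID = "..." on a line of its own are mine. The new Script Source is still created in the Sumo Logic UI as described in the last step, and the AD application must already have Reader on the second subscription.

```powershell
# Added example (not from the Sumo Logic page): prepare a second script folder for another
# subscription on the Collector VM. Run in an elevated PowerShell session over RDP.
param(
    [Parameter(Mandatory)] [string]$NewSubscriptionId,
    [string]$SourceFolder = 'C:\Program Files\Sumo Logic Collector\powershell\azure',
    [string]$TargetFolder = 'C:\Program Files\Sumo Logic Collector\powershell\Subscription2'
)

# Subscription IDs are GUIDs; refuse anything else rather than write a bad value into the config.
if ($NewSubscriptionId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    throw "'$NewSubscriptionId' is not a valid subscription ID (GUID expected)."
}
if (-not (Test-Path $SourceFolder)) { throw "Source folder $SourceFolder not found." }
if (Test-Path $TargetFolder) { throw "$TargetFolder already exists; choose a different folder name." }

# 1. Clone the whole azure folder.
Copy-Item -Path $SourceFolder -Destination $TargetFolder -Recurse

# 2. Point the clone at the new subscription. Only the $AZURE_SUBSCRIPTION_ID assignment is
#    rewritten (assumed form: $AZURE_SUBSCRIPTION_ID = "..." with single or double quotes).
$config  = Join-Path $TargetFolder 'azureAuditLogConfig.ps1'
$pattern = '(?m)^(\s*\$AZURE_SUBSCRIPTION_ID\s*=\s*)["''][^"'']*["'']'
$text = Get-Content -Path $config -Raw
if ($text -notmatch $pattern) { throw "No `$AZURE_SUBSCRIPTION_ID assignment found in $config" }
$text = [regex]::Replace($text, $pattern, ('${1}"' + $NewSubscriptionId + '"'))
Set-Content -Path $config -Value $text -Encoding UTF8

# 3. Remove the per-subscription state so the clone starts fresh instead of reusing the
#    first subscription's cached profile or last-collected timestamp.
foreach ($stateFile in 'profile.json', '.timestamp') {
    Remove-Item -Path (Join-Path $TargetFolder $stateFile) -Force -ErrorAction SilentlyContinue
}

Write-Host "Clone ready in $TargetFolder."
Write-Host 'Next: in Sumo Logic, add a Script Source that runs the script from this folder, with Working Directory set to it.'
```

Repeat with a different target folder name for each additional subscription; keeping one folder per subscription is what lets each Script Source track its own timestamp independently.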