Sumo Logic

Collect Logs for Azure Audit from Event Hub

To collect Azure Audit logs from Event Hub, you would first need to create an Event Hub, export activity logs to the Event Hub, create a Function App, define the required environment variables, and finally deploy the function.


Create an Event Hub

  1. Log in to https://portal.azure.com/.
  2. From the left pane, select Event Hubs.
  3. Click + Add.
  4. Enter the Name. Choose the appropriate Pricing tier, Subscription, Resource group, and Location. Click Create.

You’ve now created a Namespace to contain the EventHubs.

Export Activity Logs to Event Hub

  1. From the left pane, select Activity Logs.
  2. Click Export.
  3. Select the Subscriptions and Regions.
  4. Set the Retention days.
  5. Select the checkbox Export to an event hub.
  6. Select a service bus namespace. Choose the Subscription. Select the event hub namespace that you created in the previous step. Select an event hub policy name.
  7. Click OK.

Create a Function App

You would need a Function App to host the execution of all your Sumo functions. A Function App lets you group functions as a logical unit for easier management, deployment, and sharing of resources. 

  1. In the Azure portal, click + New.
  2. Go to Compute > Function App.
  3. Enter the App name, select the Subscription, and choose the Resource Group.
  4. For Hosting Plan, it is recommended that you select a standard App Service Plan instead of the dynamic Consumption Plan. The Consumption plan only charges for the time the functions run, but it imposes some startup delay. To create an App Service plan, follow the steps mentioned here.
  5. Select an App Service plan/Location, and Storage.
  6. Click Create.

You have now created a Function Plan to host your Azure functions.

Define the Environment Variables

You will need to define the required information for the function(s) under the hosting Function App's settings. 

  1. Search and select the Function App that you created in the previous step.
  2. Go to Application settings.
  3. Click + Add new setting to define a new variable. Don’t forget to save after you’ve defined the variables.

    You will need to define the following variables:

    • A variable for the Sumo HTTP endpoint URL. For example, you can name the variable SumoEndpoint. To determine your endpoint URL, see here.
    • A variable containing a connection string for the source EventHub. For example, you can name the variable AzureEventHubConnectionString.
      To get the connection string, in the Azure portal click Event Hubs in the left pane, and then select the EventHub namespace containing the source Event Hub. Under Settings, choose Shared access policies. Either create a new or select an existing access policy with Send and Listen permissions. Click the policy name, and use any connection string under that policy. 
    • A variable containing a connection string for a storage account. For example, you can name the variable StorageConnectionString. We'll use this storage account to store any data that would fail to be sent to Sumo on rare occasions.
      To get a connection string, in the Azure portal, select Storage accounts in the left pane. Then, select the storage account, and under Settings, select Access keys and select any connection string.
  4. You will also need to create a blob container under that storage account; for example, you can name it azureaudit-failover. To create a blob container, from the left pane go to Storage accounts, select your storage account, and under Blob Service, select Containers and then add a new container.

Deploy the Function

Once all the environment variables are defined, deploy your function by following these steps:

  1. Search and select the Function App that you created earlier to host the function. From there, click the + under Functions.
  2. Click Custom Function.
  3. Select EventHubTrigger - JavaScript.
    • Provide a name for your function.
    • Event Hub name. Select the source Event Hub name. For example, insights-operational-logs.
    • Event Hub connection. Select the variable defining the connection string for the event hub in the step above from the dropdown list.
    • Click Create to finish.
  4. Once the function is created, click on its name, then go to View files > Upload.

    Download all the files from sumo-function-utils, and upload them here.

  5. Open the default index.js. Replace it with the content present in this index.js. Make sure the urlString parameter value inside the function matches the name of the Sumo Endpoint environment variable that you created earlier. Keep the prefix process.env.APPSETTINGS_.
  6. Change the function integration. Under the Function name, select Integrate. Click Advanced Editor.
  7. In the function.json, add a storage output binding to the bindings array:

    {
      "type": "blob",
      "name": "outputBlob",
      "path": "azureaudit-failover/{rand-guid}",
      "connection": "NAME_OF_THE_ENV_VARIABLE_FOR_THE_STORAGE_ACCOUNT",
      "direction": "out"
    }


    Here, make two changes:

    • The path "azureaudit-failover" is the name of the blob container to host the failover data that you created in the previous section. If you used a different name, enter that name here. DO NOT modify the string {rand-guid}.
    • For “connection”, enter the name of the environment variable for the storage account that you created in the Function app.

    In the end, the bindings array should look similar to this:

    {
     "bindings": [
       {
         "type": "eventHubTrigger",
         "name": "eventHubMessages",
         "direction": "in",
         "path": "insights-operational-logs",
         "connection": "AzureLabsEventHub_DevSharedAccess_EVENTHUB",
         "cardinality": "many",
         "consumerGroup": "$Default"
       },
       {
         "type": "blob",
         "name": "outputBlob",
         "path": "azureaudit-failover/{rand-guid}",
         "connection": "sumologicstorage_STORAGE",
         "direction": "out"
       }
     ],
     "disabled": false
    }

  8. Finally, test the function by going to index.js, and clicking Run. To test on the receiving endpoint, go to Sumo and use the Sumo LiveTail to see the data immediately.