
Collect Logs for Azure Audit

Create an Active Directory Application

To collect Azure Audit logs and Azure Active Directory Audit Reports, the Sumo Logic Azure Audit scripts first authenticate with the Azure Portal and Azure Active Directory through an Active Directory application. Log in to your Azure account through the classic portal, and create the application using the instructions from Microsoft.

Login to the Azure Classic Portal

To log in to your Azure account through the classic portal:

  1. Login to
  2. From the bottom left of the Hub menu, click Browse, then select Active Directory.
  3. You will be transferred to the classic portal.
  4. There, from the left pane, select Active Directory again.  

Create the AD Application

Create the AD Application and grant it access to your target Azure Subscription using these instructions from Microsoft:

Use the following customizations to the configuration:

  1. At Step 7, for Tell us about your application, enter the name Sumo Logic Audit Collector.
  2. At Step 8, under Add properties enter:

Create a Sumo Logic Access Key and ID

In Sumo Logic, create an Access Key and ID.

Run the Solutions Template from the Azure Marketplace

From the Azure Marketplace, search for and run the solutions template Sumo Logic for Azure Audit Logs.

This template will create an Azure Virtual Machine and configure a Sumo Logic Installed Collector. Depending on the information you provide, it will also create:

To run the template:

  1. Login to
  2. Click + New.
  3. In the Search field, search for Sumo Logic.
  4. Select Sumo Logic for Azure Audit Logs.
  5. Click Create.
  6. On the Basics tab, enter the following:
    1. Collector Name. Enter the Sumo Logic Collector name. It is used as the prefix for resource names created by this template. It cannot be longer than 12 characters.
    2. Sumo Logic Access ID. From your Sumo Logic account, create an Access ID and Key and enter the Access ID here. This key pair is used to register the embedded Collector with Sumo Logic.
    3. Sumo Logic Access Key. Enter the Access Key here.
    4. Azure Subscription ID. Enter the Azure Subscription ID, which is used to collect Audit Logs.
    5. Azure AD Application Client ID. Create an Azure Active Directory application and enter its Client ID here. Remember to grant access to your subscription for this application.
    6. Azure AD Application Client Key. Enter the Azure Active Directory application Client Key here.
    7. Azure AD Application Tenant ID. Enter the Tenant ID from the endpoints of your Azure Active Directory application here.
    8. Do you want to Collect AD Logs? Select Yes.
    9. Encryption Phrase. Enter a phrase to be used to encrypt the Azure Active Directory application credentials above.
    10. Username. Enter the Admin username for the Manager and Transcoder VMs.
    11. Password. Enter the password for the user account.
    12. Subscription. Select your subscription from the menu.
    13. Resource Group. A Resource Group is a collection of resources that share the same lifecycle, permissions, and policies.
    14. Location. Select your location from the menu.
  7. Click OK.
  8. On the Common Settings tab, enter the following:
    1. Storage Account. Enter your storage account.
    2. Virtual Network. Enter the Virtual Network to be used by this application.
    3. Subnets. Enter the Subnets in the selected virtual network.
    4. Diagnostics Storage Account. Enter your diagnostics storage account.  
  9. Click OK.
  10. On the Sumo Logic Collector Configuration tab, enter the following:
    1. Public IP Address. Enter the name of the public IP address to be assigned to the Sumo Logic Collector.
    2. Domain Name Label. Enter the domain name label for the Sumo Logic Collector VM that has a public IP address. (For example: collector01. If the Location you selected earlier is West US, then the full DNS name for this example would be:
    3. Sumo Logic Collector VM Size. Enter the size of the Sumo Logic Collector VM.
  11. Click OK.
  12. On the Summary tab, review your configuration.
  13. Click OK.
  14. On the Buy tab, click Purchase.

Azure then creates the Virtual Machine with the installed and configured Sumo Logic Collector and Sources.

Change the Network Security Group

Next, change the Network Security Group of the Virtual Machine created by the solution template to restrict public access. By default, the template allows public access to three ports: RDP on 3389, and syslog on 514 TCP and 514 UDP.

To change the Network Security Group:

  1. Login to
  2. Select Network Interfaces and click the interface. 
  3. Select Network Security Group.
  4. Change the three Inbound security rules to fit your access policy.
  5. Save your changes. 
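
To confirm the change took effect, the following added example (not part of the Sumo Logic template or documentation) lists inbound Allow rules that still expose 3389 or 514 to any source, including rules that cover those ports through a range. The function names, rule names and sample rules are constructed for illustration; the property names match the rule objects returned by Get-AzNetworkSecurityGroup.

```powershell
# Added example: function names and sample rules are constructed, not from the template.
function Test-PortInRange([int]$Port, [string]$Range) {
    # NSG port ranges are '*', a single port ('514') or a span ('500-600').
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range -split '-', 2
    if (-not $hi) { $hi = $lo }
    return ($Port -ge [int]$lo -and $Port -le [int]$hi)
}

function Get-ExposedCollectorRule {
    param([Parameter(Mandatory)] [object[]]$Rules)
    # Ports the page says the template opens to the public by default.
    $watched   = @(@{ Port = 3389; Service = 'RDP' }, @{ Port = 514; Service = 'syslog' })
    $anySource = '*', 'Internet', '0.0.0.0/0'
    foreach ($r in $Rules) {
        if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
        $open = @($r.SourceAddressPrefix | Where-Object { $anySource -contains $_ })
        if ($open.Count -eq 0) { continue }   # source already restricted
        foreach ($w in $watched) {
            $hit = @($r.DestinationPortRange | Where-Object { Test-PortInRange $w.Port $_ })
            if ($hit.Count -gt 0) {
                [pscustomobject]@{
                    Rule = $r.Name; Port = $w.Port; Service = $w.Service
                    Protocol = $r.Protocol; Source = $open -join ','
                }
            }
        }
    }
}

# Constructed sample shaped like (Get-AzNetworkSecurityGroup ...).SecurityRules.
$sample = @(
    [pscustomobject]@{ Name = 'rdp-any'; Direction = 'Inbound'; Access = 'Allow'; Protocol = 'Tcp'
                       SourceAddressPrefix = @('*'); DestinationPortRange = @('3389') }
    [pscustomobject]@{ Name = 'syslog-udp-admin'; Direction = 'Inbound'; Access = 'Allow'; Protocol = 'Udp'
                       SourceAddressPrefix = @('203.0.113.0/24'); DestinationPortRange = @('514') }
    [pscustomobject]@{ Name = 'wide-range'; Direction = 'Inbound'; Access = 'Allow'; Protocol = 'Tcp'
                       SourceAddressPrefix = @('Internet'); DestinationPortRange = @('500-600') }
)
Get-ExposedCollectorRule -Rules $sample | Format-Table

# Against the real NSG (placeholders, requires the Az.Network module and a signed-in session):
# $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName '<resource-group>' -Name '<nsg-name>'
# Get-ExposedCollectorRule -Rules $nsg.SecurityRules
```

On the sample, rdp-any and wide-range are reported and syslog-udp-admin is not, because its source is already limited to one network.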

Collecting from Multiple Azure Subscriptions

By default, the Sumo Logic for Azure Audit Logs solution template creates one Script Source to collect audit logs for one Azure subscription, which was provided during the setup process.

The scripts behind this Script Source are located at:

C:\Program Files\Sumo Logic Collector\powershell\azure.

If you want to collect from multiple Azure subscriptions using the same Active Directory application, you must grant access to all subscriptions for this application.

Then do one of the following:

  1. Deploy another VM by running the template again. (This is the easiest way, but it will generate a different VM.)  
  2. Grant access manually to the existing VM.

To grant access manually to the existing VM:

  1. Connect to the VM over Remote Desktop Protocol (RDP), then clone the whole azure folder, for example, to C:\Program Files\Sumo Logic Collector\powershell\Subscription2.
  2. Go to this folder, open the file azureAuditLogConfig.ps1, and at the bottom of the file, change the value of $AZURE_SUBSCRIPTION_ID.
  3. Delete profile.json and .timestamp files from this folder.
  4. In Sumo Logic, configure a new Script Source similar to the existing Azure Audit Script Source created by the template. Also make sure it points to the new folder, and that the Working Directory is populated.
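
Steps 1 to 3 can be scripted on the collector VM. This is an added example, not a script shipped with the template. The function name is hypothetical, and it assumes the subscription ID is set in azureAuditLogConfig.ps1 by a line of the form `$AZURE_SUBSCRIPTION_ID = "..."`.

```powershell
# Added example; run in an elevated PowerShell session on the collector VM.
function New-SubscriptionScriptFolder {
    param(
        [Parameter(Mandatory)] [string]$SubscriptionId,
        [string]$Source = 'C:\Program Files\Sumo Logic Collector\powershell\azure',
        [string]$Target = 'C:\Program Files\Sumo Logic Collector\powershell\Subscription2'
    )
    $ErrorActionPreference = 'Stop'
    [void][guid]::Parse($SubscriptionId)          # reject a mistyped subscription ID early
    if (Test-Path -LiteralPath $Target) { throw "Target folder already exists: $Target" }

    # Step 1: clone the whole azure folder.
    Copy-Item -LiteralPath $Source -Destination $Target -Recurse

    # Step 2: change the last $AZURE_SUBSCRIPTION_ID assignment in the copy
    # (the page places it at the bottom of the file; the line format is an assumption).
    $config  = Join-Path $Target 'azureAuditLogConfig.ps1'
    $lines   = @(Get-Content -LiteralPath $config)
    $pattern = '^\s*\$AZURE_SUBSCRIPTION_ID\s*='
    $last = -1
    for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i] -match $pattern) { $last = $i } }
    if ($last -lt 0) { throw "No `$AZURE_SUBSCRIPTION_ID assignment found in $config" }
    $lines[$last] = '$AZURE_SUBSCRIPTION_ID = "{0}"' -f $SubscriptionId
    Set-Content -LiteralPath $config -Value $lines

    # Step 3: delete the copied profile.json and .timestamp files.
    Get-ChildItem -LiteralPath $Target -File -Force |
        Where-Object { $_.Name -eq 'profile.json' -or $_.Name -like '*.timestamp' } |
        Remove-Item -Force

    # Show the resulting assignment so it can be checked before the Script Source is created.
    Select-String -LiteralPath $config -Pattern $pattern
}

# Placeholder ID; replace with the second subscription's ID.
# New-SubscriptionScriptFolder -SubscriptionId '<second-subscription-id>'
```

The function stops if the target folder already exists, so an earlier clone is never overwritten; step 4 (the new Script Source) is still configured in Sumo Logic.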