AZLog vs Event Hub RRS feed

  • Question

  • Hello,

    We are very new to the Azure space and are just now getting into the logging needs. We are trying to pipe different events into our SIEM (LogRhythm), which does not have a 'connector' built yet. We are trying to understand the difference between setting up AZLog and using the 'Event Hub' method. Any high-level guidance on the differences and when it makes sense to use which method would be appreciated. Thanks.

    Monday, April 16, 2018 2:46 PM

All replies

  • Hello Owtucker,

    Happy to provide guidance and helpful resources to get you more familiar with AzLog & EventHubs.

    Please note that almost all of Azure's management and monitoring services are designed to complement each other and are intended to be consumed as a solution suite, as you will see in some of the references shared below.


    Az Log Integrator:

    1. Intro & Overview of Log Integrator service
    2. Azure Log Integration FAQs


    EventHubs:

    1. Intro & Overview of EventHubs
    2. Feature Sets
    3. EventHub FAQs


    Tutorial: Using Log Integrator w/ Event Hubs.

    This tutorial walks you through the process of taking Azure Key Vault activity logged to an event hub and making it available as JSON files to your SIEM system. You can then configure your SIEM system to process the JSON files.


    Please don't hesitate to ping me if you have any questions.


    Cheers,

    Tuesday, April 17, 2018 10:32 PM
    Moderator
  • Thanks Femisulu!

    I guess where I am confused is getting the other elements, logged in syslog form, out of Azure to my SIEM that does not have a connector. I know AZLog has the JSON folders in the AZLog user folder, but how do I get syslog from, say, Resource Manager, Diagnostics, and Security Center? Do I need to stream them to an event hub and then grab them all from the EventHub folder on the AZLog server?

    I've been able to configure VMs to log to a storage account and then pull them into the AZLog server from the account into forwarded events, but it seems like the other Azure logs are a different animal and I have not seen instructions for those. Thank you so much.

    Wednesday, April 18, 2018 5:38 PM
    Sorry for the delay; perhaps your idea of streaming to Event Hubs may be a feasible path. What is your SIEM vendor? I can try to find a connector that would work. Alternatively, there is also the option of building a custom connector. I will dig internally to try to find you a helpful tutorial.

    Cheers.

    Friday, April 20, 2018 5:56 AM
    Moderator
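The tutorial referenced in the first reply takes Key Vault activity that diagnostic settings have streamed to an event hub and hands it to the SIEM as JSON files, and the reply above suggests a custom connector when the SIEM has none. The example below, added to this thread and not code from Microsoft, LogRhythm or any poster, shows the core of such a connector: it unpacks one Event Hub message body in the Azure resource-log envelope (a JSON object whose `records` array holds one entry per operation) and renders each record as an RFC 5424 syslog line, which is the form a SIEM without a native Azure connector can usually ingest. The message body and its two Key Vault `AuditEvent` records are hand-written sample data in that schema, not captured logs; the `hostname`/`app` values and the `azure@32473` structured-data ID (32473 is the enterprise number RFC 5424 reserves for documentation examples) are placeholders to replace. Reading from the hub with the Azure SDK and shipping the lines to the SIEM over TCP/TLS are left out so the block runs offline.

```python
import json

# Constructed sample: the body of one Event Hub message as an Azure diagnostic
# setting emits it. Records are batched under a "records" key; the two Key Vault
# AuditEvent entries below are hand-written in that schema, not captured logs.
VAULT_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
            "RG-LOGS/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/EXAMPLE-KV")
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2018-04-18T17:38:12.345Z", "resourceId": VAULT_ID,
     "operationName": "SecretGet", "category": "AuditEvent",
     "resultType": "Success", "resultSignature": "OK", "durationMs": "27",
     "callerIpAddress": "203.0.113.10",
     "identity": {"claim": {"appid": "11111111-2222-3333-4444-555555555555"}},
     "properties": {"httpStatusCode": 200,
                    "requestUri": "https://example-kv.vault.azure.net/secrets/db-password/?api-version=2016-10-01"}},
    {"time": "2018-04-18T17:38:40.001Z", "resourceId": VAULT_ID,
     "operationName": "VaultGet", "category": "AuditEvent",
     "resultType": "Unauthorized", "resultSignature": "Forbidden", "durationMs": "3",
     "callerIpAddress": "198.51.100.7",
     "identity": {"claim": {"upn": "someone@example.com"}},
     "properties": {"httpStatusCode": 403,
                    "requestUri": "https://example-kv.vault.azure.net/?api-version=2016-10-01"}},
]})

FACILITY_LOCAL0 = 16          # RFC 5424: PRI = facility * 8 + severity
SEV_WARNING, SEV_INFO = 4, 6


def records_from_message(body: str) -> list:
    """Return the resource-log records carried by one Event Hub message body.

    Diagnostic settings batch records as {"records": [...]}; a bare record or a
    bare list is accepted too, so a single JSON file from the AzLog output
    folder can be fed through the same path. Malformed JSON raises rather than
    being dropped silently, so a broken feed is noticed.
    """
    doc = json.loads(body)
    if isinstance(doc, dict) and isinstance(doc.get("records"), list):
        recs = doc["records"]
    elif isinstance(doc, list):
        recs = doc
    else:
        recs = [doc]
    return [r for r in recs if isinstance(r, dict)]


def _sd_escape(value) -> str:
    # RFC 5424 6.3.3: '"', '\' and ']' must be backslash-escaped in PARAM-VALUE,
    # otherwise a crafted request URI could close the structured-data element.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def severity_for(record: dict) -> int:
    """Anything that is not a success, or carries an HTTP status >= 400, is
    emitted as WARNING so the SIEM can alert on it; the rest is INFO."""
    result = str(record.get("resultType", "")).lower()
    props = record.get("properties")
    status = props.get("httpStatusCode") if isinstance(props, dict) else None
    try:
        status = int(status) if status is not None else 0
    except (TypeError, ValueError):
        status = 0
    if result not in ("", "success", "succeeded") or status >= 400:
        return SEV_WARNING
    return SEV_INFO


def caller_of(record: dict) -> str:
    """Best-effort principal: user UPN, else application id, else object id."""
    identity = record.get("identity")
    claim = identity.get("claim") if isinstance(identity, dict) else None
    if not isinstance(claim, dict):
        return "-"
    return claim.get("upn") or claim.get("appid") or claim.get("oid") or "-"


def to_syslog(record: dict, hostname: str = "azlog", app: str = "azure-diag") -> str:
    """Render one Azure resource-log record as an RFC 5424 syslog line.

    The fields a SIEM keys on (resource, operation, result, caller, source IP)
    go into a structured-data element; the whole record is kept as compact JSON
    in MSG so nothing is lost for later investigation. hostname/app are
    placeholders; 32473 is the RFC 5424 example enterprise number.
    """
    pri = FACILITY_LOCAL0 * 8 + severity_for(record)
    params = {
        "resourceId": record.get("resourceId", "-"),
        "operationName": record.get("operationName", "-"),
        "resultType": record.get("resultType", "-"),
        "caller": caller_of(record),
        "callerIp": record.get("callerIpAddress", "-"),
    }
    sd = "[azure@32473 " + " ".join(f'{k}="{_sd_escape(v)}"' for k, v in params.items()) + "]"
    msg = json.dumps(record, separators=(",", ":"), sort_keys=True)
    return f"<{pri}>1 {record.get('time', '-')} {hostname} {app} - {record.get('category', '-')} {sd} {msg}"


def convert_message(body: str) -> list:
    """One Event Hub message body in, one syslog line per record out."""
    return [to_syslog(r) for r in records_from_message(body)]


if __name__ == "__main__":
    for line in convert_message(SAMPLE_MESSAGE):
        print(line)
```

Running the block prints one `<134>` (INFO) line for the successful `SecretGet` and one `<132>` (WARNING) line for the forbidden `VaultGet`, with the caller and source IP ready to be parsed by the SIEM's syslog rules. Two caveats before pointing it at a real hub: Event Hub messages can carry many records, so the consumer must process every element of `records`, not just the first; and many syslog receivers cap a message at 2 KiB or 8 KiB, so either raise that limit on the SIEM side or trim the JSON in MSG to the properties you actually need rather than letting the receiver truncate it at an arbitrary byte.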
  • Hi,

    Any solution on this thread?

    We are also facing the same scenario, where we need to ingest logs from App Insights into a SIEM (LogRhythm).

    Thanks,

    Nitin


    Thursday, June 20, 2019 2:24 AM