How to process Azure Log events from Event hub and filter based on criteria

  • Question

  • How to process Azure Log events from Event hub and filter based on criteria.

    We are trying to filter specific critical or security related Diagnostic and Activity logs before feeding into our Onprem SIEM solution.

    Can someone please guide me on how to filter the data from Event hub and then re-ingest into another event hub. Whether this is possible or any other alternatives are available out there.

    At a high level, the flow is shown below. Source from Diagnostic Logs (Monitor) -> Event Hub -> Filter/Query -> Event Hub

    Saturday, March 14, 2020 1:42 AM

All replies

  • Thanks for reaching out! AFAIK, it's not possible to filter out Windows event data before ingesting into log analytics. One suggestion which might work is that you can filter data using a PowerShell script and store it in a different location and use the Custom Logs feature to ingest data into log analytics.

    You can share the product feedback or suggestions directly with responsible Azure feature team here.

    Hope this helps!

    Monday, April 6, 2020 4:29 AM
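The Event Hub -> Filter -> Event Hub stage from the question, written out as an added example (not code from either poster): a consumer-side filter that parses the `{"records": [...]}` envelope Azure Monitor uses when exporting diagnostic and activity logs to an Event Hub, keeps only security-related or critical records, and re-wraps them in the same envelope for the destination hub. The category and level sets, the `send` callback (stand-in for the destination Event Hub producer) and the sample messages are assumptions constructed for the example.

```python
import json
from typing import Callable, Dict, Iterable, List

# Azure Monitor delivers diagnostic and activity logs to an Event Hub as JSON
# bodies shaped {"records": [ {...}, {...} ]}; each record carries fields such
# as "category", "level", "operationName" and "resourceId".
# The selection rules below are assumptions for the example; tune them to the SIEM.
KEEP_CATEGORIES = {"Security", "Administrative", "Alert"}   # activity-log categories
KEEP_LEVELS = {"Critical", "Error"}                          # diagnostic-log severities

def is_relevant(record: Dict) -> bool:
    """Return True when a record is critical or security related."""
    return (record.get("category") in KEEP_CATEGORIES
            or record.get("level") in KEEP_LEVELS)

def filter_batch(body: str) -> List[Dict]:
    """Parse one Event Hub message body and keep only relevant records."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return []            # malformed message: drop it rather than crash the consumer
    records = payload.get("records", []) if isinstance(payload, dict) else []
    return [r for r in records if isinstance(r, dict) and is_relevant(r)]

def forward(bodies: Iterable[str], send: Callable[[str], None]) -> int:
    """Filter every incoming body and hand matching records to `send`,
    re-wrapped in the same {"records": [...]} envelope so the consumer on the
    destination Event Hub (the on-prem SIEM collector) sees the original format.
    Returns the number of records forwarded."""
    total = 0
    for body in bodies:
        kept = filter_batch(body)
        if kept:
            send(json.dumps({"records": kept}))
            total += len(kept)
    return total

# Constructed sample messages (not real Azure data) in the export format.
SAMPLE_BODIES = [
    json.dumps({"records": [
        {"time": "2020-03-14T01:42:00Z", "category": "Administrative",
         "operationName": "Microsoft.Authorization/roleAssignments/write"},
        {"time": "2020-03-14T01:43:00Z", "category": "AuditEvent", "level": "Informational"},
    ]}),
    json.dumps({"records": [{"category": "Engine", "level": "Critical", "operationName": "ServiceCrash"}]}),
    "not json at all",  # a malformed message must not break the consumer
]
```

In an Azure Function with an Event Hub trigger, `forward` would be called with the batch of event bodies and `send` would wrap the destination hub's producer client.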