SmartConnector for Microsoft Azure Monitor Event Hub

over 2 years ago

The Microsoft Azure Monitor Event Hub guide can be found here

Anonymous
  • Hello, has anyone been successful in getting this to work? I only have the option to configure the connector; a vendor is hosting the event hub.

  • Yes, all .map files are original from installation. However, I got a suggestion from support to upgrade "Arcsight Azure Monitor EventHub Connector 7.10.0" to 7.13 (latest version). But I am not sure how to upgrade this in Azure.

    Have you upgraded the connector? If yes, could you please guide me.

    Thanks!


  • Congrats, we experienced the same struggles.
    We do receive Security Center logs. The events are partially parsed in a proper way. Lots of crucial data is 'summarized' in the cs1-5 fields. That is why we wanted to change the .map files as the config guide describes, see my previous post.
    We noticed that when the .map files are altered, the events will not be processed. Are all your .map files still original from installation?

    Also keep in mind that restarting the ArcSight connector also requires restarting the Azure Function, as it will stop sending when the periodic connectivity check has failed.

  • With much difficulty we were able to get Azure logs into ArcSight, but we are still struggling to get Security Center logs. It seems the existing parser does not parse the complete logs from Security Center.

    Does anyone face the same issue? Please help with how we can get Security Center logs into ArcSight.

    Regards,

    Hemant

  • Hi,
    Has anyone here already tried creating a custom .map file?
    I followed the config manual and tried multiple times, but even the most basic troubleshooting map file doesn't seem to make a difference. For example, as a test, putting the eventName/value in cs1 doesn't fill the field.
    The function log says the map file is processed correctly, with 0 unprocessed events.
    Also, just for troubleshooting, removing all the map files leaves you with 0 events being sent. So the map files do work, but we are unable to modify them as the guide says?

  • Hi all,

    By testing with a major Azure client, we don't believe it is the right way to go.

    First of all, it seems that ArcSight isolated the JAR files from the SmartConnector, to put it in an Azure Service Plan. So it is practically a SmartConnector running "natively" on Azure, that gets its input from an Azure EventHub. The output should of course go to a syslog-ng somewhere, so it makes sense.

    The problem is that the setup is very complex and had much troubleshooting, just to get the "supported" logs from one Azure subscription.

    I think the best way is to get your hands dirty and write a Python script that is able to extract logs from either:

    1. Azure Graph API / Insights API
    2. Or send the Azure logs to Azure Log Analytics (OMS) and query the analytics API

    Of course, you have to create the CEF format within the code you create.

    It has difficulties of course, but you totally control the pipeline this way.
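As an added example (not code from this thread, from ArcSight or from Microsoft) of the "build the CEF format yourself" approach suggested above, and of where the "summarized in cs1-5" behaviour mentioned earlier in the thread comes from, the following script turns a constructed Azure Monitor-style JSON record into a CEF line and wraps it in an RFC 5424 syslog frame for a syslog-ng receiver. The vendor/product/version header values, the level-to-severity mapping, the chosen extension keys and the sample record are all assumptions; the two escape functions implement the CEF rules (escape `\` and `|` in the header, `\` and `=` plus line breaks in extension values), which is the part most home-grown converters get wrong and which lets a log line inject fake fields into the SIEM.

```python
"""Azure Monitor JSON record -> CEF line -> RFC 5424 syslog frame.

Added example, not ArcSight's or Microsoft's code. Header values, severity
mapping and the sample record are assumptions made for illustration.
"""
import json
from datetime import datetime, timezone

# Assumed mapping of the Azure "level" field to CEF severity (0-10).
SEVERITY = {"Informational": 3, "Warning": 5, "Error": 7, "Critical": 10}

# Constructed sample resembling an Azure Activity Log record (not real data).
SAMPLE_RECORD = {
    "time": "2023-01-01T12:00:00Z",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"
                  "/RESOURCEGROUPS/RG-DEMO/PROVIDERS/MICROSOFT.COMPUTE"
                  "/VIRTUALMACHINES/VM-DEMO",
    "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
    "category": "Administrative",
    "resultType": "Success",
    "level": "Warning",
    "callerIpAddress": "203.0.113.10",
    "identity": {"claims": {"name": "alice@example.com"}},
    # The '|' and '=' here are deliberate: untouched they would corrupt the CEF line.
    "properties": {"statusCode": "Accepted", "message": "Started VM | by=alice"},
}


def escape_header(value) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value) -> str:
    """CEF extension values: escape backslash, '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def epoch_ms(ts: str) -> int:
    """Azure timestamps may carry up to 7 fractional digits and a trailing 'Z';
    trim them to what datetime.fromisoformat accepts and return ms since epoch
    (CEF 'rt')."""
    ts = ts.rstrip("Z")
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{(frac + '000000')[:6]}"
    dt = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000


def to_cef(record: dict) -> str:
    """Build one CEF:0 line. Fields that would otherwise be lost are dumped as
    compact JSON into cs2; promote anything you need to query into its own key."""
    op = record.get("operationName", "unknown")
    header = "|".join([
        "CEF:0",
        escape_header("Microsoft"),       # device vendor (assumed)
        escape_header("Azure Monitor"),   # device product (assumed)
        escape_header("1.0"),             # device version (assumed)
        escape_header(op),                # signature id
        escape_header(op),                # name
        str(SEVERITY.get(record.get("level"), 3)),
    ])
    claims = record.get("identity", {}).get("claims", {})
    ext = [
        ("rt", epoch_ms(record["time"])),
        ("cat", record.get("category")),
        ("act", op),
        ("outcome", record.get("resultType")),
        ("src", record.get("callerIpAddress")),
        ("suser", claims.get("name")),
        ("cs1Label", "resourceId"),
        ("cs1", record.get("resourceId")),
        ("cs2Label", "properties"),
        ("cs2", json.dumps(record.get("properties", {}),
                           separators=(",", ":"), sort_keys=True)),
    ]
    ext_str = " ".join(f"{k}={escape_extension(v)}" for k, v in ext if v is not None)
    return f"{header}|{ext_str}"


def syslog_frame(msg: str, host: str = "azure-func", app: str = "cef") -> str:
    """RFC 5424 framing for syslog-ng: facility local0 (16) * 8 + severity
    informational (6) = PRI 134. Host and app names are assumptions."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")
    return f"<134>1 {ts} {host} {app} - - - {msg}"


if __name__ == "__main__":
    print(syslog_frame(to_cef(SAMPLE_RECORD)))
```

Sending the frame over TLS to syslog-ng is a plain `ssl`-wrapped socket write with a trailing newline; it is left out here so the block runs offline. Note the deliberate `|` and `=` in the sample message: without the escaping functions the first would shift every later header column and the second would be parsed as a new `by=alice` extension key.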

  • I tried to configure the SmartConnector, but I need to verify the actual working of the SmartConnector. It seems to forward logs from Azure to the ArcSight syslog directly, but how is the flow in Azure for conversion and storing? Does it convert the logs from JSON to CEF, store the CEF and forward it, or does it just convert the logs to CEF format and send them rather than storing them? These things are still not clear in the documentation.

  • Hi,

    I installed this and I would like to share my knowledge.

    This is not a real connector and it does not install a standard ArcSight connector; it will set up everything it needs in the cloud. You will need a Syslog NG connector to get the data, and this can be installed in or out of the cloud. You will also need a Windows server in the cloud to run the PowerShell script to configure your Azure cloud (this is included in the zip).

    1- Set up a Syslog NG connector with TLS in or out of the cloud; obviously, if it is out of the cloud it needs to be accessible from the cloud.

    2- From the Windows server in the cloud you run the PowerShell script to set up everything. Follow the install instructions in the documentation. You don't need to keep the server unless you want to rerun the config or upgrade the install.

    3- There is a lot of stuff to be configured and it may take a few runs to make it work.

  • I am also having challenges in understanding the architecture of this connector setup. The event hub connector most likely has to be set up on a Windows Server in Azure because it has to create all the event hubs and namespaces etc. What's unclear is where the Syslog NG SmartConnector needs to be installed. Can it be installed on premises, or does it have to be on a server in Azure as well? I'm assuming and hoping it's the former, but the documentation is very unclear and confusing. In fairness, it has a lot of detail, but it just really needs a review to put it all together in a more coherent and consistent manner.

    Also, it would be very helpful to have an idea of the minimum spec that the event hub connector server needs to be. I know it will vary by size of subscription, but some examples from the field would be really great as a starting point! :-)

  • Thank you we are now looking into the details on how to implement it.

    The question I got is whether this adapter uses a push or pull mechanism to get event data from Azure Functions to the on-premises ArcSight Connector appliance.

    The documentation is not very extensive on how this works. We might have other follow-up questions; if they arise I will post them.
