
SmartConnector for Microsoft Azure Monitor Event Hub

Comments

Hi Daniela,

Within the content of the PDF a zip file is referenced: arcsight-azure-cloud-emitter.zip
This is nowhere to be found...

In the past, there was a Supporting Files folder within the SmartConnectors Documentation ZIP file. In the latest version it does not exist. I expected the referenced file to be there.

BR.

Dimitris

Can anyone please wake Daniela up. 

I need this file also

The hunting of the zip file......

Thanks to the ArcSight support guys from Prague. The mystery has been resolved...

There is a typo in the documentation...

The file is located in the same location as the connector binaries, and the name is

arcsight-azure-monitor-eventhub-connector-7.10.0.zip

Hi, thanks for clarifying the emitter file name. I also had some other issues/questions, see support ticket SD02362634. I recommend clarifying whether this solution can be installed on premise. I was given two different answers. Page 6 says "Certified Platforms for Azure Event Hubs Deployment Operating System: Microsoft Windows Server 2012 (in the cloud with Azure)." Can the Windows 2012 server the connector is installed on be on premise, or is it required to be in Azure infrastructure? My syslog connectors are on prem. Thanks!

This is a somewhat different connector/solution and I'm still on the fence about putting effort into deploying it due to its complexity. Also, we might have to pay extra for Azure Function App / Monitor data usage. At the moment, I'm specifically interested in sign-in logs and I am able to view the log data in Azure. There are lots of fields available! However, it would be very helpful to know what data fields this solution collects. A 'Device Event Mapping to ArcSight Fields / Mappings' section of this guide would be very helpful for me to understand the data that this is able to collect and justify utilizing this connector. Even some ESM screenshots of sample data would be helpful. Thanks!

Does the Azure EventHub connector support App Service Environment Isolated?

According to the document it has App Service Plan and Consumption.

We are also looking into the Azure Event Hub connector for ArcSight, replacing Microsoft AzLog which is EOL in June 2019.

The questions we have:

1. We would like a clear cut in setting up the Event Hub in Azure itself and actually consuming the events from it. In the current version of the docs it states that upon install the Event Hubs are created inside Azure.  Is there a possibility to attach/connect the connector to an existing Event Hub inside Azure?

2. There is no information on capacity/throughput provided in the docs. Can anyone state how many events they are pushing towards the ArcSight environment on-prem using this Azure Event Hub approach?


Regards, Richard

Achmea


Need the arcsight-azure-monitor-eventhub-connector-7.10.0.zip connector. Also need information on how to go ahead with configuration. The connector is on premise (Windows Server 2012) and not on the Azure cloud.

Thank you we are now looking into the details on how to implement it.

The question I got is whether this adapter uses a push or pull mechanism to get event data from Azure Functions to the on-premises ArcSight Connector appliance.

The documentation is not very extensive on how this works. We might have other follow-up questions; if they arise I will post them.

I am also having challenges in understanding the architecture of this connector set-up. The event hub connector most likely has to be set up on a Windows Server in Azure because it has to create all the event hubs and namespaces etc. What's unclear is where the Syslog NG SmartConnector needs to be installed. Can it be installed on premises, or does it have to be on a server in Azure as well? I'm assuming and hoping it's the former, but the documentation is very unclear and confusing. In fairness, it has a lot of detail, but it just really needs a review to put it all together in a more coherent and consistent manner.

Also, it would be very helpful to have an idea of the minimum spec that the event hub connector server needs to be. I know it will vary by size of subscription, but some examples from the field would be really great as a starting point! 🙂

Hi,

I installed this and I would like to share my knowledge.

This is not a real connector and it does not install a standard ArcSight connector; it will set up everything it needs in the cloud. You will need a Syslog NG connector to get the data, and this can be installed in or out of the cloud. You will also need a Windows server in the cloud to run the PowerShell script to configure your Azure cloud (this is included in the zip).

1- Set up a Syslog NG connector with TLS in or out of the cloud; obviously, if it is out of the cloud it needs to be accessible from the cloud.

2- From the Windows server in the cloud, run the PowerShell script to set up everything. Follow the install instructions in the documentation. You don't need to keep the server unless you want to rerun the config or upgrade the install.

3- There is a lot of stuff to be configured and it may take a few runs to make it work.

I tried to configure the SmartConnector, but I need to verify the actual working of the SmartConnector, as it seems to forward logs from Azure to the ArcSight syslog directly. But how is the flow in Azure for conversion and storing in Azure: does it convert the logs from JSON to CEF, store the CEF and forward it, or does it just convert the logs to CEF format and send them rather than storing them? These things are still not clear in the documentation.

Hi all,

By testing with a major Azure client, we don't believe it is the right way to go.

First of all, it seems that ArcSight isolated the JAR files from the SmartConnector, to put it in an Azure Service Plan. So it is practically a SmartConnector running "natively" on Azure, that gets its input from an Azure EventHub. The output should of course go to a syslog-ng somewhere, so it makes sense.

The problem is that the setup is very complex and needed much troubleshooting, just to get the "supported" logs from one Azure subscription.

I think the best way is to get your hands dirty and write a Python script that is able to extract logs from either:

  1. Azure Graph API / Insights API
  2. Or send the Azure logs to Azure Log Analytics (OMS) and query the analytics API

Of course, you have to create the CEF format within the code you create.

It has difficulties of course, but you totally control the pipeline this way.
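As an added example of the custom-pipeline approach the comment above describes (this is not code from the commenter, Micro Focus or ArcSight): a small Python converter that takes a JSON record in the shape of an Azure AD sign-in log, maps it to a CEF line with the escaping the CEF header and extension rules require, and wraps it in a BSD-syslog frame for delivery over TLS to a Syslog NG SmartConnector. The record layout in `SAMPLE_SIGNIN`, the vendor/product values and the choice of ArcSight fields (`src`, `suser`, `cs1`, `cs2`) are assumptions for illustration; the listener host, port and CA file in `send_over_tls` are placeholders.

```python
import socket
import ssl
import time
from datetime import datetime, timezone

# Constructed sample record in the shape of an Azure AD sign-in log entry as
# exported to an Event Hub (field names are illustrative assumptions).
SAMPLE_SIGNIN = {
    "time": "2019-08-08T02:32:10Z",
    "operationName": "Sign-in activity",
    "category": "SignInLogs",
    "resultType": "50126",
    "callerIpAddress": "203.0.113.7",
    "properties": {
        "userPrincipalName": "alice@example.com",
        "appDisplayName": "Office 365|Portal",
        "status": {"failureReason": "Invalid username or password=bad"},
        "location": {"countryOrRegion": "NL"},
    },
}


def cef_escape_header(value):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """CEF extension values: escape backslash, '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def iso_to_epoch_millis(iso_utc):
    """'2019-08-08T02:32:10Z' -> CEF 'rt' value (milliseconds since epoch)."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return str(int(dt.timestamp()) * 1000)


def signin_to_cef(record):
    """Map one sign-in record to a CEF line. Azure reports success as
    resultType "0"; anything else is a failure and gets a higher severity."""
    props = record.get("properties", {})
    success = record.get("resultType") == "0"
    severity = 3 if success else 6
    # Header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity
    header = "|".join([
        "CEF:0",
        cef_escape_header("Microsoft"),          # assumed vendor label
        cef_escape_header("Azure AD"),           # assumed product label
        cef_escape_header("1.0"),
        cef_escape_header(record.get("resultType", "unknown")),
        cef_escape_header(record.get("operationName", "")),
        str(severity),
    ])
    extension = {
        "rt": iso_to_epoch_millis(record["time"]),
        "cat": record.get("category", ""),
        "src": record.get("callerIpAddress", ""),
        "suser": props.get("userPrincipalName", ""),
        "outcome": "Success" if success else "Failure",
        "reason": props.get("status", {}).get("failureReason", ""),
        "cs1Label": "appDisplayName",
        "cs1": props.get("appDisplayName", ""),
        "cs2Label": "country",
        "cs2": props.get("location", {}).get("countryOrRegion", ""),
    }
    body = " ".join(f"{k}={cef_escape_extension(v)}"
                    for k, v in extension.items() if v != "")
    return header + "|" + body


def to_syslog_frame(cef_line, hostname="azure-emitter"):
    """Wrap a CEF line in the BSD-syslog header a syslog-ng connector accepts."""
    pri = 13  # facility user(1) * 8 + severity notice(5)
    ts = time.strftime("%b %d %H:%M:%S", time.gmtime())
    return f"<{pri}>{ts} {hostname} {cef_line}\n"


def send_over_tls(frame, host, port, cafile):
    """Deliver one frame to the TLS syslog listener; the listener must
    present a certificate that chains to `cafile`."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame.encode("utf-8"))


if __name__ == "__main__":
    line = signin_to_cef(SAMPLE_SIGNIN)
    print(to_syslog_frame(line), end="")
    # send_over_tls(to_syslog_frame(line), "syslog-ng.example", 6514, "ca.pem")  # placeholders
```

The escaping is the part that bites in practice: a pipe inside a header field (the event name) breaks the whole record, while a pipe inside an extension value is legal and an `=` there is not, so the two escape functions are deliberately different. Pulling the records from the Graph/Insights or Log Analytics API is left to the caller; the converter only needs the decoded JSON.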

Hi,
Anyone here already tried creating a custom .map file?
I followed the config manual and tried multiple times, but even the most basic troubleshooting map file doesn't seem to make a difference. For example, as a test, putting the eventName/value in cs1 doesn't fill the field.
The function log says the map file is processed correctly and 0 unprocessed events.
Also, just for troubleshooting, removing all the map files leaves you with 0 events being sent, so the map files do work, but they can't be modified like the guide says?

With many difficulties we were able to get Azure logs into ArcSight, but we are still struggling to get Security Center logs. It seems the existing parser does not parse the complete logs from Security Center.

Does anyone face the same issue? Please help: how can we get Security Center logs into ArcSight?

Regards,

Hemant

@hemant.sudhansh, congrats, we experienced the same struggles.
We do receive Security Center logs. The events are partially parsed in a proper way. Lots of crucial data is 'summarized' in the cs1-5 fields. That is why we wanted to change the .map files like the config guide describes, as in my previous post.
We noticed that when the .map files are altered, the events will not be processed. Are all your .map files still original from installation?

Also keep in mind that restarting the ArcSight connector also requires restarting the Azure Function, for it will stop sending when the periodic connectivity check has failed.

@Cherrycoin 

Yes, all .map files are original from installation. However, I got a suggestion from support to upgrade "ArcSight Azure Monitor EventHub Connector 7.10.0" to 7.13 (latest version). But I am not sure how to upgrade this in Azure.

Have you upgraded the connector, if yes could you please guide me.

Thanks!


Version history: revision 9 of 9, last update 2019-08-08 02:32.