Highlighted
rochfo Super Contributor.
Super Contributor.
876 views

Azure Logs

Hi,

What are the options for capturing Azure events. Is this all being pushed into the Arcsight Smartconnector now?
0 Likes
2 Replies
AutomaticReply Absent Member.
Absent Member.

Re: Azure Logs

rochfordp,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com



0 Likes
sujithhere Absent Member.
Absent Member.

Re: Azure Logs

Hi,

Sentinel, though not officially announced(as the certification process is not completed), should now be able to support Azure events with the latest Arcsight Azure smart connector release.
Currently, the documentation for Azure smart connector speaks only about Arcsight ESM as the SIEM solution that needs to be used, but it will work with Sentinel as an SIEM at the other end as well. So for capturing and forwarding Azure events, first download and deploy the Azure smart connector in your Azure environment (follow the documentation) and then configure this connector by giving the IP/Port details of Sentinel's (instead of Syslog NG smartconnector as mentioned in the doc) syslog server. But make sure that, the port should be publicly available or should be in the same VNET as the Azure connector. Once events reach the Sentinel syslog connector, a Universal CEF collector will be created automatically to parse the incoming events in CEF format. Events will then be forwarded to Sentinel server after parsing.

Except for mentioning Sentinel's syslog server as the destination IP/port, the rest of the configuration can be same as mentioned in the Azure connector doc. When you use this smart connector with Sentinel, the one thing you might need to keep in mind is the incoming load. Please check and make sure that your incoming load from Azure is not too high so that it will pull down the Sentinel server. For Arcsight ESM, we are recommending the usage of a load balancer to which the events first gets forwarded to, so that it can forward the events in a balanced manner to Arcsight ESM, in case of a high load. You should be able to use the same Arcsight load balancer for Sentinel if the load requirements are high, but at this point this is not tested and certified with Sentinel.

Please refer to the Arcsight Azure smart connector documentation for further details.
https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Azure-Monitor-Event-Hub/ta-p/1671292
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.