Question

Palchak on Fri, 14 Feb 2020 04:53:33


My customer is planning to use Event Hub and to send Diagnostic Settings data for Azure Platform Logs to Event Hub; the Event Hub would then be connected to Splunk as the consumer of the events.

The URI below describes how to configure an Event Hub, a Log Analytics Workspace or an Azure Storage Account for this:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings 

Apart from this, my customer also has the requirement to send Windows IaaS VM perfmon logs and various event logs (Application, Security and System) pertaining to the VM, or say the crash dump logs of a particular VM, to the same Event Hubs, where Splunk will then gather the data.

To send all this VM data to Event Hub, you need to first install the Diagnostic Extension on a VM and then configure a Sink.

It seems only the Diagnostic Extension can send data to Event Hub, and not the Dependency Agent or the Log Analytics Agent, as per the URI below:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview 

Also, there is no way to configure Event Hub as a SINK using the portal, and the method Microsoft describes for configuring an Event Hub Sink to send this Diagnostic Extension data is pretty confusing and not very clear, as per the URI below:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/stream-monitoring-data-event-hubs 

So I would like to know:

1) If Security Center is using a Log Analytics Workspace as its data repository, and the Log Analytics Agent or MMA (Microsoft Management Agent) is responsible for sending both Azure Platform data and Azure VM data to a Log Analytics Workspace, do I then need to separately configure this Azure Diagnostic Extension and send the data to Event Hub and then to Splunk? Or does connecting Splunk to Security Center and gathering the data from Security Center include everything, both the Platform Logs and the Azure VM logs and metrics mentioned above?

2) Are MMA (Microsoft Management Agent) and Microsoft Monitoring Agent the same thing? The Log Analytics Agent documentation below says Microsoft Management Agent:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview#log-analytics-agent

When I check the extensions on a particular VM, it shows Microsoft Monitoring Agent, as in the attached screenshot, so I am a bit confused why the middle "M" is different in the two places.


Pallab Chakraborty
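A sketch of the Diagnostics Extension (WAD) settings that the third link above describes, added here as an illustration and not taken from this thread or copied from Microsoft's documentation: it routes the perf counters, the Application/Security/System event logs and crash dumps named in the question to an Event Hub sink. The namespace, hub, storage account and key values are placeholders, and `SendRule` is assumed to be a shared access policy on the hub that carries only the Send claim, so the key held in protectedSettings cannot be used to read or manage the hub.

```json
{
  "settings": {
    "StorageAccount": "<storage-account-name>",
    "WadCfg": {
      "DiagnosticMonitorConfiguration": {
        "overallQuotaInMB": 4096,
        "sinks": "HotPath",
        "PerformanceCounters": {
          "scheduledTransferPeriod": "PT1M",
          "PerformanceCounterConfiguration": [
            { "counterSpecifier": "\\Processor(_Total)\\% Processor Time", "sampleRate": "PT1M" },
            { "counterSpecifier": "\\Memory\\Available Bytes", "sampleRate": "PT1M" }
          ]
        },
        "WindowsEventLog": {
          "scheduledTransferPeriod": "PT1M",
          "DataSource": [
            { "name": "Application!*[System[(Level = 1 or Level = 2)]]" },
            { "name": "Security!*[System[(band(Keywords,4503599627370496))]]" },
            { "name": "System!*[System[(Level = 1 or Level = 2)]]" }
          ]
        },
        "CrashDumps": { "dumpType": "Mini", "CrashDumpConfiguration": [ { "processName": "w3wp.exe" } ] }
      },
      "SinksConfig": {
        "Sink": [
          {
            "name": "HotPath",
            "EventHub": {
              "Url": "https://<namespace>.servicebus.windows.net/<event-hub-name>",
              "SharedAccessKeyName": "SendRule"
            }
          }
        ]
      }
    }
  },
  "protectedSettings": {
    "storageAccountName": "<storage-account-name>",
    "storageAccountKey": "<STORAGE_ACCOUNT_KEY>",
    "storageAccountEndPoint": "https://core.windows.net",
    "EventHub": {
      "Url": "https://<namespace>.servicebus.windows.net/<event-hub-name>",
      "SharedAccessKeyName": "SendRule",
      "SharedAccessKey": "<EVENT_HUB_SEND_KEY>"
    }
  }
}
```

The `sinks` attribute on `DiagnosticMonitorConfiguration` sends every configured data source to the named sink; placing it on an individual element such as `WindowsEventLog` instead limits what reaches the hub. The Security log filter above selects Audit Failure events only (keyword 0x10000000000000), and the SAS key appears solely in `protectedSettings`, which anyone with read access to the VM resource cannot see.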

Replies

SaurabhSharma-MSFT on Tue, 25 Feb 2020 21:30:05


Here are your answers -

1) In order to move your Azure Security Center alerts to a partner SIEM solution you need to complete a few steps, which include configuring Azure Monitor and the Event Hub. The security alerts produced by Security Center are published to the Azure Activity log, and Azure Monitor then enables you to get your Activity log data to an Event Hub, where it can be read by a SIEM solution like Splunk. Please refer to the documentation, which provides details around the SIEM integration.

However, there is another feature available in preview (not recommended for production) which enables you to export data to a SIEM without using the Activity log as an intermediary, allowing direct export from Security Center to Event Hubs and then to your SIEM. Please refer to the documentation for details.

2) I believe the documentation is wrong and it should say Microsoft Monitoring Agent, not Microsoft Management Agent. I will check with the documentation author to get the documentation updated if that's the case. Also, the Microsoft Monitoring Agent is now referred to as the Log Analytics agent; they are the same.

Marilee Turscak - MSFT on Fri, 28 Feb 2020 01:03:43


Please let us know if this helped answer your question. If so, please remember to mark as answer so that others in the community with similar questions can more easily find a solution.