Question

Brian Mahle on Fri, 17 Nov 2017 21:26:13

Hi,

I have an Azure Log Integration Service up and running on an Azure Windows 2012 VM. It is successfully receiving Azure AD logs from an AADB2C tenant. I see the logs in the following paths:

c:\Users\azlog\AzureActiveDirectoryJson

c:\Users\azlog\AzureActiveDirectoryJsonLD

I have configured a destination (LogStash):

PS C:\Program Files\Microsoft Azure Log Integration> Get-AzLogEventDestination


Name         : QRadarConsole1
Type         : Syslog
Path         :
SyslogServer : 10.19.11.198
SyslogPort   : 5140
Id           : 418ddc93-cb59-4cd1-a2e4-100d4ba21900

I have yet to see any logs be forwarded to the syslog destination.

Any help would be great!

Replies

mattyinwi on Tue, 28 Nov 2017 21:25:31


I currently have a support case opened with Microsoft for this exact issue... they are currently claiming that AzLog doesn't forward logs over syslog, even though I can confirm that forwarding over syslog works great for AzureResourceManager and AzureSecurityCenter logs, just not AzureActiveDirectory logs, using the Add-AzLogEventDestination method you mentioned.

I'll put in an update if I hear anything back from support.

Brian Mahle on Fri, 01 Dec 2017 14:59:36


Thanks mattyinwi.

I have a support case yielding the same results. I'm implementing a workaround now using FileBeat to forward the JSON logs to LogStash.

mattyinwi on Thu, 07 Dec 2017 17:12:44


Unfortunately, it sounds like we are on our own for sending logs on from AzLog. This is the final answer I got from Microsoft:

Hello Matthew,

I just found out that this is not a supported scenario at this point. All AzLog will do is save the AD logs to the JSON folders we've mentioned before; after that, there is work involved in QRadar to make it work (you might want to engage QRadar), or alternatively you can develop a custom log source.

I ended up just writing a quick PowerShell script to grab the JSON logs as they come in and send them out over syslog.
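
An added example of the approach described in the reply above; it is not the script mattyinwi wrote and is not part of Microsoft's AzLog. It polls the AzureActiveDirectoryJson folder and sends each event as an RFC 5424 syslog message over UDP. The folder path, syslog server and port are the values from the original question and are assumptions for the example; the $AppName value and the state file name are made up here.

```powershell
# Added example, not the script from the thread and not part of AzLog:
# poll the AzLog JSON output folder and forward every event as an
# RFC 5424 syslog message over UDP.
# WatchPath, SyslogServer and SyslogPort are the values from the question above
# and are assumptions; $AppName and the state file name are made up for this example.
param(
    [string]$WatchPath    = 'C:\Users\azlog\AzureActiveDirectoryJson',
    [string]$SyslogServer = '10.19.11.198',
    [int]   $SyslogPort   = 5140,
    [string]$AppName      = 'AzLogAAD',
    [int]   $PollSeconds  = 10
)

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Connect($SyslogServer, $SyslogPort)

function Send-SyslogMessage {
    param([string]$Message)
    # PRI = facility*8 + severity. Facility 1 (user-level) and severity 6 (informational) give <14>.
    $timestamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    # RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    $line  = "<14>1 $timestamp $env:COMPUTERNAME $AppName - - - $Message"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
    [void]$udp.Send($bytes, $bytes.Length)
}

function Send-JsonFile {
    param([string]$Path)
    $raw = Get-Content -Path $Path -Raw -ErrorAction Stop
    # A file can hold a single event object or an array of events; @() makes both iterable.
    foreach ($evt in @($raw | ConvertFrom-Json)) {
        # One compact JSON document per syslog message, so the SIEM receives one event per line.
        Send-SyslogMessage -Message ($evt | ConvertTo-Json -Compress -Depth 20)
    }
}

# Remember which files were already forwarded so a restart does not replay old events.
$stateFile = Join-Path $env:ProgramData 'azlog-syslog-forwarder.sent'
$sent = New-Object 'System.Collections.Generic.HashSet[string]'
if (Test-Path $stateFile) {
    Get-Content $stateFile | ForEach-Object { [void]$sent.Add($_) }
}

try {
    while ($true) {
        # Skip files written in the last few seconds: AzLog may still be writing them.
        $cutoff = (Get-Date).AddSeconds(-5)
        $pending = Get-ChildItem -Path $WatchPath -Filter '*.json' -File |
            Where-Object { $_.LastWriteTime -lt $cutoff -and -not $sent.Contains($_.FullName) } |
            Sort-Object LastWriteTime
        foreach ($file in $pending) {
            try {
                Send-JsonFile -Path $file.FullName
                [void]$sent.Add($file.FullName)
                Add-Content -Path $stateFile -Value $file.FullName
            }
            catch {
                # Leave the file unmarked so the next poll retries it.
                Write-Warning "Failed to forward $($file.FullName): $($_.Exception.Message)"
            }
        }
        Start-Sleep -Seconds $PollSeconds
    }
}
finally {
    $udp.Close()
}
```

Run it under an account that can read the azlog folder, for example as a scheduled task that starts at boot. Two caveats a practitioner should weigh before relying on this: UDP syslog is unauthenticated and unencrypted, so the events cross the network in clear text and a lost datagram is a lost event; and many receivers truncate messages at 1 KB to 8 KB, while a single Azure AD sign-in event serialised as JSON can exceed that. Where that matters, forward over TCP with TLS (the FileBeat workaround mentioned earlier in the thread is one way) and confirm the receiver's maximum message size.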

dscott_sygnacorp on Wed, 10 Jan 2018 00:21:24


I see the MS documentation says to stand up two systems: a machine that will run the Azure Log Integration service, and a machine that will be monitored and have its logging information sent to the AzLog service machine.

  • A machine you want to monitor – this is a VM running as an Azure Virtual Machine
  • A machine that will run the Azure log integration service; this machine will collect all the log information that will later be imported into your SIEM.

Is it technically necessary to have a dedicated VM running the Azure Log Integration service, or can it be installed on the same Azure VM (the machine you want to monitor)? I presumed MS broke that out for performance reasons. I'm curious whether, for small instances, there are any technical barriers.