Monitoring Azure Logs

Article ID: 537
Category: Cloud Log Monitoring
Applies to: 6.0 and later
Updated: 2026-01-30

Monitoring and consolidating cloud-based logs from Azure requires the following configuration steps. Please note that new EventSentry v6.x installations do not require most of these manual steps; most required objects (with the exception of authentication credentials) are already set up.

  1. Set up App Registration in Azure/Office365
  2. Set up "Microsoft Cloud" Authentication Credentials
  3. Download Azure Log File Definitions
  4. Create/Update Log File objects
  5. Create & configure log file packages

1. Set up App Registration in Azure/Office365

Refer to KB article 518 to set up the required app registration and permissions.

2. Set up "Microsoft Cloud" Authentication Credentials

In the EventSentry management console, navigate to Tools -> Authentication Manager and click the + icon to add new authentication credentials of type "Microsoft Cloud". Click the Test button to verify the credentials and add them.

Authentication Manager

3. Download Azure Log File Definitions

Continue to Packages -> Update to access the package update manager. Click Update and wait for the Package Manager dialog to appear. Review the Log File Definitions area and select any Azure logs you want to import. Do not update any other packages by clicking (Un)Select All. If no Azure logs appear, then they are likely already present on this host.

Log Definition Download

After importing or confirming that no additional log definitions exist, click on Log Files and Define Files and confirm that the required log definitions show up in Log File Definitions.

Log Definitions

4. Create/Update Log File objects

Next, click the + icon in the Log Files section to add a log file object for each Azure log you want to monitor. You only need to provide the following:

  1. Name: Enter a descriptive name
  2. File Definition: Select one of the available Azure log file definitions
  3. Click Authentication to assign at least one type of Microsoft Cloud credential

Leave the path empty and click OK.

Log File Object

If the log file object already exists, simply double-click the entry and click Authentication to assign at least one type of Microsoft Cloud credential to the file object.

5. Create & configure log file packages

Click on Log Files & API and click the green Add button in the ribbon to create a new log file package. Give the package a descriptive name; it can be the same as the log file object (e.g. Azure Directory Audit). Click the newly created package, click Assign and assign the package to the host where the EventSentry Sync service is installed, usually the host where EventSentry is installed.

Next, click the Add button in the Log File section in the ribbon and select the previously created log file object. You can select multiple objects as well. This will add the log file to the package and automatically select it.

Adding Log File Objects

Click the Database Consolidation tab to add one or more databases to the object and set up inclusions or exclusions (if necessary). Click the Event Log Alerts tab to configure event log alerts for specific log entries (optional).

Save the configuration. Logs should then start populating in the EventSentry Web Reports under FEATURES -> Logs -> Delimited Log Files. If multiple log files are monitored, the desired log file definition name will need to be selected.


