
Azure AD Event Hubs

Azure Integration With Blumira’s Cloud SIEM

Azure Event Hubs is a real-time event-streaming and data-ingestion service integrated across the Microsoft Azure platform.


Blumira integrates with Microsoft Azure Event Hub to stream Azure cloud security event logs and alerts to the Blumira service for threat detection, alerting and actionable response.


Get a Free Cloud SIEM Trial

Try out Blumira’s automated detection & response platform for free and deploy a cloud SIEM in hours.


Free Trial

Configuring Azure Event Hubs for Azure AD & Azure Monitor

Required Blumira Module: Microsoft Azure Event Hub 

Configuring an Event Hub Namespace

  1. Go to https://portal.azure.com/ and log in.
  2. Click on “Event Hubs” (in left-most menu), then on the “+ Add” button
  3. Select an existing Resource Group, or create one if you do not already have an appropriate group.
  4. Choose an event hub namespace name. (Sample: Blumiralogs)
  5. Select the Location and Pricing tier you want to use.
  6. If desired, add Availability Zone features and Tags, click Review + Create.

Once the deployment finishes, open the Event Hubs namespace you just created.

  1. Click “Shared access policies” (in second-left-most menu).
  2. Click “+ Add” to add a new policy.
  3. Choose a name, such as “ReadOnlyAccessKey”.
  4. Check only the Listen check box. The Blumira sensor only consumes events, so this policy should be unable to send to or manage the namespace. A namespace-level policy grants Listen on every event hub in the namespace; if you want the sensor scoped to a single hub, create the policy under that event hub's own “Shared access policies” instead.
  5. Click the Create button.
  6. Click on the policy you just created and make a note of the “Connection string - primary key” value for later use. This string embeds the policy's secret key, so handle it like any other credential; if it is ever exposed, regenerate the key from the same policy page and update the sensor.

Configuring an Event Hub

Note that this step is not required for all types of logs. Some log sources automatically create their own event hub within the namespace you created above. Blumira recommends creating a dedicated event hub anyway, for the sake of clarity.

  1. In the Azure portal, click on “Event Hubs”
  2. Click on the event hub namespace you want to use for Blumira logs.
  3. Click “Event Hubs”
  4. Click “+ Event Hub” to add a new event hub.
  5. Choose an event hub name like blumira-log-stream.
  6. Select Create

Configure Azure to Send Logs to an Event Hub

Azure Monitor

Note: Azure Monitor creates its own event hub called “insights-operational-logs”. You must still create an event hub namespace, but can skip creating an event hub.

  1. Go to https://portal.azure.com/ and log in.
  2. Click All services, then Subscriptions.
  3. Click on the Azure subscription you want to monitor.
  4. Click on “Resource providers”.
  5. Search for Microsoft.Insights, click on it, then click Register. (If it is already registered, move on to the next step.)
  6. Back in the Azure subscription you selected in step 3, click on Monitor, then Activity Log.
  7. Click on Diagnostic settings.


  • Click Add diagnostic setting
    1. Select all log types under Category details
    2. Select Stream to an event hub
    3. Select the Subscription and namespace that the event hub is in, if not pre-filled
    4. Select the Event hub name that you made previously
    5. Select the RootManageSharedAccessKey policy. Azure Monitor uses this policy to publish events into the hub, so it needs a policy with Send rights; the Listen-only policy you created for the Blumira sensor will not work here and should stay reserved for the sensor.
    6. Click Save at the top

  • Activity log entries for this subscription are now forwarded out of your Azure environment to the event hub.


Azure AD

Note: Azure AD can optionally create its own event hub called “insights-logs-audit”. If you prefer to use a different event hub, you must create it first using the procedure above.

  1. Go to https://aad.portal.azure.com and log in.
  2. Click on Azure Active Directory.
  3. Click on Audit Logs (in the Monitoring section of the left menu).
  4. Scroll down the left menu and click on Add diagnostic setting.
  5. Enter a name for this setting, such as “Blumira events”.
  6. Check “Stream to an event hub”.
  7. Under Event hub, click Configure.
  8. Select your event hub namespace.
  9. Select the event hub you created earlier, or use the default “insights-logs-audit”. If you leave the hub unselected, Azure creates a separate default hub for each log category, so a custom hub is the simplest way to land both categories below in the single hub the Blumira module reads.
  10. Use the RootManageSharedAccessKey policy. Azure AD needs Send rights to write into the hub; the Listen-only policy is for the Blumira sensor only.
  11. Click OK to save the event hub configuration.
  12. Check “AuditLogs” and “SignInLogs”.
  13. Click Save (at top).

Configuring Blumira to Fetch Logs From the Event Hub

  1. Log in to app.blumira.com
  2. Go to Infrastructure / Sensors
  3. Click on the sensor where you want to poll for event hub logs.
  4. Scroll down to the Modules section and click Add Module.
  5. Choose Microsoft Azure Event Hub Module
  6. Event Hub Connection String – the “Connection string - primary key” value you copied from the Listen-only policy (e.g. ReadOnlyAccessKey). Do not paste the RootManageSharedAccessKey connection string; the sensor only needs to Listen.
  7. Event Hub Name – the name of the event hub that the diagnostic settings above stream to (e.g. blumira-log-stream).
  8. Click Install.

Firewall Port Requirements:

  • If you filter outbound traffic from the sensor, allow the following TCP ports to your namespace host, <namespace>.servicebus.windows.net, for Event Hubs communication and authentication:
    • TCP/443 (HTTPS and AMQP over WebSockets, used when the AMQP ports are blocked)
    • TCP/5671 (AMQP over TLS)
    • TCP/5672 (AMQP)
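The credential pasted into the module and the outbound allow-list above can both be checked before the sensor is touched. The following script is an added example, not Blumira's or Microsoft's code; the connection string in it is constructed and the key is fake. It parses the string the way the Event Hubs SDKs do (key=value pairs separated by semicolons, splitting each pair on the first "=" because the key is base64), flags the root policy, checks that a hub-scoped policy's EntityPath agrees with the hub name entered in the module, and derives the namespace host and ports to permit outbound.

```python
# Added example (not Blumira's or Microsoft's code): pre-flight checks on
# the Event Hub connection string and hub name before they go into the
# Blumira sensor module. The connection string below is constructed for
# the example; the key is not a real secret.

SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://blumiralogs.servicebus.windows.net/;"
    "SharedAccessKeyName=ReadOnlyAccessKey;"
    "SharedAccessKey=c2FtcGxlLWtleS1ub3QtcmVhbC1zYW1wbGUta2V5LW5vdC1yZWFs="
)

# Outbound ports listed on the page: AMQP over TLS, plain AMQP, HTTPS/WebSockets.
EVENT_HUBS_PORTS = (5671, 5672, 443)

# The namespace-level policy Azure creates with full rights (Manage, Send,
# Listen). The sensor only needs Listen, so it should never receive this one.
ROOT_POLICY = "RootManageSharedAccessKey"


def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' into a dict. The key is base64 and ends
    in '=', so each segment is split on the first '=' only."""
    fields = {}
    for segment in conn_str.strip().strip(";").split(";"):
        if "=" not in segment:
            raise ValueError("malformed segment: %r" % segment)
        key, value = segment.split("=", 1)
        fields[key.strip()] = value.strip()
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in fields:
            raise ValueError("connection string lacks " + required)
    return fields


def namespace_fqdn(conn_str):
    """Host the sensor connects to, e.g. blumiralogs.servicebus.windows.net."""
    endpoint = parse_connection_string(conn_str)["Endpoint"]
    if not endpoint.startswith("sb://"):
        raise ValueError("unexpected Endpoint scheme: %r" % endpoint)
    return endpoint[len("sb://"):].strip("/")


def check_sensor_credential(conn_str, hub_name):
    """Return a list of problems; an empty list means the pair looks right.
    The policy name alone cannot prove the rights are Listen-only (a Manage
    policy could be called 'ReadOnlyAccessKey'), so confirm the checkbox in
    the portal; this catches the common mistake of pasting the root key."""
    fields = parse_connection_string(conn_str)
    problems = []
    if fields["SharedAccessKeyName"] == ROOT_POLICY:
        problems.append(
            "connection string is for %s; use the Listen-only policy" % ROOT_POLICY)
    # A hub-scoped policy embeds the hub as EntityPath; it must match the
    # name typed into the module or the sensor will open the wrong hub.
    entity = fields.get("EntityPath")
    if entity is not None and entity != hub_name:
        problems.append(
            "EntityPath %r does not match hub name %r" % (entity, hub_name))
    if not hub_name:
        problems.append("hub name is empty")
    return problems


def egress_allow_list(conn_str):
    """(host, port) pairs to permit outbound from the sensor."""
    host = namespace_fqdn(conn_str)
    return [(host, port) for port in EVENT_HUBS_PORTS]


if __name__ == "__main__":
    hub = "blumira-log-stream"  # assumed hub name from the procedure above
    print("namespace:", namespace_fqdn(SAMPLE_CONNECTION_STRING))
    print("problems:", check_sensor_credential(SAMPLE_CONNECTION_STRING, hub))
    for host, port in egress_allow_list(SAMPLE_CONNECTION_STRING):
        print("allow tcp", host, port)
```

Run it with the real connection string substituted for the sample (or read from an environment variable rather than pasted into the file) and the hub name you intend to enter; an empty problems list plus the printed allow-list is what you take to the firewall change.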
