NoumanKhan-9736 asked
0 Votes

Azure Solution for Streaming Logs - SIEM

Hello,

I am planning to use Azure Sentinel for my on-premises and cloud workloads/devices.
Like any other SIEM solution, Sentinel requires you to have a log collector where all the devices (Syslog, CEF) can send the logs, and then they are transported to Sentinel for analysis.
Now, I have a large number of devices, in the thousands. The main issue is that each time I change my SIEM/syslog solution, I need to point the devices to the next log collector, a different IP; it is a hectic job. Secondly, log collectors are proprietary and require engineering to maintain high availability and reliability.

Can I have a middleware where we can send the logs and later send them to any SIEM, etc. for analysis? In this way we do not have to edit the device config each time the SIEM solution is changed.

Can Azure Data Factory do this job? Stream the logs to Data Factory and then send them to Sentinel/SIEM?
Are there any downsides to this approach?

Thanks for the support.

Tags: azure-data-factory, microsoft-sentinel, azure-ad-audit-logs, azure-data-lake-analytics

1 Answer

garybushey answered
0 Votes

You can also take a look at using an Event Hub but you would need to write a Logic App or Azure Function (probably better) to ingest the data into MS Sentinel.

BTW, why do you have to change your syslog solution? Can't you create a high-availability solution behind a single IP address?


Hi Gary,

In my scenario, currently, I am migrating from an old SIEM to a new SIEM solution. Log sources are configured to send the logs to the old log collector.
I am not completely decommissioning the old SIEM. I need the old and new SIEM to work in parallel until the new SIEM is stable. Some of the log sources don't have the option to send logs to two collectors. Also, it puts load on my device when the traffic/transactions are high.
I need a middleware that can take the logs and then distribute/replicate them to both the old and new collectors.

Any suggestions will help.

0 Votes

alfredorevilla-msft commented:
Hello @noumankhan-9736, do you still need help for this issue?

0 Votes

NoumanKhan-9736 replied to alfredorevilla-msft:

Dear @alfredorevilla-msft,
Yes, I do. I am still looking for the right solution.
Maybe MS does not have a native solution for this type of streaming; this may be a solution:

https://www.elastic.co/logstash/

0 Votes
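The distribution middleware the thread is asking for (receive syslog/CEF once on a fixed address, replicate each message to the old and the new collector), written here as an added example; it is not code from either poster or from Microsoft, and the collector addresses and listening port 5514 are constructed assumptions:

```python
import re
import socket

# Constructed example addresses for the old and new SIEM collectors (not from the thread).
COLLECTORS = [("192.0.2.10", 514), ("192.0.2.20", 514)]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram: bytes):
    """Return (facility, severity) from the syslog <PRI> header, or None if malformed.
    CEF sent over syslog carries the same prefix, so it passes this check as well."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23, severity 0-7, so the largest valid PRI is 23*8+7
        return None
    return pri // 8, pri % 8

def udp_sender():
    """Return a send(datagram, (host, port)) callable backed by one UDP socket."""
    return socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto

def fan_out(datagram: bytes, collectors, send):
    """Copy one datagram, unchanged, to every collector so each SIEM sees the original.
    Returns [((host, port), delivered), ...]; one failing collector never blocks the others."""
    results = []
    for target in collectors:
        try:
            send(datagram, target)
            results.append((target, True))
        except OSError:
            results.append((target, False))
    return results

def serve(listen=("0.0.0.0", 5514), collectors=COLLECTORS):
    """Listen for UDP syslog and replicate every well-formed datagram to all collectors."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(listen)
    send = udp_sender()
    while True:
        datagram, _peer = srv.recvfrom(65535)
        if parse_pri(datagram) is None:
            continue  # drop malformed input rather than replicating junk to both SIEMs
        fan_out(datagram, collectors, send)
```

Because the relay re-sends the datagram, both collectors see the relay's IP as the UDP source, so the originating host must come from the syslog header, which RFC 3164 and RFC 5424 messages carry. Run serve() on a host with a fixed address and point the devices there once; later collectors are added to COLLECTORS instead of being reconfigured on every device.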