Introduction to Azure Log Integration

Important

The Azure Log integration feature will be deprecated by 06/01/2019. AzLog downloads will be disabled by Jun 27, 2018. For guidance on what to do moving forward review the post Use Azure monitor to integrate with SIEM tools

Azure Log Integration was made available to simplify the task of integrating Azure logs with your on-premises Security Information and Event Management (SIEM) system.

The recommended method for integrating Azure logs is to use your SIEM vendor�s connectors. Azure Monitor provides the ability to stream the logs into event hubs, and SIEM vendors can write connectors to further integrate logs from the event hub into the SIEM. For a description of how this works, follow the instructions in Monitor stream monitoring for data event hubs. The article also lists the SIEMs for which direct Azure connectors are already available.

Important

If your primary interest is collecting virtual machine logs, most SIEM vendors include this option in their solution. Using the SIEM vendor's connector is always the preferred alternative.

The documentation on the Azure Log Integration feature is still being maintained until the feature is deprecated.

Read further to learn more about the Azure Log Integration feature:

Azure Log Integration collects Windows events from Windows Event Viewer logs, Azure activity logs, Azure Security Center alerts, and Azure Diagnostics logs from Azure resources. Integration helps your SIEM solution provide a unified dashboard for all your assets, whether on-premises or in the cloud. You can use a dashboard to receive, aggregate, correlate, and analyze alerts for security events.

Note

Currently, Azure Log Integration supports only Azure commercial and Azure Government clouds. Other clouds are not supported.

The Azure Log Integration process

What logs can I integrate?

Azure produces extensive logging for each Azure service. The logs represent three log types:

  • Control/management logs: Provide visibility into the Azure Resource Manager CREATE, UPDATE, and DELETE operations. An Azure activity log is an example of this type of log.
  • Data plane logs: Provide visibility into events that are raised when you use an Azure resource. An example of this type of log is the Windows Event Viewer's System, Security, and Application channels in a Windows virtual machine. Another example is Azure Diagnostics logging, which you configure through Azure Monitor.
  • Processed events: Provide analyzed event and alert information that are processed for you. An example of this type of event is Azure Security Center alerts. Azure Security Center processes and analyzes your subscription to provide alerts that are relevant to your current security posture.

Azure Log Integration supports ArcSight, QRadar, and Splunk. Check with your SIEM vendor to assess whether the vendor has a native connector. Don't use Azure Log Integration if a native connector is available.

If no other options are available, consider using Azure Log Integration. The following table includes our recommendations:

SIEM Customer already uses the Azure log integrator Customer is investigating SIEM integration options
Splunk Begin migrating to the Azure Monitor add-on for Splunk. Use the Splunk connector.
QRadar Migrate to or begin using the QRadar connector that's documented in the last section of Stream Azure monitoring data to an event hub for consumption by an external tool. Use the QRadar connector that's documented in the last section of Stream Azure monitoring data to an event hub for consumption by an external tool.
ArcSight Continue to use the Azure log integrator until a connector is available, and then migrate to the connector-based solution. Consider using Azure Log Analytics as an alternative. Don't onboard to Azure Log Integration unless you are willing to go through the migration process when the connector becomes available.

Note

Although Azure Log Integration is a free solution, there are Azure storage costs associated with log file information storage.

If you need assistance, you can create a support request. For the service, select Log Integration.

Next steps

This article introduced you to Azure Log Integration. To learn more about Azure Log Integration and the types of logs that are supported, see the following articles: