Introduction to Microsoft Azure log integration

Learn about Azure log integration, its key capabilities, and how it works.

Overview

Azure log integration is a free solution that enables you to integrate raw logs from your Azure resources into your on-premises Security Information and Event Management (SIEM) systems.

Azure log integration collects Windows events from Windows Event Viewer logs, Azure Activity Logs, Azure Security Center alerts, and Azure Diagnostic logs from Azure resources. This integration helps your SIEM solution provide a unified dashboard for all your assets, on-premises or in the cloud, so that you can aggregate, correlate, analyze, and alert for security events.

Note

At this time, the only supported clouds are Azure commercial and Azure Government. Other clouds are not supported.


What logs can I integrate?

Azure produces extensive logging for every Azure service. These logs represent three types of logs:

  • Control/management logs provide visibility into the Azure Resource Manager CREATE, UPDATE, and DELETE operations. Azure Activity Logs is an example of this type of log.
  • Data plane logs provide visibility into the events raised as part of the usage of an Azure resource. An example of this type of log is the Windows Event Viewer's System, Security, and Application channels in a Windows virtual machine. Another example is Diagnostics Logging configured through Azure Monitor.
  • Processed events provide analyzed event and alert information processed on your behalf. An example of this type of event is Azure Security Center Alerts, where Azure Security Center has processed and analyzed your subscription to provide alerts relevant to your current security posture.

Azure Log Integration supports ArcSight, QRadar, and Splunk. In all circumstances, please check with your SIEM vendor to assess whether they have a native connector. In some cases, you will not need to use Azure Log Integration when native connectors are available. For additional information on supported log types, please visit the FAQ.

Note

While Azure Log Integration is a free solution, the log file data it collects is stored in Azure storage, and that storage incurs normal Azure storage costs.

Community assistance is available through the Azure Log Integration MSDN Forum. The forum provides the AzLog community the ability to support each other with questions, answers, tips, and tricks on how to get the most out of Azure Log Integration. In addition, the Azure Log Integration team monitors this forum and will help whenever we can.

You can also open a support request. To do this, select Log Integration as the service for which you are requesting support.

Next steps

In this document, you were introduced to Azure log integration. To learn more about Azure log integration and the types of logs supported, see the following: