Azure Activity Logs in Elastic

Kosodrom · February 19, 2021, 12:21pm

Hi,

currently we are tryting to ship logs from azure eventhub to logstash. We use this: Azure Event Hubs plugin | Logstash Reference [7.11] | Elastic to forward the logs to elastic cluster.

As far as I have learnt from the documentation: Azure Activity Log event schema - Azure Monitor | Microsoft Docs it looks like the log schema differs when you are sending it to the azure event hub, which means it differs from what you can see in azure.

Due to this I miss some information at the end in elastic, for example resourceGroupName, which is quite important to filter and aggregate the logs.

Is there anyone who is facing same issue and if yes how are you dealing with it?

Is there any way to adjust the event hub or diagnostic settings in a certain way so it forwards the logs in the exact same format as you can see them in your azure resource? Or are you adding these information (like the resource group names) in your logstash filter to every event?

Thanks for any feedback

willemdh · February 19, 2021, 1:52pm

Hello,

I would advice you to take a look at the Filebeat Azure module instead of the Logstash input.

Grtz

Kosodrom · February 19, 2021, 2:00pm

Thanks for feedback. What are the benefits of doing this? I'd need another agent to run "somewhere", which I need to take care of.

willemdh · February 19, 2021, 6:04pm

Correct, also it only works for activity, signin and audit logs. But it works well and is "easy" to set up.

Kosodrom · February 22, 2021, 11:28am

Ok nevertheless it won't solve my problem that the azure activity logs are getting shipped in different format from what you see in azure.

system · March 22, 2021, 11:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.