Configure Azure Event Hubs Using Connection Strings

Prerequisites

The Beat requires the following three sets of input:

  • Azure Storage Account Connection String. This string keeps position and state information (what LogRhythm has collected so far from each Event Hub). The Event Hubs beat will use this storage account to create the storage container, if it is not already configured in the Azure portal within this storage account. 

    The Storage Account Connection String is in the following format:

    DefaultEndpointsProtocol=https;AccountName={StorageAccountName};AccountKey={Key};EndpointSuffix=core.windows.net

  • A list of Event Hub Connection Strings. An Event Hub Connection String must be provided for every Event Hub within the Namespace.

    The Event Hub Connection Strings are in the following format:

    Endpoint=sb://{EventHubNamespace}.servicebus.windows.net/;SharedAccessKeyName={PolicyName};SharedAccessKey={Key};EntityPath={EventHub}

    When you configured the Activity and Diagnostic logs, you selected an Event Hub Namespace. Each type of Azure log creates a new Event Hub within this Namespace. If you configure a new type of Diagnostic log in the future, Azure may create a new Event Hub, and you will need to update the Beat configuration. 

  • A list of Storage Container Names. Each Event Hubs Connection String must have a valid storage container name. If a provided storage container has not been created in the Azure portal within the given storage account, then the storage container will be created with the name provided. 

    The storage container name may only contain lowercase letters, numbers, and hyphens, and must begin with a letter or a number. Each hyphen must be preceded and followed by a non-hyphen character. The name must also be between 3 and 63 characters long. If a user enters an invalid storage container name, then LRCTL CLI will ask for a valid storage container name again.

Configure Your Firewall

The LogRhythm Event Hub Beat communicates with Azure over the following ports:

  • 5671 using the AMQPS protocol
  • 443 using the HTTPS protocol

Ensure the ports above are open for outbound traffic from your Linux VM and through any firewalls.

Configure the Storage Account

To configure a storage account for the Azure Event Hubs beat:

  1. Open the Azure Storage Accounts service.
  2. Select an existing storage account, or create a new storage account by following the steps below.   

    In the Account kind field, LogRhythm recommends that you select StorageV2 (general purpose v2), as Microsoft may deprecate Storage (general purpose v1) in the future.
    1. To create a new storage account, click on Create.
    2. In the Subscription field, select Pay-As-You-Go.
    3. In the Resource group field, select DefaultResourceGroup-CUS or create a new resource group by clicking Create new.
    4. Enter a unique Storage account name.

      Leave the Region, Performance, and Redundancy fields set to their defaults.

    5. Click Review + create.
    6. Click Create to complete the storage account creation.
  3. In the menu of the selected (or newly created) storage account, click Access keys.

  4. Copy a connection string from any key and paste it somewhere easily accessible. You will need this connection string when you Initialize the Event Hubs Beat Using Connection Strings.

Configure the Event Hubs

To get an Event Hub Connection String within the Namespace:

  1. In your Azure Portal, click All Services, Analytics, and then click Event Hubs.
  2. Select the existing Event Hubs Namespace which has been configured to receive activity or diagnostic logs.
    The overview opens, showing a list of all Event Hubs in the Namespace.

    For more information on creating an Event Hubs Namespace, see https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create.

  3. Click an Event Hub.

    The default name of the Activity Log Event Hub is insights-operational-logs. This will be used to populate the value of EntityPath for Event Hub Connection Strings. LogRhythm recommends that you select this Event Hub to start.

    You can view metrics such as Messages and Throughput that help determine how much log data is flowing through a particular Event Hub.

  4. Under Settings within the Event Hub menu (accessed under Entities), click SAP to access Shared Access Policies.

    If no Shared Access Policies exist, you will need to create one. Setting the permissions to Listen is sufficient.
  5. Select a policy.
  6. In the policy information on the right, copy a connection string, either primary or secondary, and paste it somewhere easily accessible.

  7. Verify that the following has been appended to the end of the connection string:

    EntityPath=insights-operational-logs

    This string is added as a result of the Shared Access Policy being assigned within your Event Hub entity, as specified in step 4.

    When configuring the Event Hub Beat, LogRhythm supports multiple Event Hub Connection Strings. If required, manually adjust the EntityPath= value of each connection string to match the Event Hub entity it collects from.
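
A pre-flight check for the three inputs listed under Prerequisites, including the EntityPath verification from step 7, shown as an added example (this is not LogRhythm code and not part of LRCTL). The function names and the sample strings are constructed for illustration; the field names and the container-name rules are the ones given on this page.

```python
import re

# Field names taken from the two connection string formats on this page.
STORAGE_KEYS = ("DefaultEndpointsProtocol", "AccountName", "AccountKey", "EndpointSuffix")
HUB_KEYS = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey", "EntityPath")
# Lowercase letters, numbers, hyphens; starts with a letter or number;
# every hyphen has a non-hyphen character on both sides.
CONTAINER_RE = re.compile(r"[a-z0-9]+(-[a-z0-9]+)*")

def parse(conn):
    """Split 'k1=v1;k2=v2' into a dict. Only the first '=' separates key
    from value, because base64 keys usually end in '=' padding."""
    fields = {}
    for part in filter(None, conn.strip().split(";")):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def missing(conn, required):
    """Names of required fields that are absent or empty."""
    fields = parse(conn)
    return [k for k in required if not fields.get(k)]

def valid_container(name):
    return 3 <= len(name) <= 63 and CONTAINER_RE.fullmatch(name) is not None

def preflight(storage, hubs, containers):
    """Return a list of problems. Messages name fields only, never key values."""
    problems = [f"storage: missing {k}" for k in missing(storage, STORAGE_KEYS)]
    if len(hubs) != len(containers):
        problems.append("each Event Hub connection string needs a container name")
    for i, hub in enumerate(hubs):
        problems += [f"hub[{i}]: missing {k}" for k in missing(hub, HUB_KEYS)]
    for i, name in enumerate(containers):
        if not valid_container(name):
            problems.append(f"container[{i}]: invalid name {name!r}")
    return problems

# Constructed sample values (placeholder keys, not real credentials).
STORAGE = ("DefaultEndpointsProtocol=https;AccountName=examplestore;"
           "AccountKey=QUJDRA==;EndpointSuffix=core.windows.net")
HUB_OK = ("Endpoint=sb://example-ns.servicebus.windows.net/;SharedAccessKeyName=listen-only;"
          "SharedAccessKey=QUJDRA==;EntityPath=insights-operational-logs")
# Same string without EntityPath, i.e. what step 7 is meant to catch.
HUB_NO_ENTITY = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
                 "SharedAccessKeyName=listen-only;SharedAccessKey=QUJDRA==")

if __name__ == "__main__":
    for problem in preflight(STORAGE, [HUB_OK, HUB_NO_ENTITY], ["activity-logs", "Bad--Name"]):
        print(problem)
```

Running the check before entering the values into LRCTL catches a missing EntityPath or a rejected container name without printing the shared access key or account key.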
