Syslog - Microsoft Azure Log Integration

Microsoft Azure is an open, flexible, enterprise-grade cloud computing platform. Move faster, do more, and save money with IaaS + PaaS.

The Azure Log integration feature was deprecated on 15 June 2019. AzLog downloads were disabled on 27 June 2018.

Device Details

Vendor	Microsoft
Device Type	Cloud (System and Application)
Supported Model Name/Number	Azure Log Integration
Supported Software Version(s)	1.0
Collection Method	Syslog
Configurable Log Output?	Yes
Log Source Type	Syslog - Microsoft Azure Log Integration
Log Processing Policy	LogRhythm Default
Exceptions	N/A
Additional Information	https://docs.microsoft.com/en-us/azure/security/security-azure-log-integration-get-started The Event logs are available in ‘JSON’, Syslog (LEEF) and MS Event Log formats. The LEEF format is the configuration used by this policy.

Prerequisites

An Azure subscription
A storage account for Windows Azure Diagnostics (WAD) logging
A machine that runs the Azure Log Integration service & a machine that would be monitored

Device Configuration Checklist

Installed Azure Log Integration from the installer
Post-installation and validation steps
Integrate Windows VM Logs
Integrate Azure activity logs

Currently Supported Log Types

Type	Product Version	Supported Schema Fields
Administrative	1.0	Description, level, resourceGroupName, status
Service health	1.0	eventName, level, resourceType, status
Alert	1.0	Description, level, resourceGroupName, resourceId, status
Security	1.0	Description, level, resourceGroupName, resourceType, resourceId, status

Parsed Metadata Fields

Product Field Name	LogRhythm Metadata Field	Value/Data Type
cat	vmid	Vendor Message ID
resourceGroupName	group	Group
resourceId	object	Object
resourceType	objecttype	Object Type
resourceType	objecttype	Object Type
sev	severity	Severity
src	sip	Source IP Address
status	status/result	Status/Result
usrName	login	Login