Azure Event Hub help

1. Describe your incident:
We have a Graylog with several inputs, but now we want to add events from Microsoft Defender (via Azure Event Hub). We have installed the latest Graylog and we’ve added the Azure Event Hub input. But the input we get doesn’t add the properties from the Event Hub. We only get the information in the screenshot, but nothing else in Graylog. We have contacted Microsoft and according to them, they send all the information to Graylog but Graylog doesn’t handle it.

This is all the information Graylog gives us:
[screenshot: Graylog-Azure]

2. Describe your environment:

  • OS Information:
    Linux 5.4.0-104-generic
  • Package Version:
    4.3.7
  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
Tried to get an answer from the community, and have had help from Microsoft to make sure that the logs are sent from them.

4. How can the community help?
Someone who has done this and gets events from Azure Event Hub?


Hello && Welcome @ITT-MHS

I personally have not used the input “Azure Log Events”, but I might be able to help troubleshoot your issue.
Can I ask why you’re using Azure Event Hub to get logs from Microsoft Defender?

Have you tried using a log shipper and sending those messages directly to Graylog?

Looks like the logs are arriving at the Graylog server. Can you tell us in greater detail what you mean by “Graylog doesn’t handle it”? What are you expecting to happen?

EDIT: I did find something like this

Can I ask why you’re using Azure Event Hub to get logs from Microsoft Defender?

Since we have a customer that wants to use Azure and Defender as a platform, but we don’t really want to use Sentinel since we have Graylog for every other customer.

Looks like the logs are arriving at the Graylog server. Can you tell us in greater detail what you mean by “Graylog doesn’t handle it”? What are you expecting to happen?

Yeah, well, all the information that Graylog presents to us is in the screenshot, but when we look at the logs from Microsoft we get plenty more output (IP, what kind of threat, whether it’s handled and so forth), but none of that shows up in Graylog.

I will check the link and see if that’s something we can use :slight_smile:

Azure Event Hub supports a lot of different message formats and fields. Graylog parses only a small subset of common message types:
https://docs.graylog.org/docs/azure-event-hub

We understand that this is quite limiting and are looking into providing a more generic parsing ability. Stay tuned.

1 Like
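For readers hitting the same limitation: the reply above says the input only parses a few message types, so one workaround is to parse the remaining JSON yourself with a processing pipeline rule. The rule below is an added example written for this thread, not code from Graylog or from anyone in the discussion. It assumes the Event Hub record reaches the message as a JSON string in the message field (on your input it may be a different field, so check the raw message first), and the two JSON paths in select_jsonpath are placeholders to be replaced with the key names you actually see in your Defender records.

```text
rule "flatten Azure Event Hub JSON payload"
when
  // Assumption: the input stores the raw Event Hub record as a JSON string in "message".
  has_field("message") && starts_with(to_string($message.message), "{")
then
  let json = parse_json(to_string($message.message));

  // Promote every top-level key of the JSON object to its own message field,
  // so the properties the input dropped become searchable in Graylog.
  let fields = to_map(json);
  set_fields(fields);

  // Nested objects arrive as a single value each; pull out individual paths
  // with select_jsonpath. These two paths are placeholders: substitute the
  // keys present in your own Defender records.
  let picked = select_jsonpath(json, {
    azure_category: "$.category",
    azure_operation: "$.operationName"
  });
  set_fields(picked);

  // Marker field so you can confirm in search that the rule actually fired.
  set_field("azure_json_parsed", true);
end
```

Attach the rule to a pipeline connected to the stream the Azure input writes to, then search for azure_json_parsed:true to verify it ran. If nothing matches, the raw JSON is probably in a different field than message, or the record is wrapped in an outer object (for example a records array), in which case adjust the field name and the JSON paths before anything else.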
