I’m about to set this up too. From the looks of it you’re meant to set up a
Windows server ($$), install some agent on it and that will download the
JSON Azure logs into a directory structure? Then you’re trying to use NXLOG
to parse those files and upload the data to graylog?
That sounds exactly like what I am planning to do - did you get anywhere? Are
you saying the JSON format wasn’t supported by NXLOG?
Yes, it works that way. I got JSON files on the log integration server, read with NXLog and at first it seemed to work, but then I started to get just segments of events, not full events. Writing to the JSON files and reading with NXLog did not work properly. I was just wondering if someone has figured out the correct way to do it.
Our Ops team just installed the Azure audit agent and handed off to my
team. I think I am now where you are and have the same problem
I think the issue is due to Azure JSON data being multi-array? i.e. {
"field": { "subfield1": "value", "subfield2": "value2" } }
That isn’t supported by graylog, so I guess it’s been dropped? I can’t see
any errors in graylog-server.log - shouldn’t such a drop be reported
somewhere?
I think we have stumbled on the same thing. I tried importing with nxlog,
but it seems nxlog is not supporting it either, or then I just configured
it the wrong way.
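
An added example, not part of the thread or of any NXLog or Graylog code: a small Python reader that addresses both symptoms described above by releasing an event only once its JSON is complete and by flattening nested objects into single-level fields before forwarding. It assumes the files contain JSON objects written one after another; the field names, the sample events and the underscore naming are constructed for illustration.

```python
import json

def flatten(value, prefix="", sep="_"):
    """Collapse nested objects/arrays into one level of scalar fields."""
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = enumerate(value)
    else:
        return {prefix: value}
    flat = {}
    for key, child in items:
        name = f"{prefix}{sep}{key}" if prefix else str(key)
        flat.update(flatten(child, name, sep))
    return flat

class EventBuffer:
    """Hold text read from a file that is still being written and release
    only events whose JSON is complete."""

    def __init__(self):
        self._pending = ""
        self._decoder = json.JSONDecoder()

    def feed(self, chunk):
        self._pending += chunk
        events = []
        while True:
            self._pending = self._pending.lstrip()
            if not self._pending:
                break
            try:
                obj, end = self._decoder.raw_decode(self._pending)
            except json.JSONDecodeError:
                break  # event not fully written yet; keep it for the next read
            events.append(flatten(obj))
            self._pending = self._pending[end:]
        return events

# Constructed sample: two events, the second containing an array.
SAMPLE = (
    '{"time": "2018-01-01T00:00:00Z", "properties": '
    '{"caller": "alice@example.com", "claims": {"ip": "203.0.113.7"}}}\n'
    '{"time": "2018-01-01T00:00:05Z", "properties": {"roles": ["Reader", "Owner"]}}\n'
)

if __name__ == "__main__":
    buf = EventBuffer()
    print(buf.feed(SAMPLE[:60]))   # cut mid-event: nothing released
    print(buf.feed(SAMPLE[60:]))   # remainder arrives: two flat events
```

A record that is genuinely malformed, rather than merely unfinished, would stay in the buffer indefinitely, so a production reader should also cap the pending size and log what it discards.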