GouravIN
Sep 11, 2018

How to send Data from Log Analytics to Qradar (or any app)

Hi Team,

I am integrating Event Hub with QRadar for security purposes. I have created an Event Hub and streamed all the activity logs (for 10 subscriptions) into it. Now I want to stream Monitor and syslog and other data into the Event Hub.

Due to a limitation of Event Hub I cannot directly stream data into it. So my seniors proposed the structure below to send data from OMS to Event Hub. But I am not sure how I can build a query for sending OMS data to Event Hub.

I have gone through the link below; using this I can read Event Hub data using OMS. But I want to send OMS data into Event Hub.

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-activity-logs-subscriptions

  • I think I found the way to do it. Please see the attached screenshot. Please leave a reply if it works.

    • chrish80
      Sandeep Chigullapally What are you using for the Content and Properties? I'm having a hard time determining the right values. With some things I get a serialization issue, with other combos I get a null value error. Any help would be greatly appreciated! Thanks! EDIT: I just realized this was a general use case thread and not actually one specifically about getting NSG flow logs to Event Hub. If someone knows whether this is possible and what the magic combo is, that would be awesome.

    • GouravIN
      Indeed, the same method I am using, but thanks for the information.
  • Hi Gourav,

    I am also in the same situation, trying to find out how to send events from a Log Analytics workspace to EH. No luck for me yet, but from my research I can conclude that Logic Apps cannot do this task, because in Logic Apps we cannot define Log Analytics as a trigger; it can only be set as an action.

    E.g.: if we say that the Logic App has to trigger based on event availability/time (like every 10 min) in Log Analytics (OMS), we cannot do this in a Logic App because Log Analytics cannot be used as a trigger point. We can only say that if something gets triggered, send it to Log Analytics (action).

    Thanks

    Sandeep
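Sandeep's observation that Log Analytics can only be an action, not a trigger, means the workable pattern is a scheduled poll: a Recurrence trigger or timer runs a Log Analytics query, and the rows it returns are pushed to the Event Hub. The Python below is an added example of that poll loop and is not code from anyone in this thread. The tables/columns/rows structure is the shape the Log Analytics query REST API returns; the 256 KB batch cap, the ingestion-time watermark, and the `query_fn`/`send_batch` callbacks (where the REST call and the Event Hub producer would go) are assumptions of the example, as is the sample response.

```python
"""Poll a Log Analytics workspace on a schedule and forward new rows to an
Event Hub in size-bounded batches.

Added example for this thread, not code from any poster. The
tables/columns/rows response shape matches the Log Analytics query REST API;
the batch byte limit, the ingestion-time watermark and the query_fn /
send_batch callbacks are assumptions standing in for the REST call and the
Event Hub producer.
"""
import json
from datetime import datetime, timezone

# Assumption: keep each batch well under the Event Hub per-batch size limit.
MAX_BATCH_BYTES = 256 * 1024

# Constructed sample response in the Log Analytics REST API shape. The third
# row has an old TimeGenerated but a fresh ingestion time: a late arrival that
# a TimeGenerated-based watermark would silently skip.
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "IngestedAt", "type": "datetime"},
            {"name": "Computer", "type": "string"},
            {"name": "SyslogMessage", "type": "string"},
        ],
        "rows": [
            ["2018-09-11T10:00:05Z", "2018-09-11T10:00:08.5Z", "web01",
             "sshd[123]: Accepted publickey for root"],
            ["2018-09-11T10:00:07Z", "2018-09-11T10:00:09.1234567Z", "web02",
             "sshd[456]: Failed password for admin"],
            ["2018-09-11T09:59:50Z", "2018-09-11T10:00:09.2Z", "web02",
             "sudo: admin : command not allowed"],
        ],
    }]
}


def parse_ts(value):
    """Parse an API timestamp; the service may emit up to 7 fractional digits."""
    body = value.rstrip("Z")
    if "." in body:
        whole, frac = body.split(".", 1)
        body = f"{whole}.{frac[:6]}"  # strptime's %f accepts at most 6 digits
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def format_ts(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_query(table, watermark):
    """KQL for one poll: rows ingested strictly after the watermark.

    Filtering on ingestion_time() instead of TimeGenerated keeps late-arriving
    records (TimeGenerated already behind the watermark) from being missed.
    """
    return (f"{table} | extend IngestedAt = ingestion_time() "
            f"| where IngestedAt > datetime({watermark}) "
            f"| order by IngestedAt asc")


def rows_to_records(response):
    """Flatten the tables/columns/rows shape into one dict per row."""
    records = []
    for table in response.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        records.extend(dict(zip(names, row)) for row in table["rows"])
    return records


def batch_records(records, max_bytes=MAX_BATCH_BYTES):
    """Serialize records to compact JSON and group them under max_bytes per batch."""
    batches, current, size = [], [], 0
    for rec in records:
        body = json.dumps(rec, separators=(",", ":")).encode("utf-8")
        if len(body) > max_bytes:
            raise ValueError(f"record of {len(body)} bytes exceeds {max_bytes}-byte limit")
        if current and size + len(body) > max_bytes:
            batches.append(current)
            current, size = [], 0
        current.append(body)
        size += len(body)
    if current:
        batches.append(current)
    return batches


def run_once(table, watermark, query_fn, send_batch):
    """One scheduled run: query, batch, send, return the advanced watermark.

    query_fn(kql) -> response dict and send_batch(list_of_bytes) are the
    hypothetical hooks where the REST call and Event Hub producer would go.
    """
    records = rows_to_records(query_fn(build_query(table, watermark)))
    for batch in batch_records(records):
        send_batch(batch)
    newest = parse_ts(watermark)
    for rec in records:
        newest = max(newest, parse_ts(rec["IngestedAt"]))
    return format_ts(newest)


if __name__ == "__main__":
    sent = []
    mark = run_once("Syslog", "2018-09-11T10:00:00.000000Z",
                    lambda kql: SAMPLE_RESPONSE, sent.append)
    print(f"sent {sum(len(b) for b in sent)} events in {len(sent)} batch(es); "
          f"next watermark {mark}")
```

The watermark is persisted between runs (in a Logic App it would live in a variable or storage, in a Function in its state store) and advanced only after the batches were handed off, so a failed send is retried on the next poll rather than lost. Watermarking on `ingestion_time()` rather than `TimeGenerated` matters for syslog and agent data, where a row can land in the workspace minutes after the event time it carries; the third sample row shows exactly that case.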
