Forum Discussion

deniskutin's avatar
deniskutin
Copper Contributor
Jul 01, 2020
Solved

Ingesting logs from Event Hub

Hey guys,   I wanted to give a try to Sentinel. But there is one thing I'd like to clarify before.    Our current ingestion pipeline: we are receiving logs into Event Hubs (EH), read them by Logs...
analytics
data collection
CliveWatson's avatar
CliveWatson
Former Employee
Jul 01, 2020

deniskutin 

 

It depends on the data sources you want to send to Log Analytics & Azure Sentinel, IaaS (Azure or hybrid) devices will need an agent, either the Microsoft Management Agent(MMA) or Logstash - you decide which you prefer.  You can log forward with Linux / Logstash as well.   
Data that you send to an EventHub today, if that comes from Azure, you are typically sending from the Diagnostics settings of your resource (SQL DB etc...), and each resource diagnostic blade normally has alternative options to send to Storage or Log Analytics - so you just need to re-map those resources.  

Example from the Public IP resource, you can check Log Analytics instead as well as Event Hub, or just the one you need.

 

deniskutin's avatar
deniskutin
Copper Contributor
Jul 02, 2020

Hey CliveWatson 

 

Thank you for your answer. 

Sorry about that: didn't cover this point in my question.

 

We have a big deal of agents we are gathering logs from. Ex., clients' endpoints (Win, Linux, Mac), network devices (via syslog), Azure Insights, 3-rd party tools integrations (reading files), info from SPAN (raw network data). All of them come into EH. Than the pipeline I mentioned before happens.

 

Not all these log source are possible to send directly to LA, unfortunately. And it would be a big task to re-engineer agent's infrastructure we are using now. 

 

So, yeah, my question more about Azure EH and LA integration (not directly Sentinel related): is it possible to route (copy) data from EH to LA to use in Sentinel afterward? But was hoping someone in the community faced this task.

Resources