deniskutin
Jul 01, 2020, Copper Contributor
Ingesting logs from Event Hub
Hey guys, I wanted to give Sentinel a try. But there is one thing I'd like to clarify beforehand. Our current ingestion pipeline: we are receiving logs into Event Hubs (EH), read them by Logs...
deniskutin
Jul 02, 2020, Copper Contributor
Hey CliveWatson
Thank you for your answer.
Sorry about that: didn't cover this point in my question.
We have a large number of agents we are gathering logs from. E.g., clients' endpoints (Win, Linux, Mac), network devices (via syslog), Azure Insights, 3rd-party tool integrations (reading files), info from SPAN (raw network data). All of them come into EH. Then the pipeline I mentioned before happens.
Not all of these log sources can be sent directly to LA, unfortunately. And it would be a big task to re-engineer the agent infrastructure we are using now.
So, yeah, my question is more about Azure EH and LA integration (not directly Sentinel related): is it possible to route (copy) data from EH to LA to use in Sentinel afterward? I was hoping someone in the community had faced this task.
CliveWatson
Microsoft
Jul 02, 2020
You might get another response from the Log Analytics members, but I'd start by looking at a Logic App https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-azure-event-hubs or maybe an Azure Function https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-event-hubs-trigger?tabs=csharp to do this
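The Azure Function route suggested above, as an added example that is not code from this thread or from Microsoft: it turns a batch of Event Hub message bodies into records and builds the HMAC-SHA256-signed POST that the Log Analytics HTTP Data Collector API expects, which is what lands the data in a custom table Sentinel can query. Workspace ID, shared key, event hub name and connection setting are constructed placeholders.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone
from typing import List, Optional

# Constructed placeholder credentials. In a real Function read these from app settings
# or Key Vault; the shared key grants write access to the whole workspace.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()
LOG_TYPE = "EventHubForwarded"  # LA creates the custom table EventHubForwarded_CL

def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    # Canonical string the Data Collector API signs: verb, length, type, date header, resource.
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"

def build_signature(shared_key_b64: str, content_length: int, rfc1123_date: str) -> str:
    key = base64.b64decode(shared_key_b64)  # the portal shows the key base64-encoded
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def events_to_records(raw_events: List[bytes]) -> List[dict]:
    # Each Event Hub body is expected to be a JSON object; anything else is wrapped so
    # malformed producers cannot make the whole batch fail.
    records = []
    for raw in raw_events:
        try:
            rec = json.loads(raw)
            if not isinstance(rec, dict):
                rec = {"Message": rec}
        except ValueError:
            rec = {"Message": raw.decode("utf-8", "replace")}
        rec.setdefault("TimeGenerated", datetime.now(timezone.utc).isoformat())
        records.append(rec)
    return records

def build_request(records: List[dict], rfc1123_date: Optional[str] = None):
    # Returns (url, headers, body) ready for requests.post(url, headers=headers, data=body).
    body = json.dumps(records).encode("utf-8")
    date = rfc1123_date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {WORKSPACE_ID}:{build_signature(SHARED_KEY, len(body), date)}",
        "Log-Type": LOG_TYPE,
        "x-ms-date": date,
        "time-generated-field": "TimeGenerated",  # use the record's own timestamp in LA
    }
    url = f"https://{WORKSPACE_ID}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body

# Function entry point (Python v2 model; names of the hub and connection setting are assumed):
# @app.event_hub_message_trigger(arg_name="events", event_hub_name="logs", connection="EH_CONN", cardinality="many")
# def forward(events):  # events: list of func.EventHubEvent
#     url, headers, body = build_request(events_to_records([e.get_body() for e in events]))
#     requests.post(url, headers=headers, data=body, timeout=10).raise_for_status()
```

A Logic App with the Event Hubs connector and the "Send Data" Log Analytics action does the same signing for you; the Function is the option when the per-event reshaping above is needed.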