This article covers how to send Azure AD LDAP logs to a syslog server.
To send Azure AD LDAP logs to a syslog server, you can use Azure Monitor to forward the logs to an Event Hub, and then use a third-party tool such as syslog-ng to collect the logs from the Event Hub and send them to the syslog server. Follow these steps:
- In the Azure portal, navigate to Azure Active Directory.
- Click Diagnostic settings under the Monitoring section.
- Click + Add diagnostic setting to create a new diagnostic setting.
- Enter a name for the new diagnostic setting.
- Under Destination details, select Send to Event Hub as the destination.
- Click Configure to create a new Event Hub namespace and Event Hub.
- Enter a name for the Event Hub namespace and Event Hub and select the Azure region where you want to create them.
- Click Create to create the new Event Hub namespace and Event Hub.
- Under Categories, select AuditLogs and DirectoryServiceAccess to enable LDAP logs.
- Under Advanced, select LDAP as the protocol.
- Click Save to create the diagnostic setting.
- Install syslog-ng on a server that can access the Event Hub.
- Configure syslog-ng to consume logs from the Azure Event Hub by editing the syslog-ng configuration file, located at /etc/syslog-ng/syslog-ng.conf.
- Add the following configuration to the file (the options are placed inside the eventhub() driver, and the partition value, which was missing from the original listing, is shown as a placeholder):

    source azure-eventhub {
        eventhub(
            "ConsumerGroup"("log-consumer-group")
            "ConnectionString"("Endpoint=sb://your-event-hub-namespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=your-shared-access-key")
            "Partition"("<partition-id>")
            "StartingPosition"("EnqueuedTime")
            "BatchSize"(1)
            "BatchFlushTimeout"(1000)
            "BatchMaxSize"(32768)
            "BatchMaxWait"(5000)
        );
    };
    destination syslog-server {
        syslog("<Forwarder IP>" transport("udp") port(11717));
    };
    log {
        source(azure-eventhub);
        destination(syslog-server);
    };
Note: Replace "log-consumer-group" with the name of the Azure Event Hub consumer group you created, "your-event-hub-namespace" with the name of your Event Hub namespace, and "your-shared-access-key" with the shared access key for the Event Hub. Replace "<Forwarder IP>" with the IP address of the syslog forwarder you want to send the logs to. Because the connection string contains the shared access key, restrict read access to the syslog-ng configuration file to the syslog-ng service account.
- Save the syslog-ng configuration file and restart the syslog-ng service for the changes to take effect.
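The procedure above relies on a consumer that unwraps the Azure Monitor envelope from the Event Hub and hands each record to the forwarder on UDP port 11717. The following added example (not part of the original article or of syslog-ng) shows that bridge in Python: it parses a constructed {"records": [...]} Event Hub message body, renders each Azure AD AuditLogs record as an RFC 5424 syslog line with structured data, and ships it over UDP. The record fields, the local0 facility, the host and app names, and the SD-ID enterprise number 32473 (the value RFC 5424 reserves for documentation) are assumptions for illustration.

```python
import json
import socket
FACILITY_LOCAL0 = 16            # assumed facility for forwarded cloud audit logs
SEV_INFO, SEV_WARNING = 6, 4
# Constructed sample of the {"records": [...]} envelope Azure Monitor writes to Event Hub
# (field names follow the Azure AD AuditLogs schema; the values are made up).
SAMPLE_EVENTHUB_BODY = json.dumps({"records": [
    {"time": "2024-01-15T10:22:31.1234567Z", "category": "AuditLogs",
     "operationName": "Add member to group", "resultType": "Success",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
                    "targetResources": [{"displayName": "Privileged Group"}]}},
    {"time": "2024-01-15T10:23:05.0000000Z", "category": "AuditLogs",
     "operationName": "Reset password", "resultType": "Failure",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}}}},
]})

def _sd_escape(value):
    """Escape a PARAM-VALUE as RFC 5424 section 6.3.3 requires: backslash, double quote and ']'."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def _rfc5424_time(ts):
    """Azure emits 7 fractional digits; RFC 5424 allows at most 6, so truncate to microseconds."""
    if not ts.endswith("Z"):
        return ts
    base, _, frac = ts[:-1].partition(".")
    return base + ("." + frac[:6] if frac else "") + "Z"

def parse_eventhub_body(body):
    """Unwrap one Event Hub message body into its list of diagnostic records."""
    return json.loads(body).get("records", [])

def to_syslog(record, hostname="azure-ad", app="azuread-audit"):
    """Render one record as an RFC 5424 line; failed operations are sent at WARNING severity."""
    severity = SEV_WARNING if record.get("resultType") == "Failure" else SEV_INFO
    actor = record.get("properties", {}).get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "-")
    fields = (record.get("category", "-"), record.get("operationName", "-"), record.get("resultType", "-"), actor)
    # SD-ID uses 32473, the enterprise number RFC 5424 reserves for documentation examples (assumed here).
    sd = '[azuread@32473 category="%s" operation="%s" result="%s" actor="%s"]' % tuple(map(_sd_escape, fields))
    return "<%d>1 %s %s %s - - %s %s" % (FACILITY_LOCAL0 * 8 + severity, _rfc5424_time(record.get("time", "-")),
                                       hostname, app, sd, json.dumps(record, separators=(",", ":")))

def send_udp(lines, host, port=11717):
    """Ship rendered lines over UDP to the forwarder port used by the article's syslog-ng destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))
    return len(lines)

if __name__ == "__main__":
    for rec in parse_eventhub_body(SAMPLE_EVENTHUB_BODY):
        print(to_syslog(rec))
```

Run as a script it prints the two rendered lines; call send_udp(lines, "<Forwarder IP>") to deliver them to a real forwarder.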