Tutorial on how to stream existing Azure Windows VM event logs into an Azure Event Hub for consumption by a SIEM


Problem description


I am looking all over in Microsoft's docs to figure out how to stream an existing Azure deployed Windows VM and have it start streaming logs to a newly created event hub. In particular the Windows Event logs containing security, application, and system logs. I ran across this docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/azure-diagnostics which looks like it is possible. It refers to using Visual Studio etc... How can I modify the existing VM? I am just not sure how to get started and what to modify to enable this. Is this something I do with the portal? Or directly through PowerShell? I have already set up an event hub and followed docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-stream-activity-logs-event-hubs to get the portal activity log to work. I then have my SIEM (QRadar) connect to the event hub and see those events successfully, so I know the activity log portion is working correctly. It seems like a simple task but I just do not know where to start. I wish there was a video demonstrating this.

Recommended answer


You need to capture Windows event logs, then you can add them to the "WindowsEventLog" section of the diagnostics .wadcfgx file. By default, Azure Diagnostics always sends logs and metrics to an Azure Storage account. An application may also send data to Event Hubs by adding a new Sinks section under the PublicConfig / WadCfg element of the .wadcfgx file in Visual Studio. Follow this link to connect Azure Diagnostics to an Event Hub sink.

-----------------------------------------------------------------------------------------------


If this answer was helpful, click "Mark as Answer" or "Up-Vote". To provide additional feedback on your forum experience, click here
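The answer above describes the change in terms of the .wadcfgx file edited in Visual Studio; the asker also wondered whether it can be done directly from PowerShell. The script below is an added example, not code from the original thread or from Microsoft's docs, showing the same WadCfg configuration (WindowsEventLog data sources for Application, Security and System plus a SinksConfig/EventHub sink) applied to an existing VM through the IaaSDiagnostics extension with the Az PowerShell modules. All resource names (resource group, VM, storage account, Event Hub namespace, hub and authorization rule) are placeholders you would replace; the Event Hub URL, the storage account and the `SiemHub` sink name are assumptions for the example. The storage account is still required because the agent always writes to storage; the Event Hub sink is in addition to it, as the answer says.

```powershell
# Added example (not from the original post): configure the Azure Diagnostics
# (IaaSDiagnostics) extension on an existing Windows VM so the Application,
# Security and System event logs are shipped to an Event Hub sink in addition
# to the mandatory storage account. All names below are placeholders.
# Requires the Az.Compute, Az.Storage and Az.EventHub modules and an existing
# Event Hub with an authorization rule that has only the Send claim.

$rg      = 'rg-siem'            # placeholder resource group
$vmName  = 'vm-win-01'          # placeholder existing Windows VM
$storage = 'stdiagplaceholder'  # placeholder storage account (agent always needs one)
$ehNs    = 'ehns-siem'          # placeholder Event Hub namespace
$ehName  = 'vm-eventlogs'       # placeholder Event Hub the SIEM reads from
$ehRule  = 'SendRule'           # placeholder Send-only SAS rule (least privilege for the agent)

# Resolve secrets at run time rather than pasting them into the script.
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $storage)[0].Value
$ehKey      = (Get-AzEventHubKey -ResourceGroupName $rg -NamespaceName $ehNs `
                 -EventHubName $ehName -Name $ehRule).PrimaryKey
$ehUrl      = "https://$ehNs.servicebus.windows.net/$ehName"

# Public settings: the WadCfg the answer refers to, expressed as JSON instead of
# the .wadcfgx XML. The "sinks" attribute routes the three channels to the hub.
$publicSettings = @{
    StorageAccount = $storage
    WadCfg = @{
        DiagnosticMonitorConfiguration = @{
            overallQuotaInMB = 5120
            WindowsEventLog = @{
                scheduledTransferPeriod = 'PT1M'
                sinks      = 'SiemHub'
                DataSource = @(
                    @{ name = 'Application!*' }
                    @{ name = 'Security!*' }     # Security channel can be high-volume; narrow with an XPath filter if needed
                    @{ name = 'System!*' }
                )
            }
        }
        SinksConfig = @{
            Sink = @(
                @{
                    name     = 'SiemHub'
                    EventHub = @{
                        Url                 = $ehUrl
                        SharedAccessKeyName = $ehRule
                    }
                }
            )
        }
    }
}

# Protected settings: keys never appear in the public (readable) extension config.
$protectedSettings = @{
    storageAccountName     = $storage
    storageAccountKey      = $storageKey
    storageAccountEndPoint = 'https://core.windows.net'
    EventHub = @{
        Url                 = $ehUrl
        SharedAccessKeyName = $ehRule
        SharedAccessKey     = $ehKey
    }
}

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name 'Microsoft.Insights.VMDiagnosticsSettings' `
    -Publisher 'Microsoft.Azure.Diagnostics' -ExtensionType 'IaaSDiagnostics' `
    -TypeHandlerVersion '1.5' `
    -SettingString ($publicSettings | ConvertTo-Json -Depth 10) `
    -ProtectedSettingString ($protectedSettings | ConvertTo-Json -Depth 10)

# Confirm the extension provisioned; events should then start arriving in the hub
# within about a minute (the scheduledTransferPeriod above).
(Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName `
    -Name 'Microsoft.Insights.VMDiagnosticsSettings').ProvisioningState
```

Once the extension reports Succeeded, the SIEM connector that already consumes the activity-log hub can be pointed at this second hub (or the same one) with a Listen-only rule, so neither side's credential can do more than its direction of traffic requires.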

