Azure Monitor provides base-level infrastructure metrics and logs for most services in Microsoft Azure. Azure services that do not yet put their data into Azure Monitor will put it there in the future.

Azure monitor allows you to forward monitoring data to eventhub.

A common scenario is to have a centralized SIEM based on syslog. The best option is for the SIEM to integrate directly with Azure monitor (Splunk, IBM QRadar, ArcSight...). If that is not available you can use an Azure Function accomplish this integration.

This project is a sample for testing purpuses.

The Azure monitor will send metrics to Event Hub. The Event Hub messages will trigger this Javascript Azure Function that will convert the message to syslog format and send to the correct server.

Note: To send the syslog messages to an internal server in a VNET, configure the Function App with VNET integration.

• Create Event Hub and setup Azure monitoring forwarding

• Create the Function App (v2). Make sure the runtime is Javascript.

• Import code or setup git deployment

• In the integrate section of the function, make sure Event Hub connection is pointing to the correct event hub

• In the Function App Application Settings, create the following App Settings:

  • SYSLOG_HOSTNAME: The source hostname in the syslog message
  • SYSLOG_SERVER: The remote syslog server
  • SYSLOG_PORT: The port syslog service is running
  • SYSLOG_PROTOCOL: TCP or UDP

  Note: Make sure the EventHub function app extension is installed. See: https://github.com/Azure/azure-functions-host/wiki/Updating-your-function-app-extensions