vRealize Log Insight Cloud is a very powerful tool that is using machine learning to group similar events together and give a true visibility from on-premises and Cloud SDDC deployment as well as all the native public clouds.
Forwarding Logs from vRealize Log Insight Cloud to a different repository (on-premises log analytics tools/SIEM) is a common question from customers.
In this blog post, I am going to show you how to forward logs to a Microsoft Azure Sentinel instance in the Coud.
Prerequisites
In order to send any type of logs to Azure Sentinel from vRLIC, a few prerequisites need to be met.
- A subscription to Microsoft Azure
- An Azure Log Analytics workspace in the Azure portal
- Enabling Microsoft Sentinel if it is not already activated
Creating an Azure Log Analytics workspace for Sentinel
The creation can be done directly or if you don’t have one you will have to create one during the Sentinel service activation.
To create the Log Analytics workspace, I have Click on the link from my Microsoft Azure portal:
I then have clicked Create:
I have entered the details of my Azure Subscription, my default Azure Resource Group, and the Region West US.
I have clicked Create and after a couple of seconds, the deployment was completed.
I know have access to my Workspace and will have to retrieve the Workspace ID and the Primary or Secondary Key needed by Log Insight to link to the Sentinel instance.
Enabling Microsoft Sentinel
I came back to my Azure Portal and very easily could click in the Microsoft Sentinel button to create my instance.
I clicked create and immediately it asked me to add Microsoft Sentinel to my workspace:
Configuring Log Forwarding in Log Insight
Here are the procedure to follow to configure the Microsoft Sentinel Log Forwarding Endpoint via the VRLIC UI.
Collect the Worskpace ID and Primary Key
The first step in preparing to configure Log Forwarding is to retrieve the Workspace ID and either the Primary key or the Secondary key from the Log Analytics workspace.
These keys can be found by navigating in the Azure portal to Log Analytics workspace > Settings > Agents management.
Add the Sentinel endpoint in Log insight Cloud
Under the Log Management menu option on the lefthand side, select Log Forwarding.
Create a new forwarding configuration by selecting New Configuration.
Name the configuration accordingly and select Cloud under Destination.
Under Endpoint Type, select Azure Sentinel.
Fill in Endpoint URL, WorkspaceID, and SharedKey.
- Endpoint URL: Grab the WorkspaceID and fill it in the following URL below
- https://<WorkspaceID>.ods.opinsights.azure.com/api/logs?api-version=2016-04-01
- If your workspaceID “abcd-1234”, then your URL will look like https://abcd-1234.ods.opinsights.azure.com/api/logs?api-version=2016-04-01
- WorkspaceID: This is an ID that helps determine which instance of Sentinel logs should be forwarded to. Access this value on your instance of Sentinel, selecting Agents management.
- SharedKey: This is a key that is used to generate the necessary authorization to forward logs. Access this value on your instance of Sentinel, selecting Agents management, under Primary Key.
Populate the headers “content-type” and “Log-Type”. “content-type” should be “application/json”. “Log-Type” will be the name of custom logs that Azure Sentinel will associate the logs forwarded with (only letters, numbers, and underscores “_” are permitted in this field according to Microsoft).
Filtering the Logs you want to forward
You can choose to filter the logs via its contents because you don’t want to forward all the logs to your Sentinel instance or you can decide that all logs to be forwarded.
You can, for instance, filter on a particular SDDC ID or on the type of log with the log_type field and choose only the nsxt logs.
Validate the connectivity
Before verifying the connection, you have to add a label to your logs by adding a value to the Log-Type field.
Select Verify to make sure the form was filled correctly. This will also send a test log to the user’s Sentinel Workspace to verify the connection can be made.
The button turns green and in the VERIFIED mode,
Select Save when verification is complete to save and enabled the configuration to start sending logs.
Verifying Logs are sent to Sentinel
In order to verify that the logs are sent I have had to switch back to the Azure Portal in the Sentinel workspace.
After logging in to Microsoft Azure, navigate to Microsoft Sentinel and select the Workspace that will receive the forwarded nsxt security events.
Under the General heading immediately below Overview click Logs, which will open up the Azure Queries modal. Close this modal.
Under the Tables tab, expand the Custom Logs heading to reveal the list of table names which should correspond to the value assigned during the Log Forwarding setup. For me it is nsxt, and the table is showed as nsxt_CL.
In order to verify the logs that are sent correctly over the connection, I have created and executed the following query:
union nsxt_CL
| where TimeGenerated >= datetime(2022-06-07T07:58:53.794Z) and TimeGenerated < datetime(2022-06-17T12:15:00.794Z) + 1h
Following logs were displayed:
It shows a compute gateway firewall rule match as stated in the logs text details:
That concludes my blog post for today, hope this will help you in forwarding log to a Microsoft Sentinel from vRealize Log insight Cloud .