I've not tried this myself, but in theory you can do this. You could create a gateway log source for the event hub, and probably have a dedicated event hub for this purpose (Windows events), and then for everything that comes from the event hub, you'd set their log source identifier to whatever your RegEx matches in the gateway log source configuration. This can help avoid the need to do parse ordering, where events may be parsed under the wrong DSM in some instances.
------------------------------
Jared Fagel
Cyber Security Analyst
ALLETE Inc.
------------------------------
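As an added illustration of the routing described in the reply above (this is example code written for this page, not part of the reply and not QRadar's own implementation), the Python below simulates a gateway log source: every message read from the event hub is matched against one regex, the capture group becomes the log source identifier, and events from different Windows hosts therefore land on different log sources even though they all arrive through one Event Hub protocol instance. The JSON record shape, the `Computer` field name, the sample events and the fallback identifier are all constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample messages as they might arrive from an event hub: one
# JSON record per message, carrying a Windows event. The field names are an
# assumption for this example, not a guaranteed Azure or QRadar schema.
SAMPLE_MESSAGES = [
    '{"Computer": "DC01.corp.example", "EventID": 4624, "Channel": "Security"}',
    '{"Computer": "DC01.corp.example", "EventID": 4672, "Channel": "Security"}',
    '{"Computer": "WS-042.corp.example", "EventID": 7045, "Channel": "System"}',
    # Constructed edge case: no Computer field, so the regex will not match.
    '{"EventID": 1000, "Channel": "Application"}',
]

# The "log source identifier pattern": whatever group 1 captures becomes the
# identifier. Only the capture group is used, so the surrounding JSON is not
# part of the identifier.
IDENTIFIER_PATTERN = re.compile(r'"Computer"\s*:\s*"([^"]+)"')

# Identifier used when the pattern does not match (assumed fallback; a real
# gateway would typically keep such events on the gateway log source itself).
FALLBACK_IDENTIFIER = "azure-eventhub-gateway"


def log_source_identifier(raw_message: str,
                          pattern: re.Pattern = IDENTIFIER_PATTERN,
                          fallback: str = FALLBACK_IDENTIFIER) -> str:
    """Return the identifier the regex extracts from one raw message.

    Hostnames are lower-cased so 'DC01' and 'dc01' map to one log source.
    """
    match = pattern.search(raw_message)
    if not match:
        return fallback
    return match.group(1).lower()


def route_events(messages):
    """Group events by the log source identifier the pattern yields.

    Returns a dict: identifier -> list of (EventID, Channel) tuples, which is
    enough to see that each host ends up on its own log source and that the
    unmatched event is kept rather than dropped.
    """
    routed = defaultdict(list)
    for raw in messages:
        record = json.loads(raw)
        identifier = log_source_identifier(raw)
        routed[identifier].append((record.get("EventID"), record.get("Channel")))
    return dict(routed)


if __name__ == "__main__":
    for ident, events in route_events(SAMPLE_MESSAGES).items():
        print(f"{ident}: {events}")
```

Checking the fallback bucket after a run is the practical test of the pattern: anything landing there is an event the regex did not recognise, which is exactly the class of event that would otherwise be auto-detected under the wrong DSM.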
Original Message:
Sent: Wed July 26, 2023 01:37 AM
From: Cyber Post
Subject: Windows Logs through Azure Event hub
Hi All,
Has anyone parsed Windows logs (security/audit/system) that were sent through Event Hub?
Any idea how we can separate the log sources from the Azure Event Hub protocol?
Thanks