IBM Security QRadar

  • 1.  Windows Logs through Azure Event hub

    Posted Wed July 26, 2023 01:37 AM
    Edited by Cyber Post Wed July 26, 2023 01:38 AM

    Hi All,

    Has anyone parsed Windows logs (security/audit/system) that were sent through Event Hub?

    Any idea how we can separate the log source from the Azure Event Hub protocol?

    Thanks



  • 2.  RE: Windows Logs through Azure Event hub

    IBM Champion
    Posted Tue August 01, 2023 01:46 PM

    I've not tried this myself, but in theory you can do this. You could create a gateway log source for the event hub, and probably have a dedicated event hub for this purpose (windows events), and then for everything that comes from the event hub, you'd set their log source identifier to whatever your RegEx matches in the gateway log source configuration. This can help avoid the need to do parse ordering where events may be parsed under the wrong DSM in some instances.



    ------------------------------
    Jared Fagel
    Cyber Security Analyst
    ALLETE Inc.
    ------------------------------
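    The approach in the reply above hinges on one thing: a regex that pulls a per-host identifier out of each raw event so the gateway can hand it to the right log source. The following is an added example for testing such a pattern offline before configuring it; it is not QRadar code and not part of this thread. The batched `{"records": [...]}` envelope, the `Computer` and `EventID` field names, and the fallback identifier `eventhub-windows` are assumptions for the illustration, as is the pattern itself.

```python
import json
import re

# Constructed sample batch: two Windows events carrying a host name and one
# record with no host field, to exercise the "regex did not match" path.
# The envelope shape and the field names are assumptions for this example.
SAMPLE_BATCH = json.dumps({
    "records": [
        {"time": "2023-07-26T01:37:00Z", "Computer": "DC01.corp.example",
         "EventID": 4624, "Channel": "Security"},
        {"time": "2023-07-26T01:37:05Z", "Computer": "fs02.corp.example",
         "EventID": 4663, "Channel": "Security"},
        {"time": "2023-07-26T01:37:09Z", "category": "Administrative",
         "resultType": "Success"},
    ]
})

# Hypothetical candidate for the gateway's Log Source Identifier pattern:
# capture the host name from the "Computer" field. A gateway applies its
# regex to each raw event, so the test below runs it per record, not per batch.
IDENTIFIER_PATTERN = re.compile(r'"Computer"\s*:\s*"(?P<host>[^"]+)"')


def split_batch(batch: str) -> list[str]:
    """Turn one batched payload into one raw JSON string per record."""
    return [json.dumps(r, separators=(",", ":")) for r in json.loads(batch)["records"]]


def log_source_identifier(raw_event: str, pattern: re.Pattern, fallback: str) -> str:
    """Identifier the regex would assign to this event.

    Host names are lower-cased so "DC01" and "dc01" do not spawn two log
    sources. When the regex does not match, the protocol-level fallback is
    returned, which is where the event would land on the gateway itself.
    """
    if "host" not in pattern.groupindex:
        raise ValueError("pattern must define a named capture group 'host'")
    m = pattern.search(raw_event)
    return m.group("host").lower() if m else fallback


def route_batch(batch: str, pattern: re.Pattern = IDENTIFIER_PATTERN,
                fallback: str = "eventhub-windows") -> dict[str, list[str]]:
    """Map each record in the batch to the identifier it would be routed under."""
    routed: dict[str, list[str]] = {}
    for raw in split_batch(batch):
        routed.setdefault(log_source_identifier(raw, pattern, fallback), []).append(raw)
    return routed


if __name__ == "__main__":
    for ident, events in route_batch(SAMPLE_BATCH).items():
        print(f"{ident}: {len(events)} event(s)")
```

    Running this against a representative sample of real Event Hub payloads before changing the gateway configuration shows two things at once: which identifiers the pattern produces, and how many events fall through to the fallback. A large fallback bucket means the pattern is missing a record shape and those events would be parsed under the gateway's DSM rather than the intended Windows log source.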



  • 3.  RE: Windows Logs through Azure Event hub

    Posted Thu August 03, 2023 12:03 AM

    @Jared Fagel  I was looking for a pattern (regex) of how this can be achieved.

    Can you help?