IBM Support

QRadar: Using Microsoft Azure Event Hub as a Gateway

Troubleshooting


Problem

The Microsoft Azure Event Hub log source shows a status of "Success", but no events are received by this log source and Last Event Received shows "N/A".

Resolving The Problem

What is the "Use as a Gateway" option for the Microsoft Azure Event Hub Log Source?

Use as a Gateway means the log source identifies the incoming events and forwards each one to the appropriate device. A Microsoft Azure log source used as a gateway does not process the events itself; instead, they are processed by the Dummy log sources that the gateway creates. As a result, the Azure log source used as a gateway shows a status of "Success" but receives no new events.

The Use as a Gateway option must be selected if the Azure Event Hub is configured to send events that are not Azure specific (which excludes Azure Linux events).

What happens when the Microsoft Azure Event Hub Log Source is used as a gateway?

The Use as a Gateway option specifies whether to use Traffic Analysis or the selected log source type (DSM). When Use as a Gateway is not selected, the Azure Log Source tries to parse all the incoming events as the specified DSM.

  • This can be used when the event hub contains only one event type.
  • This option allows the protocol to act like a standard protocol and funnel things through only the specified DSM.


When Use as a Gateway is selected, the protocol attempts to match the incoming events to an existing DSM as best as possible. To parse various log source types, QRadar creates Dummy Log Sources to parse the events, because QRadar can assign only a single log source type per log source. The protocol identifies the type of each incoming event and creates a log source for each identifier found. The protocol can currently identify the following types: Azure Events, Azure Linux Events, and Syslog.

  • When an Azure Event is detected, it parses the event and creates a Dummy Log Source for each subscriber ID. The identifier for these log sources is the subscriber ID.
  • Azure Linux Events are converted to syslog and treated like any other Linux event detected by Traffic Analysis.
  • Syslog events are parsed as is, and if the event is a format Traffic Analysis understands, a Dummy Log Source is created.
  • Traffic Analysis is QRadar's Log source detection engine that allows log source types to be identified and configured automatically.


How to collect Windows events by using Microsoft® Azure Event Hub

Create a new log source in the Log Source Management app (LSM)

Step 1: Select log source type Universal DSM.

Step 2: Select protocol type Microsoft Azure Event Hubs.

Step 3: Complete the Name and Description fields and select the Target Event Collector.

Step 4:
  • The Log Source Identifier (LSI) for this log source cannot include spaces and must be unique among all log sources of this type.
  • Complete the necessary authentication information: either a connection string (preferred method), or the Namespace Name, Event Hub Name, SAS Key Name and SAS Key (deprecated method).
  • Complete your consumer group.
  • If you need to use a Storage Account, enable this option and complete your Storage Account Connection String.
  • Enable Use As A Gateway Log Source.
  • Define the LSI pattern as:
$1=COMPUTERNAME=\"(.*?)\" 
The values captured from "computername" become the Log Source Identifiers of the auto-detected log sources.

Step 5: Run a Test (recommended) or click Skip and then Finish.

Step 6: Deploy the log source you created.

Now you can bulk add Windows log sources with log source type Syslog on Azure and enable the gateway log source if you have not already done so.
Monitor Log Activity to see the Windows log sources being auto-detected and parsed.
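To show how the LSI pattern from Step 4 drives the gateway, the following Python snippet is an added example (it is not QRadar code and does not reproduce QRadar's internal matching): it applies the same $1=... pattern to constructed sample events, groups them by the extracted computer name (one auto-detected log source per identifier), and reports events that would be rejected because the identifier contains a space or that do not match the pattern at all.

```python
import re
from collections import defaultdict

# The LSI pattern exactly as entered in the log source configuration above:
# "$1=" names the capture group that becomes the Log Source Identifier,
# the remainder is the regular expression applied to each event.
LSI_PATTERN = r'$1=COMPUTERNAME=\"(.*?)\"'

# Constructed sample events (not real Azure data) in the shape the pattern expects.
# The last two are deliberate edge cases: a computer name with a space (invalid LSI)
# and a plain syslog line that does not match the pattern at all.
SAMPLE_EVENTS = [
    'EventID=4624 COMPUTERNAME="WEB01" Message="An account was successfully logged on"',
    'EventID=4634 COMPUTERNAME="WEB01" Message="An account was logged off"',
    'EventID=4720 COMPUTERNAME="DC01" Message="A user account was created"',
    'EventID=4625 COMPUTERNAME="BAD HOST" Message="An account failed to log on"',
    '<14>Mar 29 10:00:00 linuxvm sshd[123]: Accepted publickey for alice',
]


def parse_lsi_pattern(pattern):
    """Split a '$N=<regex>' LSI pattern into the group number and compiled regex."""
    m = re.fullmatch(r'\$(\d+)=(.*)', pattern, re.DOTALL)
    if not m:
        raise ValueError("LSI pattern must have the form $N=<regex>")
    return int(m.group(1)), re.compile(m.group(2))


def extract_lsi(event, group, regex):
    """Return the identifier captured from one event, or None if it does not match."""
    m = regex.search(event)
    return m.group(group) if m else None


def route_events(events, pattern):
    """Group events by identifier the way the gateway would assign them to log sources.

    Returns (routed, unmatched, invalid): routed maps each identifier to its events;
    unmatched holds events the pattern did not match; invalid holds events whose
    identifier would violate the no-spaces rule for Log Source Identifiers.
    """
    group, regex = parse_lsi_pattern(pattern)
    routed, unmatched, invalid = defaultdict(list), [], []
    for event in events:
        lsi = extract_lsi(event, group, regex)
        if lsi is None:
            unmatched.append(event)
        elif not lsi or ' ' in lsi:
            invalid.append(event)
        else:
            routed[lsi].append(event)
    return dict(routed), unmatched, invalid
```

Events that end up in the unmatched bucket are what the gateway would hand to Traffic Analysis instead, so an empty routed map with a full unmatched list is a quick sign that the LSI pattern does not fit the payload format the hub is delivering.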

Identifying the New Log Sources:

The events come in through normal Traffic Analysis, which uses the gateway Log Source. For Syslog events, search Log Activity by the host IP to find the new Log Source. The new Log Sources for Azure events can be found by searching Log Activity or Log Sources for the Azure Event Hub Subscriber ID.

The new Log Source Name appears as Microsoft Azure @ [Subscriber ID] or LinuxServer @ [Subscriber ID].

Examples:

  • Microsoft Azure @ 601BF113-FBA7-4EEC-817C-123A4B123456
  • LinuxServer @ 601bf113-fba7-4eec-817c-123a4b123456

Results: Your Log Source is configured as a gateway Log Source.

Document Location

Worldwide


Document Information

Modified date:
29 March 2023

UID

ibm16958719