
Hi all,

I am new here, so hello.

I am trying to work out a solution to collect IIS Access Log data from Azure App Services and then forward it to a SIEM such as Splunk, Loggly or ElasticSearch for security analysis, anomaly identification and alerting.

As far as I can see, NXLog may provide the link between the Azure Access Logs and my chosen SIEM. Am I right? I would prefer not to get into rewriting code, hence my interest in NXLog. In addition, it appears that NXLog is widely supported by SIEM tools.

With regards to implementation, would I be correct in thinking that one needs to set up a Linux or Windows VM on Azure with NXLog running on it? I am trying to avoid on-prem installs.

In conclusion, I would welcome your advice on how I could use NXLog as a simple collector and forwarder of Access data. One final word, the Access Logs are currently stored in Azure Storage Blobs, although I could go back to storing them in the File System.

Thanks.

Asked September 30, 2018 - 12:17am

Answers (2)

Hello EdB,

We're glad to see you're interested in using NXLog. NXLog could provide a link between your access logs stored in Azure and your chosen SIEM solution. You would be correct in your thinking that you'd need a place to run NXLog, whether that be a Unix/Linux/Windows/Docker host.

You would need a method of shipping logs into NXLog; this is something that you could configure Azure OMS to do. Please refer to our documentation for details: https://nxlog.co/documentation/nxlog-user-guide#azure-oms_input

In addition to what Cam wrote, you might want to take a look at the im_azure input module available in the NXLog Enterprise Edition that should be able to fetch data from Azure Blob Storage.
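To make the collector-and-forwarder pattern from the thread concrete, here is an added NXLog configuration example; it is not from either answer above nor from NXLog's own documentation. It covers the file-system variant EdB mentions (IIS logs written to disk on the host where NXLog runs), parses the W3C format with xm_w3c, and ships each record as JSON over TLS to the SIEM. The log path, SIEM hostname, port and CA file are assumptions and must be replaced; if the logs stay in Azure Blob Storage, the input block is the part that would be swapped for the Enterprise Edition im_azure module mentioned in the second answer.

```conf
# Added example configuration (not from the thread or NXLog docs).
# Collect IIS W3C access logs from the file system and forward them
# as JSON over TLS to a SIEM collector.

# --- assumptions: replace with your own values -------------------------
define IIS_LOGS   C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*.log
define SIEM_HOST  siem.example.internal
define SIEM_PORT  6514
define SIEM_CA    C:\\ProgramData\\nxlog\\cert\\siem-ca.pem

# Parser for the W3C extended log format that IIS writes; field names
# are taken from the "#Fields:" header line in each log file.
<Extension w3c>
    Module  xm_w3c
</Extension>

# JSON serialisation, so the SIEM receives structured events rather
# than raw lines.
<Extension json>
    Module  xm_json
</Extension>

# Tail the IIS log files; the wildcard picks up daily rotated files.
<Input iis_access>
    Module     im_file
    File       "%IIS_LOGS%"
    InputType  w3c
    # Tag each event so the SIEM can route and scope detections by source.
    Exec       $SourceSystem = "azure-app-service"; $SourceType = "iis:access";
</Input>

# Forward over TLS; the CA file lets NXLog verify the SIEM's certificate
# so access logs are not sent to an impersonating collector.
<Output siem>
    Module  om_ssl
    Host    %SIEM_HOST%
    Port    %SIEM_PORT%
    CAFile  %SIEM_CA%
    Exec    to_json();
</Output>

<Route iis_to_siem>
    Path    iis_access => siem
</Route>
```

After copying this into nxlog.conf and restarting the service, each IIS request line arrives at the SIEM as one JSON object whose keys are the W3C field names, plus the two tag fields set in the input. The TLS output is deliberate: the SIEM is usually on a different network from the App Service host, and access logs carry client IPs, URIs and query strings that should not cross that path in the clear.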