In a previous blog, Getting Started with Elastic Cloud on Microsoft Azure<\/a>, we showed you how easy it is to get up and running with Elastic Cloud on Azure, taking full advantage of integrated billing. Check it out if you have not already spun up your deployment in anticipation of this blog. Signing up for the Elastic Cloud (Elasticsearch managed service)<\/a> through the Azure Marketplace takes a short time and offers great flexibility, so try it out today.<\/p>\n\n\n\n The intent here is to show you how easy it is to get Azure activity logs into Elasticsearch with Filebeat and visualize the aggregated data with Kibana<\/a>. Kibana provides powerful out-of-the-box visualizations and dashboards to search and analyze your data, reducing the amount of time and effort to get started.<\/p>\n\n\n\n With the Elasticsearch managed service on Azure you can:<\/p>\n\n\n\n Analyze them all under one Elastic Observability<\/a> solution!<\/p>\n\n\n\n <\/p>\n\n\n\n Kibana, the visualization and administrative interface for the Elastic Stack, you’ll find instructions for the installation of Filebeat<\/a>, which we’ll use to ingest the Azure activity, sign-in, and\/or audit logs mentioned earlier.<\/p>\n\n\n\n Starting with deployment version 7.10*, from the Kibana Home page click Install Filebeat<\/strong>.<\/p>\n\n\n\n *If you have not yet upgraded your deployment to 7.10, take the time to visit our Upgrade versions<\/a> documentation. The upgrades are designed to be automated while helping mitigate unplanned downtime.<\/p>\n\n\n\n To begin with, click the navigation menu and then Home<\/strong>.<\/p>\n\n\n\n <\/p>\n\n\n\n Click Add data<\/strong>.<\/p>\n\n\n\n <\/p>\n\n\n\n This has taken us to the Add data<\/strong> menu, where we will choose Azure logs<\/strong>.<\/p>\n\n\n\n <\/p>\n\n\n\n Follow the steps to install Filebeat on your system. You can click the View exported fields<\/a> and Learn more<\/a> links to reference additional Filebeat information.<\/p>\n\n\n\n You can leave this page open for when you’ve completed the following configurations, as we will come back to it.<\/p>\n\n\n\n Once Filebeat for your particular system has been downloaded and installed, you will need to modify the On a Linux system, this is typically found under The great thing about running through this process from Kibana, is that it will show you how to add the necessary entries to that file in order to communicate with your Elastic Cloud deployment – two variables For those who have Elastic Stack running self-managed in their own Azure account, please refer to the Connect to Elastic Stack<\/a> Filebeat Quick start guide.<\/p>\n\n\n\n Tip<\/strong>: Not sure where to get these values? Refer to our documentation<\/a> for more details.<\/p>\n\n\n\n This solution requires the use of Azure Event Hub<\/strong> for the activity, sign-in, and\/or audit logs, as well as access to a storage blob<\/strong>. If you do not have such an event hub set up, please refer to the Create an Azure event hub quick start<\/a> documentation for details. You will then need to refer to the instructions on sending activity logs<\/a> to the event hub.<\/p>\n\n\n\n When creating an event hub, you can add it to an existing namespace if you already have one, or you can create an entirely new one, as we will demonstrate here.<\/p>\n\n\n\n From your Azure portal Event Hubs<\/a>, click Add<\/strong>.<\/p>\n\n\n\n You must select a resource group, and then name it: for example, elastic-eventhub<\/strong>.<\/p>\n\n\n\n Choose the location and pricing tier and then proceed, adding optional tags if desired, then click Create<\/strong>.<\/p>\n\n\n\n Click Shared access policies<\/strong>.<\/p>\n\n\n\n <\/p>\n\n\n\n Click the default policy that appears, named RootManageSharedAccessKey<\/strong> and then click to copy the connection string. Paste that somewhere safe, as it will be used to configure the Filebeat Azure module configuration file, <\/p>\n\n\n\n Navigate to Activity Logs<\/strong> and then click Diagnostics settings<\/strong>.<\/p>\n\n\n\n <\/p>\n\n\n\n Click Add diagnostic setting<\/strong> and name it elastic-diag<\/strong>.<\/p>\n\n\n\n Select the logs of your choice, and then be sure to also select Stream to an event hub<\/strong>.<\/p>\n\n\n\n Choose the elastic-eventhub<\/strong> namespace, select the (Create in selected namespace)<\/strong> option for the event hub name, then select the RootManageShareAccessKey<\/strong> policy.<\/p>\n\n\n\n An event hub named insights-activity-logs<\/strong> will be created for you, appearing under the elastic-eventhub<\/strong> namespace, for which we will use in the <\/p>\n\n\n\n Click Save,<\/strong> then optionally navigate back to elastic-eventhub<\/strong> and to see the event metrics coming in.<\/p>\n\n\n\n <\/p>\n\n\n\n Simply run one command which enables the Azure module. This is depicted from the page within Kibana, where we started, as step three.<\/p>\n\n\n\n This will ensure that the The command to enabled the module on Linux is:<\/p>\n\n\n\n To list all modules, displaying the enabled ones at the top, run:<\/p>\n\n\n\n To disable the module, simply run:<\/p>\n\n\n\n You have to configure the Only the activitylogs <\/strong>is enabled by default within the Azure module, expressed by In order to configure the auditlogs<\/strong> and signinlogs<\/strong>, you must be a global administrator or security administrator of your Azure account. You can refer to the instruction on how to export audit and sign-in logs<\/a> to the event hub for more details. You can then enable them by changing the Important<\/strong>: If you do not have sufficient permissions to configure the audit and sign-in logs, then those modules in the Time to add the information to Pro Tip<\/strong>: The storage account name and key needed can be found from the Storage account<\/strong> you want to utilize. Click Access keys<\/strong>. You can also refer to the Microsoft Azure Manage storage account access keys<\/a> for help.<\/p>\n\n\n\n Your configuration file, assuming you are only configuring the activity logs, would be similar to the following.<\/p>\n\n\n\n <\/p>\n\n\n\n For more information on this configuration, please refer to the module configuration<\/a> documentation. The storage account\/key <\/strong>is necessary in order to maintain the sequence of logs should the Filebeat service stop.<\/p>\n\n\n\n Pro tip<\/strong>: The eventhub is the instance name<\/strong>, rather than the Event Hub Namespace. Event Hub namespaces are the grouping container for multiple event hubs, and you are billed at the namespace level. Refer to the Event Hubs FAQ<\/a> on Microsoft\u2019s docs site for more details on this.<\/p>\n\n\n\n Now that Filebeat, an Back on the Kibana page where we started downloading and configuring Filebeat, step four outlines the following commands which are needed at this point.<\/p>\n\n\n\n Because we used RPM to install Filebeat as a service, it must also be used to run it as a service. Depending on the type of system you are using, it could be slightly different. Please refer to the Filebeat and systemd<\/a> for more details on running Filebeat as a service for DEB and RPM packages, or refer to the Filebeat quick start<\/a> if running on a different platform.<\/p>\n\n\n\n First we need to run the Run the setup:<\/p>\n\n\n\n You can also run the setup command with a -e for which will send logging data to the display, rather than to the syslog, useful to see what steps are being taken.<\/p>\n\n\n\n Then, start the service:<\/p>\n\n\n\n To check the status:<\/p>\n\n\n\n To stop Filebeat:<\/p>\n\n\n\n To check and validate, with a running dialog, the service is running healthy:<\/p>\n\n\n\n Now that we have the activity logs being collected by the event hub, and, in turn, being sent to Elasticsearch by Filebeat, we can visualize them in Kibana.<\/p>\n\n\n\n <\/p>\n\n\n\n Assuming you still have the page open where we initiated the Filebeat configuration, you should be able to Check data<\/strong> and then finally click Azure logs dashboard<\/strong>, which will take you right to the dashboard<\/p>\n\n\n\n We hope you found this to be a helpful resource for getting started with Filebeat, ingesting Azure activity logs with the use of an event hub.<\/p>\n\n\n\n The next step is to collect your Azure compute, container, database storage, billing, and application insight metrics using the Metricbeat Azure module<\/a>.<\/p>\n\n\n\n Have questions or want to contribute to a beneficial discussion? Be sure to check out the Elastic Observability discussion group<\/a>. There are also a number of getting started videos and training resources you can take advantage of by visiting elastic.co\/learn<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Overview The ability to access the internal state of your application ecosystem is critical to optimizing your applications and the experience of your users.<\/p>\n","protected":false},"author":5562,"featured_media":95465,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"msxcm_post_with_no_image":false,"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"post_tag":[2271,1715],"content-type":[340],"topic":[2241],"programming-languages":[],"coauthors":[1718],"class_list":["post-84314","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-community-partners","tag-elastic","content-type-tutorials-and-demos","topic-cloud","review-flag-1593580428-734","review-flag-7-1593580463-151","review-flag-and-o-1593580423-446","review-flag-disab-1706240524-342","review-flag-disab-1706240532-905","review-flag-machi-1680214156-53","review-flag-micro-1680215167-604","review-flag-new-1593580248-669"],"yoast_head":"\n\n
![\"Elastic](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/1_Architecture-5ff39bd741bc3.png\")
<\/figure>\n\n\n\nIngesting logs<\/h2>\n\n\n\n
Download and install Filebeat<\/h2>\n\n\n\n
![\"Snapshot](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/2_Home-5ff39be04df8b.png\")
<\/figure>\n\n\n\n![\"Snapshot](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/3_Add-data-5ff39be826922.png\")
<\/figure>\n\n\n\n![\"graphical](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/4_Azure-logs-5ff39bf1a8f9a.png\")
<\/figure>\n\n\n\nConfigure Filebeat<\/h2>\n\n\n\n
filebeat.yml<\/code> file.<\/p>\n\n\n\n\/etc\/filebeat<\/code>.<\/p>\n\n\n\ncloud.id<\/code> and cloud.auth<\/code> that you must modify.<\/p>\n\n\n\nCreate an Event Hub<\/h2>\n\n\n\n
![\"Shared](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/5_shared-access-policy.png\")
<\/figure>\n\n\n\nazure.yml<\/code>.<\/p>\n\n\n\n![\"SAS](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/6_SAS-policy.png\")
<\/figure>\n\n\n\n![\"Activity](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/7_Activity-log.png\")
<\/figure>\n\n\n\nazure.yml<\/code> configuration file.<\/p>\n\n\n\n![\"Destination](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/8_Destination-details.png\")
<\/figure>\n\n\n\n![\"Eventhub](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/9_eventhub-metrics.png\")
<\/figure>\n\n\n\nEnable and configure the Azure module<\/h2>\n\n\n\n
azure.yml<\/code> configuration file becomes active, in order to communicate with your Azure subscription.<\/p>\n\n\n\nsudo filebeat modules enable<\/strong> azure<\/code><\/p>\n\n\n\nsudo filebeat modules list<\/strong><\/code><\/p>\n\n\n\nsudo filebeat modules disable<\/strong> azure<\/code><\/p>\n\n\n\nazure.yml<\/code> file after enabling it. On Linux this is typically found under the \/etc\/filebeat\/modules.d<\/code> directory. If a module is not enabled, there will be a .disabled<\/code> extension in that directory as well.<\/p>\n\n\n\nenabled: true<\/code>.<\/p>\n\n\n\nenabled: false<\/code> to true<\/code>.<\/p>\n\n\n\nazure.yml<\/code> file must remain disabled.<\/p>\n\n\n\nazure.yml configuration file. All you need to add is the eventhub<\/code> and connection_string<\/code> entry details saved earlier, and then the storage account details.<\/code><\/code><\/p>\n\n\n\n![\"configuration](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/configuration-file.png\")
<\/figure>\n\n\n\nSetting up and starting Filebeat<\/h2>\n\n\n\n
event hub, and storage account have been configured it is time to kick things off by running setup and starting Filebeat.<\/code><\/code><\/p>\n\n\n\nsetup<\/code> step, which will load such things as predefined assets, indexes, and visualizations which are used by the predefined Azure Cloud dashboards. The setup<\/code> command takes advantage of all the out-of-the-box integrations Elastic has with Azure, alleviating the need to develop your own, however, everything is fully customizable and there are many community developed integrations.<\/p>\n\n\n\nsudo filebeat setup<\/code><\/p>\n\n\n\nsudo filebeat setup -e<\/code><\/p>\n\n\n\nsudo service filebeat start<\/code><\/p>\n\n\n\nsudo service filebeat status<\/code><\/p>\n\n\n\nsudo service filebeat stop<\/code><\/p>\n\n\n\nsudo journalctl -u filebeat -f<\/code><\/p>\n\n\n\nVisualizing in Kibana<\/h2>\n\n\n\n
![\"module](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2021\/01\/10_Module-status.png\")
<\/figure>\n\n\n\nConclusion<\/h2>\n\n\n\n