Add Microsoft Azure Event Hubs

Log in to ESM and add the data source to a receiver.

Before you begin

Make sure port 5671 is open bidirectionally between the Receiver and the Azure Event Hub connector.

Determine the number of partitions you need.

In Policy Editor, enable all parsing rules for the Azure Event Hub data source.

Task

  1. Select a receiver.
  2. Click the Properties icon.
  3. From the Receiver Properties window, select Data Sources.
  4. Click Add.
    Option: Definition
    Data Source Vendor: Microsoft
    Data Source Model: Azure Event Hubs
    Data Format: Default
    Data Retrieval: API
    Enabled: Select options for processing events. Some options may not be available for your data source.
      • Parsing - if you want to parse events. Enabling parsing is recommended.
      • Logging - if you want to log events on a McAfee Enterprise Log Manager.
      • SNMP Trap - if your environment requires it (this is rare).
    Name: Name of the data source.
    IP Address: Automatically populated when you enter the Hostname and click Look up.
      Important: Clear the IP Address field before using the Look up feature.
    Hostname: The host name is part of the Event Hub connection string. Copy it from the Azure portal. For example, if the connection string is Endpoint=sb://test.windows.net/;SharedAccessKeyName=test;SharedAccessKey=1111/111=;EntityPath=test, the host name is test.windows.net.
    Event Hub Connection String: The connection string provided on the Azure portal when you set up the Event Hub.
    Eventhub name: Created when you set up the Event Hub. Paste it from the Azure portal.
      Note: This is not the Event Hub Namespace name. Find the Event Hub name on the Azure Portal by clicking Event Hubs under the Entities heading.
    Consumer Group: Use $Default. If you want to collect the same data multiple times, add more groups (comma delimited).
    Partition Start/End: The number of partitions is set when you create an Event Hub and can't be changed. By default an Event Hub defines 4 partitions. The maximum number of partitions is 32, and partitions are numbered starting at 0.
      If the Event Hub has 4 partitions defined, the correct data source configuration is Partition Start: 0 and Partition End: 3.
      You can use partitions to set up multiple data sources for a single Event Hub cluster. For example, if you have 32 partitions in the cluster, you can set up one data source to collect from partitions 0–15 and another to collect from partitions 16–31.
    Client Key: Not used.
    Client Secret Key: Not used.
    Use proxy: Proxy, if required by your installation.
    Support Generic Syslogs: Do nothing.
    Time Zone: Time zone of the data being sent.
  5. (Optional) Click Advanced and configure the settings.
    Option: Definition
    Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
    Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
    Date Order: Select the format for the dates on data sources:
      • Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
      • Month before day — The month goes before the day (04/23/2018).
      • Day before month — The day goes before the month (23/04/2018).
    Zone: To assign this data source to a zone, select the zone from the list.
    External data source link: Automatically selected when you import events from another Receiver. You can clear the checkbox, which removes the distinction of imported data.
      For example, you export logs from Receiver 1 into Receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
    Export in NitroFile format: Use this option when you are exporting raw data source data.
    Data is NitroFile format: Use this option when you are exporting raw data source data.
      Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
    Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
      Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
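Two of the values in step 4 are easy to get wrong: the Hostname must be the host part of the Endpoint in the connection string, and Partition Start/End are zero-based. The following Python is an added illustration, not part of the McAfee documentation or the ESM product: it derives both values from a constructed connection string in the same shape as the example above, splits a partition count across several data sources, and redacts the SharedAccessKey so the string can be pasted into a ticket without leaking the credential. The function names are the author's own.

```python
from urllib.parse import urlparse

# Constructed sample in the shape of the page's example (placeholder values, not a real key).
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://test.windows.net/;SharedAccessKeyName=test;"
    "SharedAccessKey=1111/111=;EntityPath=test"
)
MAX_PARTITIONS = 32  # Event Hub limit stated on the page; partitions are numbered from 0


def parse_connection_string(conn: str) -> dict:
    """Split the ';'-separated Key=Value parts. A SharedAccessKey can itself
    contain '=', so each part is split on the first '=' only."""
    fields = {}
    for part in filter(None, conn.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed part: {part!r}")
        fields[key.strip()] = value.strip()
    missing = {"Endpoint", "SharedAccessKeyName", "SharedAccessKey"} - set(fields)
    if missing:
        raise ValueError(f"connection string lacks {sorted(missing)}")
    return fields


def host_name(conn: str) -> str:
    """Value for the Hostname field: the host part of the Endpoint URL."""
    host = urlparse(parse_connection_string(conn)["Endpoint"]).hostname
    if not host:
        raise ValueError("Endpoint has no host")
    return host


def redacted(conn: str) -> str:
    """Copy of the connection string that is safe to paste into a ticket or log."""
    fields = parse_connection_string(conn)
    fields["SharedAccessKey"] = "<redacted>"
    return ";".join(f"{k}={v}" for k, v in fields.items())


def partition_ranges(partition_count: int, data_sources: int) -> list:
    """Zero-based (Partition Start, Partition End) pairs, one per ESM data source,
    e.g. 4 partitions -> [(0, 3)]; 32 partitions over 2 sources -> [(0, 15), (16, 31)]."""
    if not (1 <= partition_count <= MAX_PARTITIONS and 1 <= data_sources <= partition_count):
        raise ValueError("partition count must be 1..32 and at least one partition per data source")
    size, extra = divmod(partition_count, data_sources)  # spread any remainder over the first sources
    ranges, start = [], 0
    for i in range(data_sources):
        end = start + size + (1 if i < extra else 0) - 1
        ranges.append((start, end))
        start = end + 1
    return ranges
```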