Add Microsoft Azure Event Hubs

Log in to ESM and add the data source to a receiver.

Before you begin

Make sure port 5671 is open.

Task

  1. Select a receiver.
  2. Click the Properties icon.
  3. From the Receiver Properties window, select Data Sources.
  4. Click Add.
    Option: Definition
    Data Source Vendor: Microsoft
    Data Source Model: Azure Event Hubs
    Data Format: Default
    Data Retrieval: API
    Enabled: Select options for processing events. Some options may not be available for your data source.
      • Parsing - if you want to parse events. Enabling parsing is recommended.
      • Logging - if you want to log events on a McAfee Enterprise Log Manager.
      • SNMP Trap - if your environment requires it (this is rare).
    Name: Name of the data source.
    IP Address: Automatically populated when you enter the Hostname and click Look up.
    Hostname: The host name is part of the Event Hubs connection string. Paste it from the Azure portal.
    Event Hub Connection String: The connection string provided on the Azure portal when you set up the Event Hubs.
    Eventhub name: Created when you set up Event Hubs. Paste it from the Azure portal.
    Consumer Group: Use $Default. If you want to collect the same data multiple times, add more groups (comma delimited).
    Partition Start/End: Use partitions to set up multiple data sources for a single Event Hubs cluster. For example, if you have 32 partitions in the cluster, you can set up one data source to collect from partitions 0–15 and another to collect from partitions 16–31. The number of partitions is set when you create the Event Hubs and can't be changed. The maximum number of partitions is 32.
    Client Key: Not used.
    Client Secret Key: Not used.
    Use proxy: Proxy, if required by the installation.
    Support Generic Syslogs: Do nothing.
    Time Zone: Time zone of the data being sent.
  5. (Optional) Click Advanced and configure the settings.
    Option: Definition
    Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
    Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
    Date Order: Select the format for the dates on data sources.
      • Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
      • Month before day — The month goes before the day (04/23/2018).
      • Day before month — The day goes before the month (23/04/2018).
    Zone: To assign this data source to a zone, select the zone from the list.
    External data source link: Automatically selected when you import events from another receiver. You can deselect the checkbox, which removes the distinction of imported data.
      For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent, so that when the logs are imported, the ESM can differentiate the forwarded events.
    Export in NitroFile format: Use this option when you are exporting raw data source data.
    Data is NitroFile format: Use this option when you are importing raw data source data.
      Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
    Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
      Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
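As an added example (not part of this product documentation), the following Python script checks the step 4 values before you paste them into the Receiver Properties form: it derives the Hostname from the connection string, confirms the EntityPath matches the Eventhub name, verifies that the partition ranges of data sources sharing one hub are disjoint and within 0..31, and flags a namespace-level root policy. The connection-string layout (Endpoint, SharedAccessKeyName, SharedAccessKey, EntityPath) is the standard Azure format; the root-policy check is general least-privilege guidance that the page itself does not state; the namespace, policy name and key are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

MAX_PARTITIONS = 32  # partition count is fixed when the hub is created; ESM allows at most 32

def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict; the SAS key value may itself contain '='."""
    fields: Dict[str, str] = {}
    for segment in conn.strip().strip(";").split(";"):
        key, sep, value = segment.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed segment: {segment!r}")
        fields[key.strip()] = value.strip()
    return fields

def hostname_from_connection_string(conn: str) -> str:
    """The ESM Hostname field is the host part of the Endpoint (sb://<host>/)."""
    endpoint = parse_connection_string(conn).get("Endpoint", "")
    match = re.fullmatch(r"sb://([^/:]+)/?", endpoint)
    if not match:
        raise ValueError("Endpoint must look like sb://<namespace>.servicebus.windows.net/")
    return match.group(1)

def validate_partition_ranges(ranges: List[Tuple[int, int]]) -> List[str]:
    """Data sources sharing one hub must cover disjoint partitions within 0..31."""
    problems: List[str] = []
    covered = set()
    for start, end in ranges:
        if not (0 <= start <= end < MAX_PARTITIONS):
            problems.append(f"range {start}-{end} is outside 0..{MAX_PARTITIONS - 1}")
            continue
        overlap = covered.intersection(range(start, end + 1))
        if overlap:
            problems.append(f"range {start}-{end} overlaps partitions {sorted(overlap)}")
        covered.update(range(start, end + 1))
    return problems

def check_data_source(conn: str, eventhub_name: str, ranges: List[Tuple[int, int]]) -> List[str]:
    """Return findings to resolve before entering the values into ESM (never echoes the key)."""
    fields = parse_connection_string(conn)
    findings = [f"missing {k}" for k in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey") if k not in fields]
    if fields.get("EntityPath") and fields["EntityPath"] != eventhub_name:
        findings.append(f"EntityPath {fields['EntityPath']!r} differs from Eventhub name {eventhub_name!r}")
    if fields.get("SharedAccessKeyName") == "RootManageSharedAccessKey":  # Azure's default namespace policy
        findings.append("namespace root policy in use; prefer a Listen-only policy scoped to this hub")
    return findings + validate_partition_ranges(ranges)

# Constructed sample: fake namespace, policy name and placeholder key, not a real secret.
SAMPLE_CONN = "Endpoint=sb://contoso-siem.servicebus.windows.net/;SharedAccessKeyName=esm-listen;SharedAccessKey=PLACEHOLDER_KEY==;EntityPath=siem-hub"
```

Run `check_data_source(SAMPLE_CONN, "siem-hub", [(0, 15), (16, 31)])` for the two-data-source split the Partition Start/End row describes; an empty list means the values are consistent.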