Ingest IIS logfiles into Log Analytics Workspace for use by Sentinel

Markus Radszuweit 65 Reputation points
2023-01-16T15:36:38.3533333+00:00

We have some apps running on Azure with App Service Logs turned on. These logs are streamed to a storage account as IIS logfiles in W3C format. Now we would like to analyze these logs with Azure Sentinel.

I'm new to Azure Sentinel but if I understood it correctly it sits on top of Azure Analytics Workspace. The connectors just call APIs of external or Azure services to acquire data and save it in the workspace in tables (+ some workbooks). I didn't find any connector for data ingestion from Azure Storage account.

If there is no connector for that, does data ingestion have to be configured in the underlying analytics workspace? Unfortunately I didn't find anything there either. Under "Agent management" and "Custom Logs" there seems to be only the possibility to ingest logs from virtual machines or servers, not from storage accounts.

Does anybody have an idea or further explanation?

Tags: Azure Monitor, Azure Storage Accounts, Microsoft Sentinel, Azure App Service

Accepted answer
  1. Stanislav Zhelyazkov 20,076 Reputation points MVP
    2023-01-17T14:34:00.5566667+00:00

    Hi,

    There is no out-of-the-box option for ingesting logs located in a storage account, as the logs stored there could be in any format and structure. In your case I would recommend enabling diagnostic settings on the app service. The log type that you need to enable in your case, I think, is AppServiceHTTPLogs. With diagnostic settings you will be able to send that log to Log Analytics. Here is an example of that log used for troubleshooting. Sentinel uses the Log Analytics workspace as the platform for saving and storing logs. Any log available in Log Analytics is available for Sentinel as well.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
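Once the diagnostic setting described in the accepted answer is in place, the HTTP logs land in the `AppServiceHTTPLogs` table and can be queried from Sentinel like any other table. The following hunting query is an added example, not part of the original answer or of Microsoft's content: it flags client IPs that hit many distinct paths and receive 4xx responses inside a short window, which is what scanner traffic against a web app typically looks like. The column names (`CIp`, `ScStatus`, `CsUriStem`, `CsHost`, `UserAgent`) follow the documented `AppServiceHTTPLogs` schema; the window size and the distinct-path threshold are assumptions to tune per app.

```kql
// Added example (not from the original post). Hunts AppServiceHTTPLogs, fed into the
// workspace by App Service diagnostic settings, for clients that probe many distinct
// URIs and mostly get 4xx back: a common footprint of directory brute-forcing/scanners.
// Window and threshold values are assumptions; adjust to the app's normal traffic.
let window = 10m;
let minDistinctPaths = 30;   // assumed threshold: paths per client per window
AppServiceHTTPLogs
| where TimeGenerated > ago(1d)
| where ScStatus between (400 .. 499)       // client errors only (404/403/401...)
| summarize
    Requests      = count(),
    DistinctPaths = dcount(CsUriStem),
    SamplePaths   = make_set(CsUriStem, 10),
    Hosts         = make_set(CsHost, 5),
    UserAgents    = make_set(UserAgent, 5),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
  by CIp, Window = bin(TimeGenerated, window)
| where DistinctPaths >= minDistinctPaths
| extend PathsPerMinute = round(todouble(DistinctPaths) / (toint(window / 1m)), 2)
| project Window, CIp, Hosts, Requests, DistinctPaths, PathsPerMinute,
          SamplePaths, UserAgents, FirstSeen, LastSeen
| order by DistinctPaths desc
```

The diagnostic setting itself can be created from the portal or with the Azure CLI, for example `az monitor diagnostic-settings create --name to-sentinel --resource <app-service-resource-id> --workspace <workspace-resource-id> --logs '[{"category":"AppServiceHTTPLogs","enabled":true}]'` (this command is added here as a hint, not quoted from the answer). When turning the query into an analytics rule, map `CIp` to the IP entity so the alert carries the source address.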


0 additional answers
