Azure Solution for Streaming Logs - SIEM

Nouman Khan 21 Reputation points


I am planning to use Azure sentinel for my on-premises and cloud workloads/devices.
Like any other SIEM solution, Sentinel requires you to have a log collector where all the devices(Syslog,CEF) can send the logs and than they are transported to Sentinel for analysis.
Now, i have a large no of devies - in thousand. The main issue is that each time I change my SIEM/syslog solution, I need to point the devices to the next log collector - a different IP - it is a hectic job. Secondly, log collectors are proprietary and require engineering to maintain high-availability and reliability.

Can i have a middleware where we can send the logs and later send to any SIEM, etc for analysis? In this way we donot have to edit the devices config each time the SIEM solution is changed?

Can Azure data factory do this job? Stream the logs to Data Factory and than send the Sentinel/SIEM?
Are there any downsides to this approach?

thanks foe the support.

Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
10,127 questions
Azure Data Lake Analytics
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,057 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,543 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Gary Bushey 176 Reputation points

    You can also take a look at using an Event Hub but you would need to write a Logic App or Azure Function (probably better) to ingest the data into MS Sentinel.

    BTW, why do you have to change your syslog solution? Can't you create a high-availability solution behind a single IP address?