Azure Event Hubs

We are migrating servers mostly into Azure eastern zone but we are starting to put more in the Azure central zone.
We only have one event hub sending logs to our East hub.
We do have a collector in each zone.
Can and should you set up an event hub for each zone?
Is there any reason not to? Are there any "gotchas" to doing this, or any tips that you might want to share?
Thanks in advance!

Hi Tracey,

That approach sounds solid. By separating out the zones into unique event sources, you will more easily be able to differentiate between the log sources in log search, as each event source would have a unique log.

One thing worth mentioning is that while you have Azure Event Hubs configured, it's also recommended to have the Insight Agent installed on these machines for process start collection as well as Windows event logs.


We only have one event hub sending logs to our East hub
I meant we have only one event hub sending to our collectors.

That method works too, ensuring that you configure the sources (sign-in logs, application logs, etc.) to all point to the same event hub topic; we will ingest whatever arrives at the topic.



I have a question: for the event hub, what tier did you guys use? Basic, Standard or Premium? Also, did you have to configure a storage account inside the event hub?

Hi @japonte, the event source uses the Kafka protocol to ingest data from an event hub. This is not supported on the Basic tier, so we recommend Standard as a minimum tier for support.

Thanks for the quick response. In the storage account part, can I get away with using the minimum retention? Does Rapid7 ingest in real time for the Azure logs, or does it do it on a time basis?

It should be near-realtime, @japonte. I would say that one day of retention is sufficient.