Azure Event Hubs

We are migrating servers mostly into the Azure eastern zone, but we are starting to put more in the Azure central zone.
We only have one event hub sending logs to our East hub.
We do have a collector in each zone.
Can and should you set up an event hub for each zone?
Is there any reason not to? Are there any "gotchas" to doing this, or any tips that you might want to share?
Thanks in advance!

Hi Tracey,

That approach sounds solid. By separating out the zones into unique event sources, you will more easily be able to differentiate between the log sources in log search, as each event source would have a unique log.

One thing worth mentioning is that while you have Azure Event Hubs configured, it's also recommended to have the Insight Agent installed on these machines for process start collection as well as Windows event logs.

David


We only have one event hub sending logs to our East hub
I meant we have only one event hub sending to our collectors.

That method works too. As long as you configure the sources (sign-in logs, application logs etc.) to all point to the same event hub topic, we will ingest whatever arrives at the topic.

David

Hi,

I have a question: for the event hub, what tier did you use? Basic, Standard or Premium? Also, did you have to configure a storage account inside the event hub?

Hi @japonte, the event source uses the Kafka protocol to ingest data from an event hub. This is not supported on the Basic tier, so we recommend Standard as the minimum tier for support.

Thanks for the quick response. On the storage account part, can I get away with using the minimum retention? Does Rapid7 ingest the Azure logs in real time, or does it do it on a time basis?

It should be near real-time, @japonte. I would say that one day of retention is sufficient.

Hi @david_smith,

I have a question related to the Azure event source. Since we have created an event hub for each subscription, do we need to create an Azure event source for each event hub? Or do we have an option in Azure to send all subscription activity logs to one event hub?
We are already sending all Azure audit logs via one event hub to the collector. Do we need to create an event source for each event hub?

@kabbi2, you need a unique event source for each topic you wish to follow. If you have multiple streams of data, I think it would make sense to separate them out into unique event sources.

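As an added example that is not part of this thread or of Rapid7's product, here is a Terraform sketch (azurerm provider 3.x) of the setup the answers above describe: a Standard-tier namespace (the Basic tier has no Kafka endpoint for the event source to read), one hub with one-day retention, and the activity logs of two subscriptions routed into that single hub so that one event source follows it. All names and subscription IDs are placeholders, and it assumes the deploying identity can write diagnostic settings on both subscriptions.

```hcl
# Added example, not from the thread: Standard-tier namespace, one hub, two subscriptions' activity logs.

resource "azurerm_eventhub_namespace" "ingest" {
  name                = "ehns-siem-ingest"   # placeholder, must be globally unique
  location            = "eastus"
  resource_group_name = "rg-siem-ingest"     # placeholder, existing resource group
  sku                 = "Standard"           # Basic has no Kafka endpoint, so the collector could not read it
  capacity            = 1
}

resource "azurerm_eventhub" "activity" {
  name                = "activity-logs"
  namespace_name      = azurerm_eventhub_namespace.ingest.name
  resource_group_name = "rg-siem-ingest"
  partition_count     = 2
  message_retention   = 1                    # one day, as suggested above
}

# Send-only rule for the diagnostic settings; the collector gets a separate listen-only rule.
resource "azurerm_eventhub_authorization_rule" "send" {
  name                = "diag-send"
  namespace_name      = azurerm_eventhub_namespace.ingest.name
  eventhub_name       = azurerm_eventhub.activity.name
  resource_group_name = "rg-siem-ingest"
  send                = true
  listen              = false
  manage              = false
}

# Hypothetical subscription IDs: one diagnostic setting per subscription, all pointing at the same hub.
locals {
  subscriptions = {
    prod = "00000000-0000-0000-0000-000000000001"
    dev  = "00000000-0000-0000-0000-000000000002"
  }
}

resource "azurerm_monitor_diagnostic_setting" "activity" {
  for_each                       = local.subscriptions
  name                           = "activity-to-eventhub"
  target_resource_id             = "/subscriptions/${each.value}"
  eventhub_name                  = azurerm_eventhub.activity.name
  eventhub_authorization_rule_id = azurerm_eventhub_authorization_rule.send.id
  enabled_log { category = "Administrative" }
  enabled_log { category = "Security" }
  enabled_log { category = "Policy" }
}
```

The collector's event source is then pointed at the `activity-logs` hub with its own listen-only authorization rule, keeping the credential that Azure uses to write separate from the one the collector uses to read.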

Thanks for the quick response, @david_smith