Barracuda CloudGen Firewall

How to Configure Azure OMS Log Streaming


To stream log data and custom metrics from your firewall to Microsoft OMS in Azure, you must connect the firewall VM to your OMS workspace and configure syslog streaming on the firewall to send the syslog stream to Azure OMS. On the Azure side, the virtual machines are connected to the OMS workspace. All selected log files are then streamed to Azure OMS, where they can be stored, analyzed, or processed.


Custom VPN Metrics
  • Client-to-site VPN tunnels        
  • SSL VPN clients
  • Site-to-site VPN tunnels up
  • Site-to-site VPN tunnels down
Custom System Metrics
  • Load
  • Used memory
  • Protected IPs
Custom Firewall Metrics
  • Bytes in
  • Bytes out
  • Bytes total
  • Packets in
  • Packets out
  • Packets total
  • Connections dropped
  • IPS Hits
  • Forwarding Connections new
  • Forwarding Connections total
  • Connections new
  • Connections total
  • Connections blocked
  • Connections failed

Step 1. Create OMS Workspace

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click More Services and go to Log Analytics.
  3. In the Log Analytics blade, click Add.

  4. In the OMS Workspace blade, enter:
    • OMS Workspace – Enter a name for the OMS workspace. The OMS workspace is then reachable via YOURNAME.portal.mms.microsoft.com
    • Resource Group – Select an existing resource group, or create a new dedicated resource group for your OMS workspace. 
    • Location – Select the geographical location where the data for your workspace will be stored.
    • Pricing tier – Select the pricing tier. 
  5. Click OK.

Click Refresh in the Log Analytics blade to display the new OMS workspace.

Step 2. Connect Virtual Machines to OMS Workspace

  1. Log into the Azure portal: https://portal.azure.com.
  2. In the left menu, click More Services and go to Log Analytics.
  3. In the Log Analytics blade, click the OMS workspace created in step 1.
  4. In the Workspace data sources section, click Virtual machines.
  5. In the OMS Connection column, click Not Connected. The Virtual machine blade opens.
  6. Click Connect.

It may take a couple of minutes for the extension to be installed on the firewall.

Step 3. Enable the Syslog Streaming on the Firewall VM

Enable syslog streaming on the firewall.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. Click Lock.
  3. Set Enable Syslog Streaming to yes.
  4. Click Send Changes and Activate.

Step 4. Configure Logdata Filters

Define profiles that specify which log file types are streamed. Log files are classified into top level, box level, and service level log data sources.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logdata Filters.
  3. Click Lock.
  4. In the Filters table, click + to add a new filter. The Filters window opens.
  5. Enter a Name.
  6. Click OK.
  7. In the Data Selection table, add the Top Level Logfiles to be streamed. You can select:
    • Fatal_log
    • Firewall_Audit_Log – The firewall audit log must be enabled and configured, and Audit Delivery must be set to Syslog Proxy. For more information, see How to Enable the Firewall Audit Log Service. Alternatively, the firewall audit log can also be streamed as a part of the firewall service logs.
    • Panic_log

  8. Configure the Box Level Logfile filters:
    1. From the Data Selector list, select which files for this category are streamed:
      • All – All box level logs are streamed.
      • None – Box level logs are not streamed.
      • Selection – Only box level log files defined in the Data Selection list are streamed.
    2. (Selection only) Click + to add custom filters to the Data Selection table.
      1. In the Log Groups table, click +.
      2. Select the box level log files, or select Other to enter a user defined log group pattern to stream log files matching this pattern.
      3. (optional) From the Log Level Filter list, select the message types from the log group that are streamed.
      4. (Selection only) In the Selected Messages Types table, click + to add message types.
  9. Configure the Service Level Logfile filters:
    1. From the Data Selector list, select which files for this category are streamed:
      • All – All service logs are streamed.
      • None – Service level logs are not streamed.
      • Selection – Only service level log files defined in the Data Selection list are streamed.
    2. (Selection only) Click + to add custom filters to the Data Selection table.
      1. In the Log Groups table, click +.
      2. Select the box level log files, or select Other to enter a user defined log group pattern to stream log files matching this pattern.
      3. (optional) From the Log Level Filter list, select the message types from the log group that are streamed.
      4. (Selection only) In the Selected Messages Types table, click + to add message types.
      5. Click OK.
  10. Click Send Changes and Activate.

Step 5. Configure Microsoft OMS as the Logstream Destination

Configure the firewall to send the syslog stream to OMS.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logstream Destinations.
  3. Click Lock.
  4. In the Destinations table, click + to add a new destination. The Destinations window opens.
  5. Enter a Name.
  6. Click OK.
  7. From the Logstream Destination list, select Microsoft OMS.
  8. Click OK.
  9. Click Send Changes and Activate.

Step 6. Configure the Logdata Streams to Microsoft OMS

Combine the logdata filters and the logstream destination into a logdata stream.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logdata Streams.
  3. Click Lock. 
  4. In the Streams table, click + to add a new syslog stream. The Streams window opens.
  5. Enter a Name.
  6. Click OK.
  7. Set Active Stream to yes.
  8. In the Log Destinations table, click + and select the logstream destination configured in step 5.
  9. In the Log Filters table, click + and select the logdata filter configured in step 4.
  10. Click OK.
  11. Click Send Changes and Activate.

All logs covered by the logdata filter are now streamed to Azure OMS. It might take some time for logs to be displayed in the OMS portal.
