OpenShift Request For Enhancement: RFE-2753

Forward Azure Log Analytics into Microsoft Sentinel via the ClusterLogForwarder API from RHOCP 4.x


    • Issue type: Feature Request
    • Resolution: Unresolved
    • Priority: Minor
    • Logging
    • Product / Portfolio Work

      1. Proposed title of this feature request
      Forward Azure Log Analytics into Microsoft Sentinel via the ClusterLogForwarder API from RHOCP 4

      2. What is the nature and description of the request?
      Currently available ways to get log data into Microsoft Sentinel:
      1. CEF-formatted events via syslog - https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format
      But OpenShift's log messages are not CEF-formatted.
      2. Microsoft Sentinel Data Collector API - https://docs.microsoft.com/en-us/azure/sentinel/connect-rest-api-template
      The data collector API is just the Azure Monitor HTTP Data Collector API - https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api
      Data can be sent to it with the fluentd plugin https://github.com/yokawasa/fluent-plugin-azure-loganalytics

      For now the customer is deploying their own fluentd instance that uses this plugin to send the log messages to Azure Log Analytics, and configuring the ClusterLogForwarder to send messages to that fluentd instance via the fluentd forward protocol.

      Need help to check and implement (if it is possible) including a module in the openshift-logging fluentd image to add support for forwarding to Azure Log Analytics via the ClusterLogForwarder API [as is already done for e.g. CloudWatch].
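As an added example of the workaround described above (not from this RFE or from the OpenShift logging project): a ClusterLogForwarder that sends application and infrastructure logs over the fluentd forward protocol to an external fluentd relay, plus the relay's fluent.conf that hands the records to the azure-loganalytics plugin. The relay hostname, secret name, certificate paths, environment variable names and log_type are assumed placeholders.

```yaml
# Added example; hostnames, secret names and paths are placeholders.
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
    - name: azure-relay
      type: fluentdForward
      # Mutual TLS to the external fluentd; the secret holds
      # tls.crt, tls.key and ca-bundle.crt for the relay's CA.
      url: tls://fluentd-relay.example.com:24224
      secret:
        name: azure-relay-tls
  pipelines:
    - name: to-azure-relay
      inputRefs:
        - application
        - infrastructure
      outputRefs:
        - azure-relay
---
# fluent.conf for the external relay (fluentd with
# fluent-plugin-azure-loganalytics installed), held in a ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-relay-conf
data:
  fluent.conf: |
    <source>
      @type forward
      port 24224
      <transport tls>
        cert_path /etc/fluentd/tls/tls.crt
        private_key_path /etc/fluentd/tls/tls.key
        ca_path /etc/fluentd/tls/ca-bundle.crt
        # only forwarders presenting a CA-signed client cert may connect
        client_cert_auth true
      </transport>
    </source>
    <match **>
      @type azure-loganalytics
      # workspace ID and shared key come from the environment, not the file
      customer_id "#{ENV['AZURE_WORKSPACE_ID']}"
      shared_key "#{ENV['AZURE_SHARED_KEY']}"
      log_type OpenShiftLogs
    </match>
```

The shared key authorises writes to the whole workspace, so it belongs in a secret mounted into the relay's environment rather than in the ConfigMap.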

      3. Why does the customer need this? (List the business requirements here)
      Customers are configuring all hosting platforms to send log messages to Microsoft Sentinel for monitoring, threat detection, etc.
      They are using OpenShift to deploy national health screening systems, and getting log event data into Microsoft Sentinel is important for their cybersecurity department.

              jamparke@redhat.com Jamie Parker
              rhn-support-sdharma Suruchi Dharma