- Feature Request
- Resolution: Unresolved
- Minor
- Product / Portfolio Work
1. Proposed title of this feature request
Forward Azure Log Analytics into Microsoft Sentinel via the ClusterLogForwarder API from RHOCP 4
2. What is the nature and description of the request?
Currently available ways to get log data into Microsoft Sentinel:
1. CEF-formatted events via syslog - https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format
But OpenShift's log messages are not CEF-formatted.
2. Microsoft Sentinel Data Collector API - https://docs.microsoft.com/en-us/azure/sentinel/connect-rest-api-template
The data collector API is just the Azure Monitor HTTP Data Collector API - https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api
Data can be sent to it via the fluentd plugin - https://github.com/yokawasa/fluent-plugin-azure-loganalytics
For now the customer is deploying their own fluentd that uses this plugin to send the log messages to Azure Log Analytics,
and configures the ClusterLogForwarder to send messages to it via the fluentd forward protocol.
Need help to check and, if it is possible, implement a module in the openshift-logging fluentd image that adds support for forwarding to Azure Log Analytics via the ClusterLogForwarder API.
[As is already done for e.g. CloudWatch]
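As an added example (not from the ticket or the customer's actual configuration), this is the interim setup described above: a ClusterLogForwarder that ships cluster logs to an externally managed fluentd relay over TLS, where fluent-plugin-azure-loganalytics pushes them on to the workspace. The relay hostname, port, secret name and cluster label are assumed values.

```yaml
# Added example: ClusterLogForwarder (logging.openshift.io/v1) forwarding to an
# external fluentd relay. Hostname, port, secret name and label are assumptions.
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
    - name: fluentd-azure-relay
      type: fluentdForward
      # tls:// makes the forward connection encrypted; a plain tcp:// URL would
      # send application and audit records in cleartext across the network.
      url: 'tls://fluentd-azure-relay.example.com:24224'
      secret:
        # Secret in the openshift-logging namespace holding tls.crt, tls.key
        # and ca-bundle.crt for the collector-to-relay connection.
        name: fluentd-azure-relay-tls
  pipelines:
    - name: all-logs-to-sentinel
      inputRefs:
        - application
        - infrastructure
        - audit
      outputRefs:
        - fluentd-azure-relay
      # Labels are added to every record so the relay and Sentinel side can
      # tell which cluster an event came from (assumed label value).
      labels:
        cluster: ocp4-prod
```

With this split, the Log Analytics workspace ID and shared key are configured only in the relay's azure-loganalytics output and never need to exist inside the cluster.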
3. Why does the customer need this? (List the business requirements here)
Customers are configuring all hosting platforms to send log messages to Microsoft Sentinel for monitoring, threat detection, etc.
They are using OpenShift to deploy national health screening systems, and getting log event data into Microsoft Sentinel is important for their cybersecurity department.
- is cloned by RFE-8147 Allow OCP to forward logs to Azure Log Analytics via a private endpoint (DCE/DCR) using the ClusterLogForwarder API
- Backlog