Integration Settings
The Log Forwarder option lets you forward Microsoft 365 audit logs to an external SIEM product or to a syslog server.
Forwarding Logs to Syslog Server:
Syslog is the standard event logging service on Unix systems. You can also use this setting to forward logs to your SIEM's UDP or TCP syslog receiver.
Configuring a Syslog Server:
- The syslog daemon listens by default on UDP port 514.
- The default settings can be changed in the syslog server's configuration file, /etc/syslog.conf.
- Remember to restart the syslog daemon for the changes to take effect.
Steps to enable syslog logging in Microsoft 365 Manager Plus:
- Go to the Settings tab.
- Select Admin → Administration → Log Forwarder in the left pane.
- Select the Enable Log Forwarding checkbox.
- Select the Syslog tab.
- Enter the Syslog Server Name or IP. Ensure that this server is reachable from the server on which M365 Manager Plus is installed.
- Select the Protocol to be used.
- Enter the Port number.
- Select the Syslog Type required by your SIEM parser from the drop-down.
- If the Syslog Type you have chosen is RFC 3164, RFC 5424 or CEF, you can configure the following Advanced settings:
- Choose the Severity and Facility.
- Modify the data format into which the log will be converted.
- Click the Save button.
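A receiver-side check for the Syslog Type, Severity and Facility settings above, added here as an example and not code from M365 Manager Plus or this page: it classifies a received line as RFC 3164, RFC 5424 or CEF (including CEF carried inside a syslog header), decodes the PRI value into facility and severity, and splits the CEF extension into fields. The host name, product string, vendor "ExampleVendor" and the sample lines are constructed for the example.

```python
import re
# Header shapes for the three Syslog Types the forwarder offers (samples below are constructed).
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")
# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension ("\|" not handled)
CEF = re.compile(
    r"CEF:(?P<ver>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<dver>[^|]*)\|"
    r"(?P<sig>[^|]*)\|(?P<name>[^|]*)\|(?P<sev>[^|]*)\|(?P<ext>.*)$")

def decode_pri(pri: int) -> tuple:
    # <PRI> = facility * 8 + severity, as RFC 3164 and RFC 5424 define it
    return pri // 8, pri % 8

def parse_cef_extension(ext: str) -> dict:
    # "k=v k2=v with spaces": a new key starts only at " name="; CEF escapes "\=" "\\" decoded
    out = {}
    for pair in re.split(r" (?=\w+=)", ext.strip()):
        key, _, val = pair.partition("=")
        out[key] = val.replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_forwarded_event(line: str) -> dict:
    # Classify one received line by syslog type and return its parsed fields.
    for fmt, rx in (("RFC 5424", RFC5424), ("RFC 3164", RFC3164)):
        m = rx.match(line)
        if m:
            facility, severity = decode_pri(int(m.group("pri")))
            out = {"type": fmt, "facility": facility, "severity": severity,
                   "host": m.group("host"), "msg": m.group("msg")}
            break
    else:  # no syslog header: bare CEF, or something the receiver cannot parse
        out = {"type": None, "msg": line}
    c = CEF.search(out["msg"])
    if c:
        out["type"] = f"CEF over {out['type']}" if out["type"] else "CEF"
        out["cef"] = {"vendor": c.group("vendor"), "product": c.group("product"),
                      "name": c.group("name"), "cef_severity": c.group("sev"),
                      "ext": parse_cef_extension(c.group("ext"))}
    return out

# Constructed sample lines, one per Syslog Type (not real forwarder output).
SAMPLES = [
    "<14>Mar  1 10:15:22 m365host M365ManagerPlus: user admin@contoso.test signed in",
    "<110>1 2024-03-01T10:15:22Z m365host M365ManagerPlus - AuditLog - mailbox export requested",
    "<14>Mar  1 10:15:22 m365host CEF:0|ExampleVendor|M365ManagerPlus|1.0|1001|Admin role assigned|7|suser=admin@contoso.test act=Add member to role",
]
```

Run it over lines captured at the syslog or SIEM receiver to confirm that the chosen Syslog Type is what the parser actually receives before relying on the forwarded audit trail. Since UDP 514 carries the events in cleartext and without acknowledgement, prefer the TCP protocol option where the receiver supports it.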
Forwarding Microsoft 365 logs to an external SIEM product: Splunk HTTP
Steps to configure the Splunk HTTP Event Collector:
- Log in to your Splunk admin account.
- Select Settings from the top right corner of the Home page.
- Select Data Inputs under Data.
- Select HTTP Event Collector under Local inputs.
- Select New Token.
- Enter a Name for the token (preferably M365 Manager Plus).
- Customize the rest of the fields if required.
- Click Next.
- Customize the Input Settings if required.
- Click Review.
- Check your settings and click Submit.
- Copy and save the value in the Token Value field. You will need it to configure M365 Manager Plus.
- Go to Settings → Data Inputs → HTTP Event Collector.
- Select Global Settings and enable All Tokens.
- You can customize the HTTP Port Number and the rest of the fields if required.
- Click Save.
Steps to configure M365 Manager Plus:
- Log in to M365 Manager Plus.
- Go to the Settings tab.
- Select Admin → Administration → Log Forwarder in the left pane.
- Select the Enable Log Forwarding checkbox.
- Select the Splunk tab.
- Enter the Server Name or IP.
- Enter the Port number of the Splunk HTTP Event Collector and the Protocol to be used.
- Enter the Token Value you copied in step (12) of the Splunk configuration in the Authentication Token field.
- Click Save.