Integration Settings
The 'Log Forwarder' option allows you to forward Microsoft 365 audit logs to an external SIEM product or to a Syslog server.
Forwarding Logs to Syslog Server
Syslog is the standard event logging service on Unix systems. You may also use this setting to forward to your SIEM's UDP or TCP syslog receiver.
Configuring a Syslog Server
- The Syslog daemon listens by default on UDP port 514.
- UDP delivery is connectionless and unencrypted, so forwarded audit events can be dropped or spoofed in transit. Prefer TCP where your receiver supports it, and keep the path between M365 Manager Plus and the receiver on a trusted network segment.
- The defaults can be changed in the Syslog server's configuration file, /etc/syslog.conf (systems running rsyslog use /etc/rsyslog.conf instead).
- Remember to restart the Syslog daemon for the changes to take effect.
Steps to enable Syslog logging in M365 Manager Plus
- Go to the Settings tab.
- Select Admin → Administration → Log Forwarder in the left pane.
- Select Enable Log Forwarding checkbox.
- Select Syslog tab.
- Enter the Syslog Server Name or IP. Ensure that this server is reachable on the chosen port from the server on which M365 Manager Plus is installed.
- Select the Protocol to be used.
- Enter the Port number.
- Select the Syslog Type required by your SIEM parser from the drop-down.
- If the Syslog Type you have chosen is RFC 3164, RFC 5424 or CEF, you can configure the following Advanced settings:
- Choose the Severity and Facility. These two values are encoded together in the PRI field at the start of every message, so the SIEM will route and prioritize events according to them.
- Modify the data format into which the log will be converted.
- Click on the Save button.
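Before pointing a production SIEM at the forwarder it is worth confirming that the Syslog Type, Severity and Facility you picked actually arrive as your parser expects. The following is an added example, not code from M365 Manager Plus or ManageEngine: a small Python parser that classifies a received line as RFC 3164, RFC 5424 or CEF, decodes the PRI field into facility and severity keywords, and splits a CEF header and its key=value extension. The sample lines, the hostnames, users, addresses and the CEF vendor/product/signature strings are constructed for illustration and do not reproduce the product's real output.

```python
import re
from typing import Dict, List

# Facility and severity keywords for the PRI table in RFC 5424 (BSD/rsyslog naming).
FACILITIES: List[str] = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES: List[str] = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164: <PRI> followed by a BSD timestamp, hostname and free-form message.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# (structured-data values containing ']' are not handled by this simple pattern).
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# CEF extension: key=value pairs; a value runs until the next " key=" or end of line.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def decode_pri(pri: int) -> Dict[str, str]:
    """Split a PRI value into facility (pri // 8) and severity (pri % 8) keywords."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity]}


def parse_cef(payload: str) -> Dict[str, object]:
    """Parse 'CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension'."""
    # A backslash-escaped pipe ('\|') is data, not a field separator.
    header = re.split(r"(?<!\\)\|", payload, maxsplit=7)
    if len(header) != 8 or not header[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    keys = ["cef_version", "vendor", "product", "product_version", "signature_id", "name", "cef_severity"]
    fields: Dict[str, object] = dict(zip(keys, header[:7]))
    fields["cef_version"] = header[0][len("CEF:"):]
    fields["extension"] = dict(CEF_EXT_RE.findall(header[7]))
    return fields


def parse_syslog(line: str) -> Dict[str, object]:
    """Classify one forwarded line as cef / rfc5424 / rfc3164 / unknown and extract its fields."""
    line = line.rstrip("\r\n")
    result: Dict[str, object] = {"format": "unknown", "raw": line}

    # CEF normally rides inside a syslog header, so look for the CEF marker first.
    cef_at = line.find("CEF:")
    if cef_at >= 0:
        result["format"] = "cef"
        result.update(parse_cef(line[cef_at:]))
        m = re.match(r"^<(\d{1,3})>", line)
        if m:
            result.update(decode_pri(int(m.group(1))))
        return result

    for fmt, pattern in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = pattern.match(line)
        if m:
            result["format"] = fmt
            result.update(m.groupdict())
            result.update(decode_pri(int(m.group("pri"))))
            return result
    return result


# Constructed sample lines, one per Syslog Type offered by the forwarder (illustrative content only).
SAMPLE_LINES = [
    "<134>Oct 11 22:14:15 m365mp-host M365ManagerPlus: User admin@contoso.example signed in",
    '<132>1 2024-10-11T22:14:15.003Z m365mp-host M365ManagerPlus 1234 AUDIT [origin ip="10.0.0.5"] Mailbox rule created',
    "<134>Oct 11 22:14:15 m365mp-host CEF:0|ManageEngine|M365ManagerPlus|1.0|1001|User signed in|3|suser=admin@contoso.example src=10.0.0.5 outcome=Success",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for parsed in map(parse_syslog, SAMPLE_LINES):
        print(parsed["format"], parsed.get("facility"), parsed.get("severity"), parsed.get("msg") or parsed.get("name"))
```

Run it against a capture taken on the Syslog server (for example the output of a packet capture or the raw file rsyslog writes); a line that comes back as "unknown", or with a facility/severity other than the one you chose under Advanced settings, means the SIEM parser will misfile those events.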
Forwarding Microsoft 365 Logs to an external SIEM product: Splunk HTTP Event Collector
Steps to configure Splunk HTTP Event Collector
- Log in to your Splunk admin account.
- Select Settings from the top right corner of the Home page.
- Select Data Inputs under Data.
- Select HTTP Event Collector under Local inputs.
- Select New Token.
- Enter a Name for the token (preferably M365 Manager Plus).
- Customize the rest of the fields if required.
- Click Next.
- Customize the Input Settings if required.
- Click Review.
- Check your settings and click Submit.
- Copy and save the value in the Token Value field. You will need it to configure M365 Manager Plus. Treat the token as a credential: anyone who holds it can write events into your Splunk index, so store it in the same way as a password and do not paste it into tickets or chat.
- Go to Settings → Data Inputs → HTTP Event Collector
- Select Global Settings and set All Tokens to Enabled.
- You can also change the HTTP Port Number (8088 by default) and the remaining fields if required. Leave Enable SSL turned on so the token and the audit data are not sent in clear text.
- Click Save.
Steps to configure M365 Manager Plus
- Log in to M365 Manager Plus.
- Go to the Settings tab.
- Select Admin → Administration → Log Forwarder in the left pane.
- Select Enable Log Forwarding checkbox.
- Select Splunk tab.
- Enter the Server Name or IP.
- Enter the Port number of the Splunk HTTP Event Collector and the Protocol to be used. Choose HTTPS unless the collector is reachable only over a trusted network; the token travels in the Authorization header of every request.
- Enter the Token Value you copied in step 12 of the Splunk configuration in the Authentication Token field.
- Click Save.
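The forwarder ends up making the same HTTP exchange that any HEC client does: a POST to /services/collector/event carrying "Authorization: Splunk <token>" and a JSON body, answered by a JSON status object in which only code 0 means the event was accepted. The following is an added example, not code shipped with M365 Manager Plus, that reproduces this exchange from a script so you can check the token, port and TLS trust before saving the configuration above. The server name, token value, index name, sourcetype and the event fields are constructed placeholders; the status-code table lists HEC reply codes as documented by Splunk.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Any, Dict, Optional, Tuple

# Status codes Splunk HEC returns in its JSON reply body (only code 0 is a success).
HEC_CODES = {
    0: "Success", 1: "Token disabled", 2: "Token is required", 3: "Invalid authorization",
    4: "Invalid token", 5: "No data", 6: "Invalid data format", 7: "Incorrect index",
    8: "Internal server error", 9: "Server is busy", 12: "Event field is required",
    13: "Event field cannot be blank", 17: "HEC is healthy",
}


def mask_token(token: str) -> str:
    """Render a HEC token for screens and logs without disclosing it (last 4 characters only)."""
    return "*" * max(len(token) - 4, 0) + token[-4:]


def hec_url(server: str, port: int, use_https: bool = True, path: str = "/services/collector/event") -> str:
    scheme = "https" if use_https else "http"
    return f"{scheme}://{server}:{port}{path}"


def build_hec_request(server: str, port: int, token: str, event: Dict[str, Any], *,
                      use_https: bool = True, sourcetype: str = "m365mp:audit",
                      index: Optional[str] = None, host: Optional[str] = None) -> urllib.request.Request:
    """Build the POST a HEC client sends: JSON envelope in the body, bearer token in the header."""
    payload: Dict[str, Any] = {"event": event, "sourcetype": sourcetype}
    if index:
        payload["index"] = index
    if host:
        payload["host"] = host
    req = urllib.request.Request(hec_url(server, port, use_https),
                                 data=json.dumps(payload).encode("utf-8"), method="POST")
    req.add_header("Authorization", f"Splunk {token}")  # the token is a bearer credential
    req.add_header("Content-Type", "application/json")
    return req


def decode_payload(req: urllib.request.Request) -> Dict[str, Any]:
    """Return the JSON envelope carried by a request built with build_hec_request."""
    return json.loads(req.data)


def hec_response_ok(body: bytes) -> Tuple[bool, int, str]:
    """Decode a HEC JSON reply into (ok, code, text); non-JSON replies are treated as failures."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, -1, "non-JSON response"
    code = int(data.get("code", -1))
    return code == 0, code, data.get("text") or HEC_CODES.get(code, "unknown")


def send_to_hec(req: urllib.request.Request, cafile: Optional[str] = None,
                timeout: float = 10.0) -> Tuple[bool, int, str]:
    """Send with certificate verification on. For a Splunk cert signed by an internal CA,
    pass that CA bundle as cafile instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return hec_response_ok(resp.read())
    except urllib.error.HTTPError as e:
        # HEC answers token and format errors with a 4xx status and a JSON body; surface that body.
        return hec_response_ok(e.read())


if __name__ == "__main__":
    # Constructed placeholders: host, token, index and event are not real values.
    token = "00000000-1111-2222-3333-444444444444"
    event = {"Operation": "UserLoggedIn", "UserId": "admin@contoso.example",
             "ClientIP": "10.0.0.5", "ResultStatus": "Succeeded"}
    req = build_hec_request("splunk.example.internal", 8088, token, event, index="m365")
    print("POST", req.full_url, "token", mask_token(token))
    # To actually test connectivity: print(send_to_hec(req, cafile="/path/to/internal-ca.pem"))
```

A reply of (False, 4, "Invalid token") means the token was pasted incorrectly or belongs to a different Splunk instance; (False, 1, "Token disabled") means All Tokens is still disabled in Global Settings or the individual token is; a certificate verification error from send_to_hec means the collector presents a certificate your host does not trust, which is fixed by supplying the issuing CA via cafile, not by turning verification off.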