Log Forwarder
'Log Forwarder' option allows you to forward Microsoft 365 audit logs to an external SIEM product or to a Syslog Server.
Forwarding Logs to Syslog Server:
Syslog is the event logging service in unix systems.You may also use this setting to forward to your SIEM's UDP or TCP receiver.
Configuring a Syslog Server:
- Syslog daemon runs by default in UDP port 514.
- The default settings can be modified in its Syslog server's configurationfile/etc/syslog.conf.
- Remember to restart Syslog daemon for the changes to take effect.
Steps to enable Syslog Logging in M365 Security Plus:
- Navigate to Settings → Admin → Administration → Integration Settings in the left pane. Select Log Forwarder.
- Select Enable Log Forwarding checkbox.
- Select Syslog tab.
- Enter the Syslog Server Name or IP. Ensure that this server is reachable from the server in which M365 Security Plus is installed.
- Select the Protocol to be used.
- Enter the Port number.
- Select the Syslog Type as required by your SIEM parser, from the drop-down.
Forwarding Microsoft 365 Logs to an external SIEM product : Splunk HTTP
Steps to configure Splunk Http Event Collector:
- Login to your Splunk admin account.
- Select Settings from the top right corner of the Home page.
- Select Data Inputs under Data.
- Select HTTP Event Collector under Local inputs.
- Select New Token.
- Enter a Name for the token. (Preferably M365 Security Plus).
- Customize the rest of the fields if required.
- Click Next.
- Customize the Input Settings if required.
- Click Review.
- Check your settings and click Submit.
- Copy and save the value in Token Value field. You will need it to configure M365 Security Plus.
- Go to Settings → Data Inputs → HTTP Event Collector
- Select Global Settings and enable All Tokens.
- You can customize the HTTP Port Number and rest of the fields if required.
- Click Save.
Steps to configure M365 Security Plus:
- Login to M365 Security Plus.
- Navigate to Settings → Admin → Administration → Integration Settings in the left pane. Select Log Forwarder.
- Select Enable Log Forwarding checkbox.
- Select Splunk tab.
- Enter the Port number of Splunk HTTP Event Collector and Protocol to be used.
- Enter the Token Value you had copied in step (12) of Splunk configuration in Authentication Token field.
- Click Save.
Don't see what you're looking for?
-
Visit our community
Post your questions in the forum.
-
Request additional resources
Send us your requirements.
-
Need implementation assistance?
Try onboarding