
Integrating with Azure Event Hub


You can integrate FortiWeb-VM with Azure Security Center (ASC) by pushing log messages (event logs, security and health alerts) to an Azure Event Hub. Configuration for the integration starts with connecting the Azure Event Hub to FortiWeb-VM, either through a CLI command or through Azure PowerShell. Both methods require the following details about the event hub you want to connect to:

  • Service Bus Namespace: The Service Bus Namespace in which the Event Hub was created. This is required later for the parameter servicebus_namespace.
  • Name of the Event Hub: This is required later for the parameter eventhub_name.
  • Subscription (ID): The subscription (ID) that has access to the Event Hub. This is required later for the parameter subscription_id.
  • Policy name: Name of the Shared Access policy you created for the Event Hub. This is required later for the parameter policy_name.
  • Primary key: The primary shared access key that the above policy uses for Shared Access Signature authentication on the Event Hub. This is required later for the parameter primary_key.
To collect information about an Azure event hub

You can collect the values through the Azure classic portal.

  1. To obtain the servicebus_namespace value, navigate to Event Hubs in the Azure portal.
  2. Locate the appropriate namespace in the list of namespaces and record its name.
  3. To obtain the eventhub_name value, click the namespace item you are using, and then click Event Hubs.
  4. Record the event hub name that is displayed.
  5. To obtain the subscription_id value (displayed in Azure as a Subscription value), first click the name of the event hub you are using to display its properties.
  6. Record the Subscription value found in the bottom-right area of the event hub's dashboard. Use this value for subscription_id.
  7. To access the event hub policy that provides the policy_name and primary_key values, in the event hub properties, click Configure.
  8. Record the Policy Name and Primary Key values.

You now have the parameters needed to connect the event hub to FortiWeb-VM through the CLI command or Azure PowerShell.
Connect the Azure event hub to FortiWeb-VM through the CLI

Execute the CLI command config system eventhub with the parameters you prepared, as follows, to configure the Azure event hub settings on FortiWeb:

    config system eventhub
        set status enable
        set appliance_id <subscription_id>
        set policy_saskey <primary_key>
        set policy_name <policy_name>
        set eventhub_name <eventhub_name>
        set servicebus_namespace <servicebus_namespace>
    end

For more information on using the CLI, see the FortiWeb CLI Reference.

Connect the Azure event hub to FortiWeb-VM through Azure PowerShell

To connect an event hub to FortiWeb-VM through Azure PowerShell, you need to prepare the following files:

A PowerShell script: This is a script (.ps1) that you run through Azure PowerShell to set the login information for the Azure event hub on FortiWeb-VM. Contact Fortinet Technical Support to obtain the script file.

An event hub configuration: This is a .json file containing the necessary information about the event hub. The PowerShell script above requires this .json file to complete the configuration of Azure event hub auto-login for FortiWeb-VM. Edit the following text and save it as a .json file (for example, logging.json):

    {
        "Logging": {
            "ApplianceID": "<subscription_id>",
            "LoggingLevel": "Alert",
            "Template": "CEF",
            "Connection": {
                "PolicySASKey": "<primary_key>",
                "PolicyName": "<policy_name>",
                "EventHubName": "<eventhub_name>",
                "ServiceBusNamespace": "<servicebus_namespace>"
            }
        }
    }

Here <subscription_id>, <primary_key>, <policy_name>, <eventhub_name> and <servicebus_namespace> are the parameters you must replace with the values from your environment. Leave the rest of the content above unchanged, and save the .json file on your local computer.

Log in to Azure PowerShell in your local Windows environment and execute the script (for example, customScriptWrapper.ps1) as follows to push the Azure event hub settings to FortiWeb:

    PS C:\> ./customScriptWrapper.ps1 `
        -loggingPath "<json_path>" `
        -fileUris @("http://mystorage.blob.core.windows.net/partners/config-eventhub.sh") `
        -vmname "FWBQAfwbtest1" `
        -rgname "fortiwebtest1" `
        -subscriptionId "<subscription_id>" `
        -scriptToRun "config-eventhub.sh"

Here <json_path> is the path where you saved the .json file on your local computer (for example, C:\Users\username\Desktop\logging.json), and <subscription_id> is the subscription (ID) that has access to the Event Hub. Do not change the values given above for the parameters fileUris, vmname, rgname and scriptToRun.
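Because the wrapper script accepts the .json file as-is, a malformed file or a leftover "<placeholder>" is only discovered after the configuration has been pushed to the VM. The following check is an added example, not part of Fortinet's documentation or of the support-provided script; the function name and the sample path are assumptions. It confirms that the fixed fields are unchanged, that all connection keys are present, and that no placeholder values remain, without ever printing the SAS key.

```powershell
# Added example: validate logging.json before running customScriptWrapper.ps1.
# The function name and the default path are assumptions, not part of the Fortinet script.
function Test-FortiWebEventHubConfig {
    param([Parameter(Mandatory)] [string] $Path)

    $problems = New-Object System.Collections.Generic.List[string]

    try {
        $cfg = Get-Content -Path $Path -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop
    } catch {
        return @("File is not readable or not valid JSON: $($_.Exception.Message)")
    }

    $log = $cfg.Logging
    if (-not $log) { return @("Top-level 'Logging' object is missing") }

    # Fields the documentation says must stay exactly as given
    if ($log.LoggingLevel -ne 'Alert') { $problems.Add("LoggingLevel must be 'Alert'") }
    if ($log.Template     -ne 'CEF')   { $problems.Add("Template must be 'CEF'") }

    # ApplianceID carries the Azure subscription ID, which is a GUID
    if ($log.ApplianceID -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
        $problems.Add("ApplianceID is not a subscription GUID (placeholder left in place?)")
    }

    $conn = $log.Connection
    if (-not $conn) { $problems.Add("Connection object is missing"); return $problems }

    foreach ($key in 'PolicySASKey', 'PolicyName', 'EventHubName', 'ServiceBusNamespace') {
        $value = $conn.$key
        if ([string]::IsNullOrWhiteSpace($value)) {
            $problems.Add("Connection.$key is missing or empty")
        } elseif ($value -match '^<.*>$') {
            # Still the angle-bracket placeholder from the template; the value is
            # deliberately not echoed so a real SAS key never lands in the console.
            $problems.Add("Connection.$key still contains a placeholder")
        }
    }
    return $problems
}

# Usage: stop before the wrapper script is run if anything is wrong.
$issues = Test-FortiWebEventHubConfig -Path "$env:USERPROFILE\Desktop\logging.json"
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
```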

In addition to connecting the Event Hub to FortiWeb-VM, you must create a SIEM policy and configure the Global Log Settings so that FortiWeb-VM pushes its event logs to the connected Event Hub. See the FortiWeb Administration Guide.