Microsoft Azure Event Hubs protocol configuration options

The Microsoft Azure Event Hubs protocol is an outbound and active protocol for IBM® Security QRadar® that collects events from Microsoft Azure Event Hubs.

Important: By default, each Event Collector can collect events from up to 1000 partitions before it runs out of file handles. If you want to collect from more partitions, you can contact IBM Support for advanced tuning information and assistance. For more information, see IBM Support.

The following parameters require specific values to collect events from Microsoft Azure Event Hubs:

Table 1. Microsoft Azure Event Hubs log source parameters
Parameter Value
Use Event Hub Connection String

Authenticate with an Azure Event Hub by using a connection string.

Note: The ability to toggle this switch to off is deprecated.
Event Hub Connection String

Authorization string that provides access to an Event Hub. For example:

Endpoint=sb://<Namespace Name>.servicebus.windows.net/;SharedAccessKeyName=<SAS Key Name>;SharedAccessKey=<SAS Key>;EntityPath=<Event Hub Name>

The connection string must include EntityPath so that it identifies the single Event Hub to read from. Because QRadar only consumes events, use a shared access policy that grants only the Listen claim rather than the namespace-level policy that also grants Send and Manage.
Consumer Group

Specifies the view that is used during the connection. Each Consumer Group maintains its own session tracking. Any connection that shares consumer groups and connection information shares session tracking information. Give QRadar its own consumer group so that other readers of the same Event Hub do not affect its session tracking.
Use Storage Account Connection String
Authenticates with an Azure Storage Account by using a connection string.
Note: The ability to toggle this switch to off is deprecated.
Storage Account Connection String

Authorization string that provides access to a Storage Account.

  • Access Key example:
    DefaultEndpointsProtocol=https;AccountName=<Storage Account Name>;AccountKey=<Storage Account Key>;EndpointSuffix=core.windows.net
  • Shared Access Signature example:
    BlobEndpoint=<Blob Endpoint>;QueueEndpoint=<Queue Endpoint>;FileEndpoint=<File Endpoint>;TableEndpoint=<Table Endpoint>;SharedAccessSignature=<Access Signature>
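
As an added example (not QRadar's or Microsoft's code), the following Python checks a connection string before it is pasted into either of the fields above: it splits the ;-delimited key=value pairs, confirms that the fields each format needs are present (including EntityPath, which names the Event Hub), and produces a redacted copy that is safe to paste into a ticket or a log. The namespace, account names, keys and signature in it are constructed placeholders, not real credentials.

```python
"""Constructed example: validate and redact QRadar Azure connection strings.

Not QRadar's or the Azure SDK's code. All names and keys below are
placeholders that were made up for this example.
"""

# Fields each connection string format needs. EntityPath is required for the
# Event Hub string because it names the single Event Hub that QRadar reads.
EVENT_HUB_REQUIRED = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey", "EntityPath")
STORAGE_KEY_REQUIRED = ("DefaultEndpointsProtocol", "AccountName", "AccountKey")
STORAGE_SAS_REQUIRED = ("BlobEndpoint", "SharedAccessSignature")
SECRET_FIELDS = {"SharedAccessKey", "AccountKey", "SharedAccessSignature"}

# Constructed inputs in the formats the page shows (keys and signature are fake).
EVENT_HUB_EXAMPLE = (
    "Endpoint=sb://contoso-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=qradar-listen;"
    "SharedAccessKey=FAKEKEYabc123=;"
    "EntityPath=audit-logs"
)
STORAGE_KEY_EXAMPLE = (
    "DefaultEndpointsProtocol=https;AccountName=contosoqradar;"
    "AccountKey=FAKEACCOUNTKEY==;EndpointSuffix=core.windows.net"
)
STORAGE_SAS_EXAMPLE = (
    "BlobEndpoint=https://contosoqradar.blob.core.windows.net/;"
    "QueueEndpoint=https://contosoqradar.queue.core.windows.net/;"
    "FileEndpoint=https://contosoqradar.file.core.windows.net/;"
    "TableEndpoint=https://contosoqradar.table.core.windows.net/;"
    "SharedAccessSignature=sv=2022-11-02&ss=b&srt=sco&sp=rl&sig=FAKESIG%3D"
)


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict.

    Values can contain '=' themselves (base64 keys, SAS query strings), so each
    segment is split at its first '=' only. Empty segments from a trailing ';'
    are ignored; a segment with no '=' at all is rejected.
    """
    fields = {}
    for segment in conn.strip().split(";"):
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed segment: {segment!r}")
        key, value = segment.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def validate_event_hub(conn):
    """Return (ok, reason) for an Event Hub Connection String."""
    fields = parse_connection_string(conn)
    missing = [k for k in EVENT_HUB_REQUIRED if not fields.get(k)]
    if missing:
        return False, "missing " + ", ".join(missing)
    if not fields["Endpoint"].startswith("sb://"):
        return False, "Endpoint must use the sb:// scheme"
    return True, "ok"


def validate_storage(conn):
    """Return (ok, kind) for a Storage Account Connection String.

    The string is treated as access-key style if it carries AccountKey and as
    shared-access-signature style if it carries SharedAccessSignature.
    """
    fields = parse_connection_string(conn)
    if "AccountKey" in fields:
        required, kind = STORAGE_KEY_REQUIRED, "access key"
    elif "SharedAccessSignature" in fields:
        required, kind = STORAGE_SAS_REQUIRED, "shared access signature"
    else:
        return False, "neither AccountKey nor SharedAccessSignature present"
    missing = [k for k in required if not fields.get(k)]
    if missing:
        return False, f"{kind}: missing " + ", ".join(missing)
    return True, kind


def redact(conn):
    """Rebuild the string with secret fields masked, for tickets and logs."""
    fields = parse_connection_string(conn)
    return ";".join(
        f"{k}=<redacted>" if k in SECRET_FIELDS else f"{k}={v}" for k, v in fields.items()
    )


if __name__ == "__main__":
    for label, conn, check in (
        ("event hub", EVENT_HUB_EXAMPLE, validate_event_hub),
        ("storage (key)", STORAGE_KEY_EXAMPLE, validate_storage),
        ("storage (SAS)", STORAGE_SAS_EXAMPLE, validate_storage),
    ):
        print(label, check(conn), redact(conn))
```

The split at the first "=" per segment matters: SAS keys are base64 and end in "=", and a storage SAS token is a query string full of "=", so a naive split on every "=" would corrupt exactly the fields that carry the secret.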

Format Azure Linux Events To Syslog

Formats Azure Linux® logs to a single-line syslog format that resembles standard syslog logging from Linux systems.
Convert VNet Flow Logs to IPFIX

Converts Microsoft Azure VNet Flow Logs to IPFIX.

Select this option to send flow logs to the Network Activity tab in QRadar.

Flow HostName

Enable Convert VNet Flow Logs to IPFIX to configure this parameter.

The flow processor hostname where the Microsoft Azure VNet Flow Logs are sent.

Flow Port

Enable Convert VNet Flow Logs to IPFIX to configure this parameter.

The flow processor port where the Microsoft Azure VNet Flow Logs are sent.

Use as a Gateway Log Source

Select this option for the collected events to flow through the QRadar Traffic Analysis engine and for QRadar to automatically detect one or more log sources.

When you select this option, the Log Source Identifier Pattern can optionally be used to define a custom Log Source Identifier for events that are being processed.

Log Source Identifier Pattern

When the Use As A Gateway Log Source option is selected, use this option to define a custom log source identifier for events that are processed. If the Log Source Identifier Pattern is not configured, QRadar receives events as unknown generic log sources.

The Log Source Identifier Pattern field accepts key-value pairs, such as key=value, to define the custom Log Source Identifier for events that are being processed and for log sources to be automatically discovered when applicable. Key is the Identifier Format String, which is the resulting source or origin value. Value is the associated regex pattern that is used to evaluate the current payload. The value (regex pattern) also supports capture groups, which can be used to further customize the key (Identifier Format String).

Multiple key-value pairs can be defined by typing each pattern on a new line. When multiple patterns are used, they are evaluated in order until a match is found. When a match is found, the key of that pattern, with any capture groups substituted, becomes the custom Log Source Identifier and the remaining patterns are not evaluated.

The following example shows the multiple key-value pair functionality:

Patterns:
VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)

Event:
{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

Resulting custom log source identifier:
VPC-ACCEPT-OK
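
The following Python, an added example rather than QRadar's own implementation, reproduces the evaluation order described above over the page's three patterns: each key=value line is split at its first "=", the regex is tested against the payload in order, and the capture groups of the first match are substituted for $1, $2 and so on in the key. The sample payloads are constructed variants of the event above; the last one matches no pattern and would therefore be received as an unknown generic log source.

```python
"""Constructed example: evaluate Log Source Identifier Pattern lines.

Not QRadar's implementation. It reproduces the documented behaviour: patterns
are tried in order, the first regex that matches wins, and $1, $2 ... in the
key are replaced with that match's capture groups.
"""
import re

# The three patterns from the example above, exactly as typed into the field.
PATTERNS = r"""
VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)
"""

# Constructed payloads: the page's event plus variants of its Message field.
SAMPLE_EVENTS = [
    "{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}",
    "{LogStreamName: LogStreamTest,Timestamp: 0,Message: REJECT OK,IngestionTime: 0,EventId: 0}",
    "{LogStreamName: LogStreamTest,Timestamp: 0,Message: REJECT FAILURE,IngestionTime: 0,EventId: 0}",
    "{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT FAILURE,IngestionTime: 0,EventId: 0}",
]


def parse_patterns(text):
    """Turn the field's lines into (identifier format string, compiled regex).

    Each line is split at its first '=' so that the regex part may itself
    contain '='. Blank lines are skipped; a line with no '=' is rejected.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=regex, got {line!r}")
        key, regex = line.split("=", 1)
        rules.append((key, re.compile(regex)))
    return rules


def expand(key, match):
    """Replace $N in the key with capture group N; an absent group is an error."""
    def group(m):
        n = int(m.group(1))
        if n == 0 or n > len(match.groups()):
            raise ValueError(f"${n} referenced but regex has {len(match.groups())} groups")
        return match.group(n) or ""
    return re.sub(r"\$(\d+)", group, key)


def log_source_identifier(rules, payload):
    """First matching rule wins; None means no custom identifier applies."""
    for key, regex in rules:
        m = regex.search(payload)
        if m:
            return expand(key, m)
    return None


def classify(rules, payloads):
    """Identifier (or None) for each payload, in order."""
    return [log_source_identifier(rules, p) for p in payloads]


if __name__ == "__main__":
    for payload, ident in zip(SAMPLE_EVENTS, classify(parse_patterns(PATTERNS), SAMPLE_EVENTS)):
        print(ident, "<-", payload)
```

Pattern order is the thing to get right when you write the field: the REJECT FAILURE line is listed first, so a payload that would also match a later, more specific pattern is still labelled by the earlier one.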
Use Predictive Parsing

If you enable this parameter, an algorithm extracts log source identifier patterns from events without running the regex for every event, which increases the parsing speed.

Enable predictive parsing only for log source types that you expect to receive high event rates and require faster parsing.

Use Proxy

When you configure a proxy, all traffic for the log source travels through the proxy to access the Azure Event Hub. After you enable this parameter, configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields.

If the proxy does not need authentication, you can leave the Proxy Username and Proxy Password fields blank.

Note: Digest Authentication for Proxy is not supported in the Java™ SDK for Azure Event Hubs. For more information, see Azure Event Hubs - Client SDKs (https://docs.microsoft.com/en-us/azure/event-hubs/sdks).
Proxy IP or Hostname

The IP address or hostname of the proxy server.

This parameter appears when Use Proxy is enabled.

Proxy Port

The port number used to communicate with the proxy. The default value is 8080.

This parameter appears when Use Proxy is enabled.

Proxy Username

The username for accessing the proxy server.

This parameter appears when Use Proxy is enabled.

Proxy Password

The password for accessing the proxy server.

This parameter appears when Use Proxy is enabled.

EPS Throttle

The maximum number of events per second (EPS). The default is 5000.

The following table describes the Microsoft Azure Event Hubs log source parameters that are deprecated:

Table 2. Deprecated Microsoft Azure Event Hubs log source parameters
Parameter Value
Deprecated - Namespace Name

This option is displayed if the Use Event Hub Connection String option is set to off.

The name of the Event Hubs namespace, the top-level container that holds the Event Hub entities in the Microsoft Azure Event Hubs user interface.
Deprecated - Event Hub Name

This option is displayed if the Use Event Hub Connection String option is set to off.

The identifier for the Event Hub that you want to access. The Event Hub Name must match one of the Event Hub entities within the namespace.
Deprecated - SAS Key Name

This option is displayed if the Use Event Hub Connection String option is set to off.

The name of the Shared Access Signature (SAS) policy (the SharedAccessKeyName value) that authorizes access to the Event Hub.
Deprecated - SAS Key

This option is displayed if the Use Event Hub Connection String option is set to off.

The primary or secondary key of that SAS policy (the SharedAccessKey value), which authenticates the connection.
Deprecated - Storage Account Name

This option is displayed if the Use Storage Account Connection String option is set to off.

The name of the storage account that stores Event Hub data.

The Storage Account Name is part of the authentication process that is required to access data in the Azure Storage Account.
Deprecated - Storage Account Key

This option is displayed if the Use Storage Account Connection String option is set to off.

An authorization key that is used for storage account authentication.

The Storage Account Key is part of the authentication process that is required to access data in the Azure Storage Account.