[KB] Configure Log Forwarder in O365 Manager Plus

O365 Manager Plus' Log Forwarder option allows you to forward Office 365 audit logs to an external SIEM product or to a Syslog server.

Forwarding logs to Syslog Server:

Syslog is the event logging service on Unix systems. You may also use this setting to forward logs to your SIEM's UDP or TCP receiver.

Configuring a Syslog Server:

  1. Syslog daemon runs in UDP port 514 by default.
  2. The default settings can be modified in the Syslog server's configuration file, /etc/syslog.conf.
  3. Remember to restart Syslog daemon for the changes to take effect.

Steps to enable Syslog logging in O365 Manager Plus:

  1. Go to Admin tab.
  2. Select General Settings → Log Forwarder in the left pane.
  3. Select the Enable Log Forwarding checkbox.
  4. Click the Syslog tab.
  5. Enter the Syslog Server Name or IP. Ensure that this server is reachable from the server in which O365 Manager Plus is installed.
  6. Select the Protocol to be used.
  7. Enter the Port number.
  8. Select the Syslog Type as required by your SIEM parser from the drop-down.
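Step 5 asks you to make sure the Syslog server is reachable, and step 8 asks for a Syslog Type your SIEM parser accepts. The following Python script is an added example, not code from the KB or from O365 Manager Plus: it builds a test message in the RFC 5424 and the older RFC 3164 (BSD) layouts, computes the PRI header the way syslog defines it (facility * 8 + severity), parses it back as a SIEM would, and sends it over UDP or TCP. The host name, app name and timestamp are constructed sample values, and the loopback round-trip lets you check the whole path without a real server.

```python
# Added example (not from the O365 Manager Plus KB): build, check and send
# syslog test messages so you can confirm the server, port and protocol entered
# in Log Forwarder are reachable and that the chosen Syslog Type parses.
import re
import socket
from datetime import datetime, timezone

# Facility and severity codes as defined in RFC 5424 section 6.2.1.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6

# Constructed sample timestamp so the output is reproducible.
SAMPLE_TS = datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc)

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def pri(facility, severity):
    """PRI = facility * 8 + severity (valid range 0-191)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def rfc5424_message(host, app, msg, ts=SAMPLE_TS,
                    facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """RFC 5424 layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG,
    with the NILVALUE '-' for PROCID, MSGID and STRUCTURED-DATA."""
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = f"<{pri(facility, severity)}>1 {stamp} {host} {app} - - - {msg}"
    return line.encode()


def rfc3164_message(host, app, msg, ts=SAMPLE_TS,
                    facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """BSD (RFC 3164) layout: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG.
    The day of month is space-padded; there is no year and no time zone."""
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    line = f"<{pri(facility, severity)}>{stamp} {host} {app}: {msg}"
    return line.encode()


def parse_pri(raw):
    """Recover (facility, severity) from a received message, as a SIEM parser
    would; rejects lines without a valid PRI header."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    value = int(m.group(1))
    if value > 191:
        raise ValueError(f"PRI {value} out of range")
    return divmod(value, 8)


def send_test_message(server, port, protocol, payload, timeout=3.0):
    """Send one message as a syslog client typically does: a UDP datagram, or
    TCP with LF framing (RFC 6587). Raises socket.error if unreachable."""
    proto = protocol.upper()
    if proto == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (server, port))
    elif proto == "TCP":
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(payload + b"\n")
    else:
        raise ValueError("protocol must be UDP or TCP")


def loopback_roundtrip(payload):
    """Self-check without a real syslog server: listen on an ephemeral UDP port
    on 127.0.0.1, send the payload to it and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(3.0)
        send_test_message("127.0.0.1", rx.getsockname()[1], "UDP", payload)
        data, _ = rx.recvfrom(4096)
    return data


if __name__ == "__main__":
    msg = rfc5424_message("o365mp01", "O365ManagerPlus", "log forwarder test")
    received = loopback_roundtrip(msg)
    print(received.decode(), parse_pri(received))
    # Against the real target entered in the KB steps (placeholder host):
    # send_test_message("syslog.example.internal", 514, "UDP", msg)
```

Run it from the server where O365 Manager Plus is installed so the reachability check exercises the same network path; a message that never arrives on the receiver points at a firewall or at the wrong protocol/port, while a message that arrives but is dropped by the SIEM points at a mismatched Syslog Type.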

Forwarding Office 365 logs to an external SIEM product: Splunk HTTP

Steps to configure Splunk HTTP event collector: 

  1. Login to your Splunk admin account.
  2. Select Settings from the top right corner of the Home page.
  3. Select Data Inputs under Data.
  4. Select HTTP Event Collector under Local inputs.
  5. Select New Token.
  6. Enter a Name for the token. (Preferably O365 Manager Plus).
  7. Customize the rest of the fields if required.
  8. Click Next.
  9. Customize the Input Settings if required.
  10. Click Review.
  11. Check your settings and click Submit.  
  12. Copy and save the value in Token Value field. You will need it to configure O365 Manager Plus.
  13. Go to Settings → Data Inputs → HTTP Event Collector.
  14. Select Global Settings and enable All Tokens.
  15. You can customize the HTTP Port Number and rest of the fields if required.
  16. Click Save.

Steps to configure O365 Manager Plus: 

  1. Login to O365 Manager Plus.
  2. Go to Admin tab.
  3. Select General Settings → Log Forwarder in the left pane.
  4. Select the Enable Log Forwarding checkbox.
  5. Click the Splunk tab.
  6. Enter the Port number of Splunk HTTP Event Collector and Protocol to be used.
  7. Enter the Token Value you had copied in step 12 of Splunk configuration in the Authentication Token field.
  8. Click Save.
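Before relying on the Splunk tab settings, it is useful to confirm that the token, port and protocol you entered are accepted by the HTTP Event Collector. The following Python script is an added example, not code from the KB, O365 Manager Plus or Splunk: it assembles the HEC request (the `/services/collector/event` endpoint and the `Authorization: Splunk <token>` header), posts one constructed test event and reports whether HEC answered with `code 0` ("Success"). The host name and token are placeholders to replace with your own values.

```python
# Added example (not from the KB, O365 Manager Plus or Splunk): assemble the
# HTTP Event Collector request and post one test event so the token, port and
# protocol entered in the Splunk tab can be verified before forwarding goes live.
import json
import ssl
import urllib.error
import urllib.request

# Placeholders: substitute your collector host and the Token Value from step 12.
HEC_HOST = "splunk.example.internal"
HEC_PORT = 8088          # Splunk's default HEC port; change if Global Settings differs
HEC_TOKEN = "REPLACE-WITH-TOKEN-VALUE"


def hec_url(host, port, protocol="https"):
    """Endpoint for JSON-wrapped events (/services/collector/raw takes raw text)."""
    return f"{protocol}://{host}:{port}/services/collector/event"


def hec_headers(token):
    """HEC authenticates with 'Authorization: Splunk <token>'."""
    return {"Authorization": f"Splunk {token}",
            "Content-Type": "application/json"}


def hec_event(event, source="o365managerplus", sourcetype="_json", index=None):
    """Envelope HEC expects: the payload under 'event' plus metadata fields."""
    body = {"event": event, "source": source, "sourcetype": sourcetype}
    if index:
        body["index"] = index
    return body


def hec_ok(response):
    """HEC replies {"text": "Success", "code": 0} when the event was accepted;
    any non-zero code (invalid or disabled token, bad data) means it was not."""
    return response.get("code") == 0


def send_test_event(host=HEC_HOST, port=HEC_PORT, token=HEC_TOKEN,
                    protocol="https", verify_tls=True, timeout=5.0):
    """POST a constructed test event and return HEC's JSON reply, including
    4xx error replies, so the caller can inspect the response code."""
    body = hec_event({"source": "O365 Manager Plus",
                      "message": "log forwarder connectivity test"})
    req = urllib.request.Request(hec_url(host, port, protocol),
                                 data=json.dumps(body).encode(),
                                 headers=hec_headers(token), method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:            # only for lab collectors with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read())


if __name__ == "__main__":
    reply = send_test_event()
    print("accepted" if hec_ok(reply) else f"rejected: {reply}")
```

Keep TLS verification on in production and add the collector's CA to the trust store instead of disabling it; a rejected reply with a non-zero code usually means the token was pasted incorrectly or has not been enabled under Global Settings (step 14).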
