Azure Monitor & Sentinel Setup for Enforza Log Collection (via Portal)
This guide walks you through setting up Azure Monitor and Microsoft Sentinel integration using the Azure Portal to collect Enforza firewall logs from your deployed infrastructure. This assumes you already have a Log Analytics workspace configured.
Prerequisites
- ✅ Azure Portal access with appropriate permissions
- ✅ Log Analytics workspace already exists
- ✅ Your Terraform deployment is already running
- ✅ SSH access to your Enforza VM
Step 1: Install Azure Monitor Agent
1. Navigate to your VM in the Azure Portal:
   - Go to Virtual Machines → Select your Enforza VM (e.g., `enforza-vm`)
2. Install the Azure Monitor Agent Extension:
   - In the left sidebar, click Extensions + applications
   - Click + Add
   - Search for "Azure Monitor Agent"
   - Select Azure Monitor Agent by Microsoft
   - Click Next → Create
   - Wait for installation to complete (~2-3 minutes)
Step 2: Configure VM Managed Identity
1. Enable System-Assigned Managed Identity:
   - Still in your VM settings, click Identity in the left sidebar
   - Under the System assigned tab, toggle Status to On
   - Click Save and confirm
2. Assign Required Role:
   - Once enabled, click Azure role assignments
   - Click + Add role assignment
   - Configure:
     - Scope: Subscription
     - Subscription: Your subscription
     - Role: Monitoring Metrics Publisher
   - Click Save
Step 3: Enable Microsoft Sentinel (Optional)
1. Navigate to Microsoft Sentinel:
   - In the Azure Portal search bar, type "Microsoft Sentinel"
   - Click Microsoft Sentinel
2. Add Workspace:
   - Click + Add
   - Select your existing Log Analytics workspace
   - Click Add Microsoft Sentinel
   - Wait for deployment to complete
Step 4: Create Data Collection Endpoint (DCE)
1. Navigate to Monitor:
   - Search for "Monitor" in the Azure Portal
   - Click Monitor
2. Create Data Collection Endpoint:
   - In the left sidebar, under Settings, click Data Collection Endpoints
   - Click + Create
   - Configure:
     - Subscription: Your subscription
     - Resource Group: Same as your Log Analytics workspace
     - Name: `enforza-dce`
     - Region: Same as your workspace region
   - Click Review + Create → Create
Step 5: Create Custom Log Table
1. Navigate to your Log Analytics Workspace:
   - Go to Log Analytics workspaces → Select your workspace
2. Create Custom Table:
   - In the left sidebar, under Settings, click Tables
   - Click + Create → New custom log (DCR-based)
   - Configure:
     - Table name: `EnforzaLogs_CL`
     - Data source type: Log file
   - Click Next
3. Configure Data Source:
   - File pattern: `/var/log/ulog/enforza*.log`
   - Table name: Keep as `EnforzaLogs_CL`
   - Transform: Leave as default
   - Click Next
4. Review and Create:
   - Review settings and click Create
Step 6: Create Data Collection Rule (DCR)
1. Navigate to Data Collection Rules:
   - In Monitor, go to Data Collection Rules (under Settings)
   - Click + Create
2. Basic Configuration:
   - Rule name: `enforza-ulog-dcr`
   - Subscription: Your subscription
   - Resource Group: Same as your workspace
   - Region: Same as your workspace region
   - Platform Type: Linux
   - Click Next: Resources
3. Add Resources:
   - Click + Add resources
   - Find and select your Enforza VM
   - Click Apply
   - Click Next: Collect and deliver
4. Configure Data Source:
   - Click + Add data source
   - Data source type: Log files
   - Name: `enforza-ulog-files`
   - File pattern: `/var/log/ulog/enforza*.log`
   - Transform: Leave as default
   - Destination: Your Log Analytics workspace
   - Destination table: `EnforzaLogs_CL`
   - Click Add data source
5. Review and Create:
   - Click Next: Review + create
   - Click Create
Step 7: Verify Data Collection Endpoint Association
1. Link DCR to DCE:
   - Go back to your newly created Data Collection Rule
   - In the left sidebar, click Configuration
   - Under Data collection endpoint, click Change
   - Select your `enforza-dce` endpoint
   - Click Apply
Step 8: Restart Azure Monitor Agent
1. Connect to your VM via SSH:

   ```bash
   ssh azureuser@YOUR_VM_PUBLIC_IP
   ```

2. Restart the Azure Monitor Agent:

   ```bash
   sudo systemctl restart azuremonitoragent
   sudo systemctl status azuremonitoragent
   ```

3. Verify the log directory exists:

   ```bash
   sudo mkdir -p /var/log/ulog
   sudo chmod 755 /var/log/ulog
   ls -la /var/log/ulog/
   ```
Step 9: Test Log Collection
1. Generate Test Logs:

   ```bash
   # SSH into your VM first
   echo "Test firewall log entry - $(date)" | sudo tee -a /var/log/ulog/enforza-fw.log
   ```

2. Verify Log Files:

   ```bash
   sudo ls -la /var/log/ulog/
   sudo cat /var/log/ulog/enforza-fw.log
   ```
Step 10: Query Logs in Azure Portal
1. Navigate to Log Analytics:
   - Go to your Log Analytics workspace
   - In the left sidebar, click Logs
2. Wait for Data Ingestion (5-15 minutes):
   - Initial log ingestion can take time
   - The custom table `EnforzaLogs_CL` will appear once data starts flowing
3. Sample KQL Queries:

   View recent logs (sort before taking rows, so you get the newest 100 rather than an arbitrary 100):

   ```kusto
   EnforzaLogs_CL
   | order by TimeGenerated desc
   | limit 100
   ```

   Search for test entries:

   ```kusto
   EnforzaLogs_CL
   | where RawData contains "Test"
   | project TimeGenerated, RawData
   ```

   Count logs by hour:

   ```kusto
   EnforzaLogs_CL
   | summarize LogCount = count() by bin(TimeGenerated, 1h)
   | render timechart
   ```
Verification Checklist
Use this checklist to ensure everything is configured correctly:
✅ VM Configuration
- Azure Monitor Agent extension installed
- System-assigned managed identity enabled
- "Monitoring Metrics Publisher" role assigned
- Azure Monitor Agent service running

✅ Data Collection Setup
- Data Collection Endpoint created (`enforza-dce`)
- Data Collection Rule created (`enforza-ulog-dcr`)
- DCR associated with your VM
- DCR linked to Data Collection Endpoint
- Custom log table created (`EnforzaLogs_CL`)

✅ Log Files
- `/var/log/ulog/` directory exists
- Directory has proper permissions (755)
- Test log files created and readable
- Azure Monitor Agent can access log directory

✅ Data Flow
- Logs appearing in `EnforzaLogs_CL` table (wait 5-15 minutes)
- KQL queries returning data
- Microsoft Sentinel enabled (optional)
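The "Log Files" items above (and the permission check in the Troubleshooting section) can be run locally on the VM before waiting on ingestion. This is an added example, not part of the original guide; it assumes GNU `stat` (Linux) and uses hypothetical function and variable names, with the path and pattern taken from the guide.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): pre-flight check that the ulog directory
# and files are in the state the Azure Monitor Agent file-collection DCR expects.
# Usage: check_ulog_dir [dir] [glob]   (defaults match the guide)

check_ulog_dir() {
  local dir="${1:-/var/log/ulog}"
  local pattern="${2:-enforza*.log}"
  local rc=0 mode fmode found=0 f

  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir does not exist (guide: sudo mkdir -p $dir)"
    return 1
  fi

  # The guide sets the directory to 755 so a non-root agent can traverse it.
  mode=$(stat -c '%a' "$dir")
  if [ "$mode" != "755" ]; then
    echo "WARN: $dir mode is $mode, guide expects 755"
    rc=1
  fi

  # At least one file must match the DCR file pattern, and each match must be
  # readable by "others" (last octal digit has the read bit), i.e. 644 or wider.
  for f in "$dir"/$pattern; do
    [ -e "$f" ] || continue
    found=1
    fmode=$(stat -c '%a' "$f")
    case "$fmode" in
      *[4567]) ;;  # other-read bit set
      *) echo "FAIL: $f mode is $fmode, not world-readable (guide: chmod 644)"; rc=1 ;;
    esac
  done
  if [ "$found" -eq 0 ]; then
    echo "FAIL: no files matching $dir/$pattern; generate a test entry first"
    rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $dir ready for collection"
  return "$rc"
}
```

Run it as the agent's user (or as root) on the VM; a non-zero exit means at least one checklist item needs attention.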
Troubleshooting
No Logs Appearing
1. Check Agent Status:

   ```bash
   sudo systemctl status azuremonitoragent
   sudo journalctl -u azuremonitoragent -f
   ```

2. Verify File Permissions:

   ```bash
   sudo ls -la /var/log/ulog/
   sudo chmod 644 /var/log/ulog/*.log   # Make files readable
   ```

3. Check DCR Association:
   - In Portal: Data Collection Rules → Your DCR → Resources
   - Ensure your VM is listed and associated

Agent Not Working

1. Reinstall Extension:
   - VM → Extensions → Remove Azure Monitor Agent
   - Wait 5 minutes → Re-add extension
2. Check Identity:
   - VM → Identity → Verify system-assigned is enabled
   - Check Azure role assignments are present

Data Collection Issues

1. Verify DCE Configuration:
   - Monitor → Data Collection Endpoints → Your DCE
   - Check it is in the same region as the workspace
2. Check DCR Settings:
   - Monitor → Data Collection Rules → Your DCR
   - Verify file patterns match: `/var/log/ulog/enforza*.log`
   - Confirm destination table is `EnforzaLogs_CL`
Portal Navigation Quick Reference
| Task | Portal Location |
|---|---|
| VM Extensions | Virtual Machines → [VM] → Extensions + applications |
| VM Identity | Virtual Machines → [VM] → Identity |
| Microsoft Sentinel | Search "Microsoft Sentinel" |
| Data Collection Endpoints | Monitor → Data Collection Endpoints |
| Data Collection Rules | Monitor → Data Collection Rules |
| Log Analytics Tables | Log Analytics workspaces → [Workspace] → Tables |
| Query Logs | Log Analytics workspaces → [Workspace] → Logs |
Summary
After completing this portal-based setup, you will have:
✅ Azure Monitor Agent collecting logs from `/var/log/ulog/enforza*.log`
✅ Data Collection Rule processing and routing log data via portal configuration
✅ Custom log table `EnforzaLogs_CL` in your Log Analytics workspace
✅ Data Collection Endpoint handling log ingestion
✅ VM managed identity with proper permissions configured via portal
✅ Microsoft Sentinel enabled for advanced security analytics (optional)
Your Enforza firewall logs will be available for querying, alerting, and analysis in Azure Monitor and Sentinel, all configured through the Azure Portal interface.