Azure Monitor & Sentinel Setup for Enforza Log Collection (via Portal)

This guide walks you through setting up Azure Monitor and Microsoft Sentinel integration using the Azure Portal to collect Enforza firewall logs from your deployed infrastructure. This assumes you already have a Log Analytics workspace configured.

Prerequisites

  • ✅ Azure Portal access with appropriate permissions
  • ✅ Log Analytics workspace already exists
  • ✅ Your Terraform deployment is already running
  • ✅ SSH access to your Enforza VM

Step 1: Install Azure Monitor Agent

  1. Navigate to your VM in the Azure Portal:

    • Go to Virtual Machines → Select your Enforza VM (e.g., enforza-vm)
  2. Install the Azure Monitor Agent Extension:

    • In the left sidebar, click Extensions + applications
    • Click + Add
    • Search for "Azure Monitor Agent"
    • Select Azure Monitor Agent by Microsoft
    • Click Next → Create
    • Wait for installation to complete (~2-3 minutes)

Step 2: Configure VM Managed Identity

  1. Enable System-Assigned Managed Identity:

    • Still in your VM settings, click Identity in the left sidebar
    • Under System assigned tab, toggle Status to On
    • Click Save and confirm
  2. Assign Required Role:

    • Once enabled, click Azure role assignments
    • Click + Add role assignment
    • Configure:
      • Scope: Subscription
      • Subscription: Your subscription
      • Role: Monitoring Metrics Publisher
    • Click Save

Step 3: Enable Microsoft Sentinel (Optional)

  1. Navigate to Microsoft Sentinel:

    • In the Azure Portal search bar, type "Microsoft Sentinel"
    • Click Microsoft Sentinel
  2. Add Workspace:

    • Click + Add
    • Select your existing Log Analytics workspace
    • Click Add Microsoft Sentinel
    • Wait for deployment to complete

Step 4: Create Data Collection Endpoint (DCE)

  1. Navigate to Monitor:

    • Search for "Monitor" in the Azure Portal
    • Click Monitor
  2. Create Data Collection Endpoint:

    • In the left sidebar, under Settings, click Data Collection Endpoints
    • Click + Create
    • Configure:
      • Subscription: Your subscription
      • Resource Group: Same as your Log Analytics workspace
      • Name: enforza-dce
      • Region: Same as your workspace region
    • Click Review + Create → Create

Step 5: Create Custom Log Table

  1. Navigate to your Log Analytics Workspace:

    • Go to Log Analytics workspaces → Select your workspace
  2. Create Custom Table:

    • In the left sidebar, under Settings, click Tables
    • Click + Create → New custom log (DCR-based)
    • Configure:
      • Table name: EnforzaLogs_CL
      • Data source type: Log file
    • Click Next
  3. Configure Data Source:

    • File pattern: /var/log/ulog/enforza*.log
    • Table name: Keep as EnforzaLogs_CL
    • Transform: Leave as default
    • Click Next
  4. Review and Create:

    • Review settings and click Create

Step 6: Create Data Collection Rule (DCR)

  1. Navigate to Data Collection Rules:

    • In Monitor, go to Data Collection Rules (under Settings)
    • Click + Create
  2. Basic Configuration:

    • Rule name: enforza-ulog-dcr
    • Subscription: Your subscription
    • Resource Group: Same as your workspace
    • Region: Same as your workspace region
    • Platform Type: Linux
    • Click Next: Resources
  3. Add Resources:

    • Click + Add resources
    • Find and select your Enforza VM
    • Click Apply
    • Click Next: Collect and deliver
  4. Configure Data Source:

    • Click + Add data source
    • Data source type: Log files
    • Name: enforza-ulog-files
    • File pattern: /var/log/ulog/enforza*.log
    • Transform: Leave as default
    • Destination: Your Log Analytics workspace
    • Destination table: EnforzaLogs_CL
    • Click Add data source
  5. Review and Create:

    • Click Next: Review + create
    • Click Create

Step 7: Verify Data Collection Endpoint Association

  1. Link DCR to DCE:
    • Go back to your newly created Data Collection Rule
    • In the left sidebar, click Configuration
    • Under Data collection endpoint, click Change
    • Select your enforza-dce endpoint
    • Click Apply

Step 8: Restart Azure Monitor Agent

  1. Connect to your VM via SSH:

    ssh azureuser@YOUR_VM_PUBLIC_IP
  2. Restart the Azure Monitor Agent:

    sudo systemctl restart azuremonitoragent
    sudo systemctl status azuremonitoragent
  3. Verify log directory exists:

    sudo mkdir -p /var/log/ulog
    sudo chmod 755 /var/log/ulog
    ls -la /var/log/ulog/

Step 9: Test Log Collection

  1. Generate Test Logs:

    # SSH into your VM
    echo "Test firewall log entry - $(date)" | sudo tee -a /var/log/ulog/enforza-fw.log
  2. Verify Log Files:

    sudo ls -la /var/log/ulog/
    sudo cat /var/log/ulog/enforza-fw.log

Step 10: Query Logs in Azure Portal

  1. Navigate to Log Analytics:

    • Go to your Log Analytics workspace
    • In the left sidebar, click Logs
  2. Wait for Data Ingestion (5-15 minutes):

    • Initial log ingestion can take time
    • The custom table EnforzaLogs_CL will appear once data starts flowing
  3. Sample KQL Queries:

    View recent logs:

    EnforzaLogs_CL
    | limit 100
    | order by TimeGenerated desc

    Search for test entries:

    EnforzaLogs_CL
    | where RawData contains "Test"
    | project TimeGenerated, RawData

    Count logs by hour:

    EnforzaLogs_CL
    | summarize LogCount = count() by bin(TimeGenerated, 1h)
    | render timechart

Verification Checklist

Use this checklist to ensure everything is configured correctly:

✅ VM Configuration

  • Azure Monitor Agent extension installed
  • System-assigned managed identity enabled
  • "Monitoring Metrics Publisher" role assigned
  • Azure Monitor Agent service running

✅ Data Collection Setup

  • Data Collection Endpoint created (enforza-dce)
  • Data Collection Rule created (enforza-ulog-dcr)
  • DCR associated with your VM
  • DCR linked to Data Collection Endpoint
  • Custom log table created (EnforzaLogs_CL)

✅ Log Files

  • /var/log/ulog/ directory exists
  • Directory has proper permissions (755)
  • Test log files created and readable
  • Azure Monitor Agent can access log directory

✅ Data Flow

  • Logs appearing in EnforzaLogs_CL table (wait 5-15 minutes)
  • KQL queries returning data
  • Microsoft Sentinel enabled (optional)

Troubleshooting

No Logs Appearing

  1. Check Agent Status:

    sudo systemctl status azuremonitoragent
    sudo journalctl -u azuremonitoragent -f
  2. Verify File Permissions:

    sudo ls -la /var/log/ulog/
    sudo chmod 644 /var/log/ulog/*.log # Make files readable
  3. Check DCR Association:

    • In Portal: Data Collection Rules → Your DCR → Resources
    • Ensure your VM is listed and associated
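
The on-VM checks from Step 8, Step 9 and the first two troubleshooting items above, combined into one pre-flight script. This is an added example, not part of the guide or the Enforza project; it assumes the guide's defaults (/var/log/ulog, enforza*.log, the azuremonitoragent service unit) and lets you override the directory and glob on the command line.

```shell
#!/bin/sh
# Added example (not the guide's own code): pre-flight check for the path the
# DCR collects from. Defaults are the guide's; override via $1 (dir), $2 (glob).
LOG_DIR="${1:-/var/log/ulog}"
PATTERN="${2:-enforza*.log}"
# Octal mode bits of an existing path (GNU stat first, BSD stat as fallback).
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
# 0 when the directory exists with mode 755, as Step 8 sets it.
check_dir() {
  [ -d "$1" ] || { echo "MISSING: $1 (fix: sudo mkdir -p $1)"; return 1; }
  mode=$(perm_of "$1")
  [ "$mode" = "755" ] || { echo "BAD MODE $mode on $1 (want 755)"; return 1; }
  echo "OK: $1 is $mode"
}
# 0 when at least one file matches the glob and every match is world-readable
# (read bit set in the last octal digit); otherwise name the chmod 644 fix.
check_files() {
  found=0; bad=0
  for f in "$1"/$2; do
    [ -e "$f" ] || continue
    found=1
    mode=$(perm_of "$f")
    case "$mode" in
      *[4567]) echo "OK: $f ($mode)" ;;
      *) echo "UNREADABLE: $f ($mode), fix: sudo chmod 644 $f"; bad=1 ;;
    esac
  done
  [ "$found" -eq 1 ] || { echo "NO FILES match $1/$2"; return 1; }
  [ "$bad" -eq 0 ]
}
# 0 when the agent unit is active; skipped (0) where systemctl is absent.
check_agent() {
  command -v systemctl >/dev/null 2>&1 || { echo "SKIP: no systemctl"; return 0; }
  systemctl is-active --quiet azuremonitoragent 2>/dev/null && echo "OK: agent active" \
    || { echo "AGENT DOWN (fix: sudo systemctl restart azuremonitoragent)"; return 1; }
}
main() {
  rc=0
  check_dir "$LOG_DIR" || rc=1
  check_files "$LOG_DIR" "$PATTERN" || rc=1
  check_agent || rc=1
  return $rc
}

main "$@" || echo "Pre-flight found problems; see messages above"
```

Run it on the VM as `sh enforza-preflight.sh` before waiting out the 5-15 minute ingestion delay; every failure line names the fix from this guide.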

Agent Not Working

  1. Reinstall Extension:

    • VM → Extensions → Remove Azure Monitor Agent
    • Wait 5 minutes → Re-add extension
  2. Check Identity:

    • VM → Identity → Verify system-assigned is enabled
    • Check Azure role assignments are present

Data Collection Issues

  1. Verify DCE Configuration:

    • Monitor → Data Collection Endpoints → Your DCE
    • Check it's in same region as workspace
  2. Check DCR Settings:

    • Monitor → Data Collection Rules → Your DCR
    • Verify file patterns match: /var/log/ulog/enforza*.log
    • Confirm destination table is EnforzaLogs_CL

Portal Navigation Quick Reference

Task                          Portal Location
VM Extensions                 Virtual Machines → [VM] → Extensions + applications
VM Identity                   Virtual Machines → [VM] → Identity
Microsoft Sentinel            Search "Microsoft Sentinel"
Data Collection Endpoints     Monitor → Data Collection Endpoints
Data Collection Rules         Monitor → Data Collection Rules
Log Analytics Tables          Log Analytics workspaces → [Workspace] → Tables
Query Logs                    Log Analytics workspaces → [Workspace] → Logs

Summary

After completing this portal-based setup, you will have:

  • Azure Monitor Agent collecting logs from /var/log/ulog/enforza*.log
  • Data Collection Rule processing and routing log data via portal configuration
  • Custom log table EnforzaLogs_CL in your Log Analytics workspace
  • Data Collection Endpoint handling log ingestion
  • VM managed identity with proper permissions configured via portal
  • Microsoft Sentinel enabled for advanced security analytics (optional)

Your Enforza firewall logs will be available for querying, alerting, and analysis in Azure Monitor and Sentinel, all configured through the Azure Portal interface.