Azure Monitor & Sentinel Setup for Enforza Log Collection (via CLI)
This guide walks you through setting up Azure Monitor and Microsoft Sentinel integration to collect Enforza firewall logs from your deployed infrastructure. This assumes you already have a Log Analytics workspace configured.
Prerequisites
- ✅ Azure CLI installed and authenticated
- ✅ Log Analytics workspace already exists
- ✅
jq
utility installed for JSON processing - ✅ Appropriate permissions on your Azure subscription
- ✅ Your Terraform deployment is already running
Step 1: Gather Required Information
Before starting, collect these details from your environment:
# Your subscription ID
SUBSCRIPTION_ID="your-subscription-id"
# Your existing Log Analytics workspace details
WORKSPACE_RESOURCE_GROUP="your-log-analytics-rg"
WORKSPACE_NAME="your-workspace-name"
WORKSPACE_LOCATION="your-workspace-location" # e.g., "East US 2"
# Your Enforza VM details (from your Terraform deployment)
VM_RESOURCE_GROUP="your-terraform-rg" # e.g., "enforza-simple-single-az-gateway"
VM_NAME="your-vm-name" # e.g., "enforza-vm"
Step 2: Register Required Azure Resource Providers
Ensure the necessary Azure resource providers are registered:
# Register required providers
az provider register --namespace Microsoft.Insights --wait
az provider register --namespace Microsoft.OperationalInsights --wait
az provider register --namespace Microsoft.SecurityInsights --wait
echo "✅ Azure resource providers registered"
Step 3: Install Azure Monitor Agent on Your VM
The Azure Monitor Agent is required to collect logs from your Enforza firewall:
# Install Azure Monitor Agent extension
az vm extension set \
--resource-group "$VM_RESOURCE_GROUP" \
--vm-name "$VM_NAME" \
--name AzureMonitorLinuxAgent \
--publisher Microsoft.Azure.Monitor \
--enable-auto-upgrade true
echo "✅ Azure Monitor Agent installed"
Step 4: Configure VM Managed Identity
Enable system-assigned managed identity and grant necessary permissions:
# Enable system-assigned managed identity
az vm identity assign \
--resource-group "$VM_RESOURCE_GROUP" \
--name "$VM_NAME"
# Get the VM's principal ID
VM_PRINCIPAL_ID=$(az vm identity show \
--resource-group "$VM_RESOURCE_GROUP" \
--name "$VM_NAME" \
--query principalId -o tsv)
# Grant "Monitoring Metrics Publisher" role to the VM
az role assignment create \
--assignee "$VM_PRINCIPAL_ID" \
--role "Monitoring Metrics Publisher" \
--scope "/subscriptions/$SUBSCRIPTION_ID"
echo "✅ Managed identity configured with required permissions"
Step 5: Enable Microsoft Sentinel (Optional)
If you want to use advanced security analytics, enable Microsoft Sentinel on your workspace:
# Build workspace resource ID
WORKSPACE_ID="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$WORKSPACE_RESOURCE_GROUP/providers/Microsoft.OperationalInsights/workspaces/$WORKSPACE_NAME"
# Check if Sentinel is already enabled
SENTINEL_STATUS=$(az rest \
--method GET \
--url "https://management.azure.com$WORKSPACE_ID/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2023-02-01" \
--query "properties" -o tsv 2>/dev/null || echo "not_found")
if [ "$SENTINEL_STATUS" = "not_found" ]; then
echo "Enabling Microsoft Sentinel..."
az rest \
--method PUT \
--url "https://management.azure.com$WORKSPACE_ID/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2023-02-01" \
--body '{}'
echo "✅ Microsoft Sentinel enabled"
else
echo "✅ Microsoft Sentinel already enabled"
fi
Step 6: Create Custom Log Table
Create a custom table to store Enforza firewall logs:
# Create custom log table for Enforza logs
TABLE_NAME="EnforzaLogs_CL"
# Check if table exists
TABLE_EXISTS=$(az monitor log-analytics workspace table show \
--resource-group "$WORKSPACE_RESOURCE_GROUP" \
--workspace-name "$WORKSPACE_NAME" \
--name "$TABLE_NAME" \
--query "name" -o tsv 2>/dev/null || echo "")
if [ -z "$TABLE_EXISTS" ]; then
echo "Creating custom log table: $TABLE_NAME"
az monitor log-analytics workspace table create \
--resource-group "$WORKSPACE_RESOURCE_GROUP" \
--workspace-name "$WORKSPACE_NAME" \
--name "$TABLE_NAME" \
--plan Analytics \
--columns TimeGenerated=datetime RawData=string
echo "✅ Custom log table created"
else
echo "✅ Custom log table already exists"
fi
Step 7: Create Data Collection Endpoint (DCE)
Set up a Data Collection Endpoint to receive log data:
# Create Data Collection Endpoint
DCE_NAME="enforza-dce"
DCE_ID="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$WORKSPACE_RESOURCE_GROUP/providers/Microsoft.Insights/dataCollectionEndpoints/$DCE_NAME"
# Check if DCE exists
DCE_EXISTS=$(az resource show --ids "$DCE_ID" --query "name" -o tsv 2>/dev/null || echo "")
if [ -z "$DCE_EXISTS" ]; then
echo "Creating Data Collection Endpoint: $DCE_NAME"
az rest --method PUT \
--url "https://management.azure.com$DCE_ID?api-version=2022-06-01" \
--body "{
\"location\": \"$WORKSPACE_LOCATION\",
\"properties\": {
\"networkAcls\": { \"publicNetworkAccess\": \"Enabled\" }
}
}"
echo "✅ Data Collection Endpoint created"
else
echo "✅ Data Collection Endpoint already exists"
fi
Step 8: Create Data Collection Rule (DCR)
Configure a Data Collection Rule to specify how logs are collected and processed:
# Create Data Collection Rule
DCR_NAME="enforza-ulog-dcr"
DCR_ID="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$WORKSPACE_RESOURCE_GROUP/providers/Microsoft.Insights/dataCollectionRules/$DCR_NAME"
# Create DCR configuration
cat > /tmp/dcr-config.json <<EOF
{
"location": "$WORKSPACE_LOCATION",
"properties": {
"dataCollectionEndpointId": "$DCE_ID",
"streamDeclarations": {
"Custom-EnforzaLogs_CL": {
"columns": [
{ "name": "TimeGenerated", "type": "datetime" },
{ "name": "RawData", "type": "string" }
]
}
},
"dataSources": {
"logFiles": [
{
"name": "enforza-ulog-files",
"format": "text",
"streams": ["Custom-EnforzaLogs_CL"],
"filePatterns": ["/var/log/ulog/enforza*.log"]
}
]
},
"destinations": {
"logAnalytics": [
{
"name": "destination-log-analytics",
"workspaceResourceId": "$WORKSPACE_ID"
}
]
},
"dataFlows": [
{
"streams": ["Custom-EnforzaLogs_CL"],
"destinations": ["destination-log-analytics"]
}
]
}
}
EOF
echo "Creating Data Collection Rule: $DCR_NAME"
az rest --method PUT \
--url "https://management.azure.com$DCR_ID?api-version=2022-06-01" \
--body @/tmp/dcr-config.json
echo "✅ Data Collection Rule created"
Step 9: Associate DCR with VM
Link the Data Collection Rule to your Enforza VM:
# Associate DCR with VM
ASSOCIATION_NAME="enforza-dcr-association"
ASSOCIATION_URL="https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$VM_RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/$VM_NAME/providers/Microsoft.Insights/dataCollectionRuleAssociations/$ASSOCIATION_NAME?api-version=2022-06-01"
az rest --method PUT --url "$ASSOCIATION_URL" --body "{
\"properties\": {
\"dataCollectionRuleId\": \"$DCR_ID\"
}
}"
echo "✅ VM associated with Data Collection Rule"
# Cleanup temporary file
rm -f /tmp/dcr-config.json
Step 10: Restart Azure Monitor Agent
If you just enabled the managed identity, restart the agent to apply changes:
# Get VM's public IP for SSH access
VM_IP=$(az vm list-ip-addresses \
--resource-group "$VM_RESOURCE_GROUP" \
--name "$VM_NAME" \
--query "[0].virtualMachine.network.publicIpAddresses[0].ipAddress" -o tsv)
# SSH into the VM and restart the agent
ssh azureuser@$VM_IP 'sudo systemctl restart azuremonitoragent'
echo "✅ Azure Monitor Agent restarted"
Verification & Testing
1. Check Log Collection Status
Wait 5-10 minutes for logs to start flowing, then verify data collection:
# Query your custom log table
az monitor log-analytics query \
--workspace "$WORKSPACE_ID" \
--analytics-query "EnforzaLogs_CL | limit 10" \
--output table
2. Test Log Ingestion
Generate a test log entry:
# SSH into your VM and create a test log
ssh azureuser@$VM_IP 'echo "Test log entry from $(date)" | sudo tee -a /var/log/ulog/enforza-fw.log'
3. Access Your Setup
- Log Analytics Workspace:
https://portal.azure.com/#@/resource$WORKSPACE_ID
- Microsoft Sentinel (if enabled):
https://portal.azure.com/#view/Microsoft_Azure_Security_Insights/MainMenuBlade/~/0/id$WORKSPACE_ID
4. Sample KQL Queries
Use these KQL queries to analyze your Enforza logs:
// View recent logs
EnforzaLogs_CL
| limit 100
| order by TimeGenerated desc
// Search for specific patterns
EnforzaLogs_CL
| where RawData contains "DROP"
| limit 50
// Count logs by hour
EnforzaLogs_CL
| summarize count() by bin(TimeGenerated, 1h)
| render timechart
Troubleshooting
Common Issues
-
No logs appearing:
- Verify the Azure Monitor Agent is running:
systemctl status azuremonitoragent
- Check that log files exist:
ls -la /var/log/ulog/
- Ensure proper file permissions on log directory
- Verify the Azure Monitor Agent is running:
-
Permission errors:
- Verify managed identity is enabled on the VM
- Check role assignments for the VM's principal ID
- Restart the Azure Monitor Agent after identity changes
-
Data Collection Rule issues:
- Verify the DCR is properly associated with the VM
- Check that file patterns match your actual log locations
- Ensure the Data Collection Endpoint is accessible
Log File Requirements
Your Enforza firewall should write logs to /var/log/ulog/enforza*.log
files. Typical log files include:
/var/log/ulog/enforza-fw.log
- Main firewall events/var/log/ulog/enforza-sf.log
- FQDN & Suricata events/var/log/ulog/enforza-ct.log
- Conntrackd events
Ensure these files are readable by the Azure Monitor Agent (typically running as the azuremonitor
user).
Summary
After completing this setup, you will have:
✅ Azure Monitor Agent collecting logs from /var/log/ulog/enforza*.log
✅ Custom log table EnforzaLogs_CL
in your Log Analytics workspace
✅ Data Collection Rule processing and routing log data
✅ Microsoft Sentinel enabled for advanced security analytics (optional)
✅ VM configured with proper managed identity and permissions
Your Enforza firewall logs will now be available for querying, alerting, and analysis in Azure Monitor and Sentinel.