Skip to main content

Microsoft Azure Graph API

You can ship logs available from the Microsoft Graph APIs with Logzio-api-fetcher. Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. This integration allows you to collect data from Microsoft Graph API and send it to your Logz.io account.

Logzio-api-fetcher supports many API endpoints, including but not limited to:

  • Azure Active Directory audit logs
  • Azure Active Directory sign-in logs

There are many other APIs available through Microsoft Graph.

Register a new app in Azure Active Directory

In the Azure portal, go to App registration and select New registration from the top menu.

Name your app and click Register.

Create a client secret

Choose Certificates & secrets from the side menu, and click on New client secret.

Add a Description. We recommend something specific, such as "secret for Logzio-MSGraph integration".

In the Expires list, choose Never.

Click Add.

Copy the value of the generated secret to your text editor. You'll need this later.

note

You won't be able to retrieve the secret's value after you leave this page.

Set the app's permissions

Choose API permissions from the side menu, and click Add a permission.

Select Microsoft Graph > Application permissions.

Select the relevant permissions for your API, for AAD audit logs and AAD sign-ins enable these items:

  • AuditLog.Read.All
  • Directory.Read.All

Click Add permissions.

Click Grant admin consent for Default Directory, and then click Yes to confirm.

note

Only Azure administrators can grant consent for Default Directory. If the Grant admin consent button is disabled, ask your Azure admin to update the setting for you.

Pull the Docker image of the Logz.io API fetcher

docker pull logzio/logzio-api-fetcher

Create a configuration file

In the directory created in the previous step, create a file config.yaml using the example configuration below:

logzio:
url: https://<<LISTENER-HOST>>:8071
token: <<LOG-SHIPPING-TOKEN>>

apis:
- name: azure graph example
type: azure_graph
azure_ad_tenant_id: <<AZURE_AD_TENANT_ID>>
azure_ad_client_id: <<AZURE_AD_CLIENT_ID>>
azure_ad_secret_value: <<AZURE_AD_SECRET_VALUE>>
data_request:
url: https://graph.microsoft.com/v1.0/auditLogs/signIns
additional_fields:
type: azure_graph
field_to_add_to_my_logs: 123
scrape_interval: 1
days_back_fetch: 30
note

You can customize the endpoints to collect data by adding or modifying the configurations under the apis section. Refer to the relevant API documentation for more details.

Parameter NameDescriptionRequired/OptionalDefault
nameName of the API (custom name)Optionalazure api
azure_ad_tenant_idThe Azure AD Tenant idRequired-
azure_ad_client_idThe Azure AD Client idRequired-
azure_ad_secret_valueThe Azure AD Secret valueRequired-
date_filter_keyThe name of key to use for the date filter in the request URL paramsOptionalcreatedDateTime
data_request.urlThe request URLRequired-
additional_fieldsAdditional custom fields to add to the logs before sending to logzioOptional-
days_back_fetchThe amount of days to fetch back in the first requestOptional1 (day)
scrape_intervalTime interval to wait between runs (unit: minutes)Optional1 (minute)

Run the Docker container

In the path where you saved your config.yaml, run:

docker run --name logzio-api-fetcher \
-v "$(pwd)":/app/src/shared \
logzio/logzio-api-fetcher
note

To run in Debug mode add --level flag to the command:

docker run --name logzio-api-fetcher \
-v "$(pwd)":/app/src/shared \
logzio/logzio-api-fetcher \
--level DEBUG

Available Options: INFO, WARN, ERROR, DEBUG

Stop the Docker container

When you stop the container, the code will run until the iteration is completed. To make sure it will finish the iteration on time, please give it a grace period of 30 seconds when you run the docker stop command.

docker stop -t 30 logzio-api-fetcher

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can filter for data of your custom field type value or type api_fetcher to see the incoming Microsoft Graph logs.

If you still don't see your logs, see log shipping troubleshooting.

You can see a full list of the possible configuration values in the logzio-api-fetcher github repository.