
Azure Security Center

You can ship logs available from Azure Security Center via the Microsoft Graph APIs with Logzio-MSGraph. Logzio-MSGraph is a self-hosted application.

Logzio-MSGraph currently supports only the following Azure Security Center APIs:

  • Alerts

There are many other APIs available through Microsoft Graph. If you don't see your API in the list, please open an issue at GitHub to request it.

To integrate Microsoft Graph and

Register a new app in Azure Active Directory

In the Azure portal, go to App registration and select New registration from the top menu.

Name your app and click Register.

Create a client secret

Choose Certificates & secrets from the side menu, and click on New client secret.

Add a Description. We recommend something specific, such as "secret for Logzio-MSGraph integration".

In the Expires list, choose Never.

Click Add.

Copy the value of the generated secret to your text editor. You'll need this later.


You won't be able to retrieve the secret's value after you leave this page.

Set the app's permissions

Choose API permissions from the side menu, and click Add a permission.

Select Microsoft Graph > Application permissions.

Select this item:

  • SecurityEvents.Read.All

Click Add permissions.

Click Grant admin consent for Default Directory, and then click Yes to confirm.


Only Azure administrators can grant consent for Default Directory. If the Grant admin consent button is disabled, ask your Azure admin to update the setting for you.
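An added example, not part of the original page or the Logzio-MSGraph project: a preflight check that requests an app-only token with the client-credentials flow and confirms its roles claim holds SecurityEvents.Read.All and nothing else. The environment variable names are assumptions, as is decoding the Graph access token as a JWT (Microsoft treats it as opaque to clients).

```python
import base64
import json
import os
import urllib.parse
import urllib.request

REQUIRED_ROLE = "SecurityEvents.Read.All"  # the application permission selected above

def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials request for a Microsoft Graph token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")

def token_roles(access_token):
    """Read the 'roles' claim from the token payload (inspection only, no signature check)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))

def audit_roles(roles):
    """Return (missing, extra) relative to the one permission this integration needs."""
    return {REQUIRED_ROLE} - roles, roles - {REQUIRED_ROLE}

def fetch_token(tenant_id, client_id, client_secret):
    req = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]

if __name__ == "__main__":
    # Assumed variable names; they mirror the placeholders in the configuration file.
    token = fetch_token(os.environ["AD_TENANT_ID"], os.environ["APP_CLIENT_ID"],
                        os.environ["APP_CLIENT_SECRET"])
    missing, extra = audit_roles(token_roles(token))
    if missing:
        print("Admin consent not effective, missing:", sorted(missing))
    if extra:
        print("App holds more permissions than needed:", sorted(extra))
    if not missing and not extra:
        print("OK: token carries only", REQUIRED_ROLE)
```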

Create a configuration file

Create a YAML configuration file (logzio-msgraph-config.yaml) for Logzio-MSGraph.

For a complete list of options, see the configuration parameters below.👇

senderParams:
  accountToken: "<<LOG-SHIPPING-TOKEN>>"
  listenerUrl: "<<LISTENER-HOST>>"

azureADClient:
  pullIntervalSeconds: 300
  tenantId: "<<AD_TENANT_ID>>"
  clientId: "<<APP_CLIENT_ID>>"
  clientSecret: "<<APP_CLIENT_SECRET>>"

- <<supportedApi1>>

logLevel: INFO

<<KEY>>: "<<VALUE>>"


  • senderParams.accountToken: Your account token. Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to. Required.
  • senderParams.listenerUrl: Listener URL. Replace <<LISTENER-HOST>> with the host for your region. For example, if your account is hosted on AWS US East, or if hosted on Azure West Europe. The required port depends on whether HTTP or HTTPS is used: HTTP = 8070, HTTPS =
  • senderParams.fromDisk: If true, logs are stored on disk until they're shipped. (See If fromDisk=true below.) If false, logs persist in memory until they're shipped. (See If fromDisk=false below.) Optional. Set to true by default.
  • senderParams.senderDrainIntervals: How often the sender should drain the queue, in seconds. Optional. Set to 30 by default.
  • azureADClient.tenantId: Azure Active Directory tenant ID. You can find this in the Overview section of the app you registered in step 1. Required.
  • azureADClient.clientId: Application client ID. You can find this in the Overview section of the app you registered in step 1. Required.
  • azureADClient.clientSecret: Value of the Application Client Secret you created in step 2. Required.
  • azureADClient.pullIntervalSeconds: Time interval, in seconds, to pull the logs with the Graph API. Default: 300.
  • logLevel: Log level for Logzio-MSGraph to emit. Can be one of: OFF, ERROR, WARN, INFO, DEBUG, TRACE, ALL. Default: INFO.

If fromDisk=true

  • senderParams.fileSystemFullPercentThreshold: Threshold percentage of disk space at which to stop queueing. If this threshold is reached, all new logs are dropped until used space drops below the threshold. Set to -1 to ignore threshold. Default: 98.
  • senderParams.gcPersistedQueueFilesIntervalSeconds: Time interval, in seconds, to clean sent logs from the disk. Default: 30.
  • senderParams.diskSpaceCheckInterval: Time interval, in milliseconds, to check for disk space. Default: 1000.

If fromDisk=false

  • senderParams.inMemoryQueueCapacityInBytes: The amount of memory, in bytes, Logzio-MSGraph can use for the memory queue. Set to -1 for unlimited bytes. Default: 1024 * 1024 * 100.
  • senderParams.logsCountLimit: The number of logs in the memory queue before dropping new logs. Set to -1 to configure the sender to not limit the queue by logs count. Default: -1.

Download and run Logzio-MSGraph

You can launch Logzio-MSGraph in a Docker container or as a standalone Java app.

In a Docker container:

docker run -d -v "$(pwd)/logzio-msgraph-config.yaml:/config.yaml" logzio/logzio-msgraph

Or to run as a standalone Java app, download the latest jar from the release page. Then run:

java -jar logzio-msgraph.jar logzio-msgraph-config.yaml

Logs collected by this integration will have the type Microsoft-Graph.

Check for your logs

Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards.

If you still don't see your logs, see log shipping troubleshooting.