Blog Post

Microsoft Sentinel Blog
4 MIN READ

Integrating Fluent Bit with Microsoft Sentinel

JoaoFRibeiro's avatar
JoaoFRibeiro
Icon for Microsoft rankMicrosoft
Feb 14, 2025

If you’re using Fluent bit within your organization already for log processing, then integrating with Microsoft Sentinel is also a possibility as Fluent Bit has the output plugin for Azure Logs Ingestion API taking leverage from the Log Ingestion API which supports not only ingestion for custom tables but also for built-in tables.

This guide will walk you through the steps required to integrate Fluent Bit with Microsoft Sentinel. Beware that in this article, we assume you already have a Sentinel workspace, a Data Collection Endpoint and a Data Collection Rule, an Entra ID application and finally a Fluent Bit installation. 

As mentioned above, log ingestion API supports ingestion both in custom tables as built-in tables, like CommonSecurityLog, Syslog, WindowsEvent and more.  In case you need to check which tables are supported please the following article: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview#supported-tables

Prerequisites: 

Before beginning the integration process, ensure you have the following:

High level architecture:

 

Step 1: Setting up Fluent Big configuration file

Before we step-in into the configuration, Fluent Bit has innumerous output plugins and one of those is through Log Analytics Ingestion API both to supported Sentinel tables but also for custom tables.

You can check more information about it here in Fluent Bit documentation: https://docs.fluentbit.io/manual/pipeline/outputs/azure_logs_ingestion

Moving forwarder, in order to configure Fluent Bit to send logs into Sentinel log analytics workspace, please take note of the specific input plugin you are using or intend to use to receive logs and how can you use it to output the logs to Sentinel workspace.

For example most of the Fluent Bit plugins allow to set a “tag” key which can be used within the output plugin so that there’s a match in which logs are intended to send. On the other hand, in a scenario where multiple input plugins are used and all are required send logs to Sentinel, then a match of type wildcard "*" could be used as well.  

Another example, in a scenario where there are multiple input plugins of type “HTTP” and you want to just send a specific one into Sentinel, then the “match” field must be set according to the position of the required input plugin, for example “match http.2”, if the input plugin would the 3rd in the list of HTTP inputs. If nothing is specified in the "match" field, then it will assume "http.0" by default. 

For better understanding, here’s an example of how a Fluent Bit config file could look: 

First, the configuration file is located under the path /etc/fluent-bit/fluent-bit.conf

The first part is the definition of all “input plugins”, then follows the “filter plugins” which you can use for example to rename fields from the source to match for what exists within the data collection rule schema and Sentinel table columns and finally there’s the output plugins.

Below is a screenshot of a sample config file:

INPUT plugins section: In this example we’re going to use the “dummy input” to send sample messages to Sentinel. However, in your scenario you could leverage other’s input plugins within the same config file.

After everything is configured in the input section, make sure to complete the “FILTER” section if needed, and then move forward to the output plugin section, screenshot below.

OUTPUT plugins section: In this section, we have output plugins to write on a local file based on two tags “dummy.log” and “logger”, an output plugin that prints the outputs in json format and the output plugin responsible for sending data to Microsoft Sentinel.

As you can see, this one is matching the “tag” for “dummy.log” where we’ve setup the message “{“Message”:”this is a sample message for testing fluent bit integration to Sentinel”, “Activity”:”fluent bit dummy input plugn”, “DeviceVendor”:”Ubuntu”}.  

Make sure you insert the correct parameters in the output plugin, in this scenario the "azure_logs_ingestion" plugin. 

Step 2: Fire Up Fluent Bit

When the file is ready to be tested please execute the following:

  • sudo /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf

Fluent bit will start initialization all the plugins it has under the config file.

Then you’re access token should be retrieved if everything is well setup under the output plugin (app registration details, data collection endpoint URL, data collection rule id, sentinel table and important to make sure the name of the output plugin is actually “azure_logs_ingestion”).

In a couple of minutes you should see this data under your Microsoft Sentinel table, either an existing table or a custom table created for the specific log source purpose.

Summary

Integrating Fluent Bit with Microsoft Sentinel provides a powerful solution for log collection and analysis. By following this guide, hope you can set up a seamless integration that enhances your organization's ability to monitor and respond to security threats, just carefully ensure that all fields processed in Fluent Bit are mapped exactly to the fields in Data Collection Rule and Sentinel table within Log Analytics Workspace.

Special thanks to “Bindiya Priyadarshini” that collaborated with me on this blog post.

Cheers!

Updated Feb 12, 2025
Version 1.0
cloud native siem
data collection
deployment and configuration
microsoft sentinel
security operations
siem
  • handong's avatar
    handong
    Copper Contributor
    Feb 27, 2025

    I use fluent-bit to intergrate log to sentinel as same as this blog.

    But when I want to intergrate log for other Azure Cloud such as "AzureGermanCloud"(not global), how can I do that