Forum Discussion

Margi
Copper Contributor
Feb 28, 2025

Issue with log collection from Microsoft XDR to Azure storage

Hello,

We are currently facing an issue with collecting logs from Microsoft XDR and forwarding them to Azure Storage. We are aware of the two methods below for forwarding logs from Microsoft XDR to Azure:

Forward events to Azure Storage

Forward events to Azure Event Hub

Issue Details:

Method 1: When using the "Forward events to Azure Storage" approach, we end up with different containers being created for each event, but we would prefer to have all the events stored in a single container.

Method 2: When using the "Forward events to Azure Event Hub" approach, we are able to store all the events in a single container, but in this case, the logs are stored in Avro format instead of JSON, which is not our desired format.

Our goal is to store all event logs in one single container in JSON format.

Has anyone faced this issue or found a way to achieve this setup? Any guidance or solution would be greatly appreciated.

Thank you!

  • micheleariis
    Steel Contributor

    Hi, using Forward events to Azure Storage creates multiple containers, while Forward events to Azure Event Hub results in a single container but stores the logs in Avro format. One potential solution is to implement an Azure Function that converts the logs from Avro to JSON in real time, ensuring a single container with the desired format.

    Have you considered this approach?
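
An added example of the conversion the reply describes (this is not code from the thread or from Microsoft): a small, dependency-free reader for the Avro files that Event Hubs Capture writes, and the JSON Lines text an Azure Function would write to the single output container. It assumes the Capture file layout (an Avro object container whose header carries `avro.schema` and `avro.codec`, and whose records have the fields `SequenceNumber`, `Offset`, `EnqueuedTimeUtc`, `SystemProperties`, `Properties` and `Body`), that the blocks are uncompressed, and that each message body follows the streaming API's shape with a `records` array. The sample file is constructed inline; the Function's own trigger and output bindings (a Blob trigger on the capture container, an output blob in the JSON container) are left out.

```python
import io
import json
import struct

# Added example, not the page's or Microsoft's code: reads Event Hubs Capture Avro files in pure
# Python and flattens each message body into JSON Lines. The field order below is the Capture schema.
MAGIC = b"Obj\x01"
CAPTURE_SCHEMA = ('{"type":"record","name":"EventData","fields":[{"name":"SequenceNumber","type":"long"},'
                  '{"name":"Offset","type":"string"},{"name":"EnqueuedTimeUtc","type":"string"},'
                  '{"name":"SystemProperties","type":{"type":"map","values":["long","double","string","bytes"]}},'
                  '{"name":"Properties","type":{"type":"map","values":["long","double","string","bytes"]}},'
                  '{"name":"Body","type":["null","bytes"]}]}')

def _read_long(buf):
    """Avro long: zigzag integer in LEB128 varint form."""
    n, shift = 0, 0
    while True:
        b = buf.read(1)[0]
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return (n >> 1) ^ -(n & 1)
        shift += 7

def _read_bytes(buf): return buf.read(_read_long(buf))  # bytes and string share this encoding

def _read_union_value(buf):
    branch = _read_long(buf)  # map values are union[long, double, string, bytes]
    if branch == 0:
        return _read_long(buf)
    if branch == 1:
        return struct.unpack("<d", buf.read(8))[0]
    raw = _read_bytes(buf)
    return raw.decode() if branch == 2 else raw

def _read_map(buf, read_value):
    out = {}
    while (count := _read_long(buf)) != 0:
        if count < 0:  # negative count: a block byte size follows, which we do not need
            count, _ = -count, _read_long(buf)
        out.update((_read_bytes(buf).decode(), read_value(buf)) for _ in range(count))
    return out

def decode_capture_blob(blob):
    """One dict per event in an uncompressed Capture file, with Body parsed as JSON."""
    buf = io.BytesIO(blob)
    if buf.read(4) != MAGIC:
        raise ValueError("not an Avro object container file")
    if _read_map(buf, _read_bytes).get("avro.codec", b"null") != b"null":
        raise ValueError("compressed blocks are out of scope for this example")
    sync, events = buf.read(16), []
    while buf.tell() < len(blob):
        count, _block_bytes = _read_long(buf), _read_long(buf)
        for _ in range(count):
            rec = {"SequenceNumber": _read_long(buf), "Offset": _read_bytes(buf).decode(),
                   "EnqueuedTimeUtc": _read_bytes(buf).decode(), "SystemProperties": _read_map(buf, _read_union_value),
                   "Properties": _read_map(buf, _read_union_value)}
            body = _read_bytes(buf) if _read_long(buf) == 1 else None  # Body is union[null, bytes]
            rec["Body"] = json.loads(body) if body else None
            events.append(rec)
        if buf.read(16) != sync:
            raise ValueError("sync marker mismatch: truncated or corrupt block")
    return events

def capture_blob_to_jsonl(blob):
    """JSON Lines text for the single output container: one line per XDR record."""
    bodies = [ev["Body"] for ev in decode_capture_blob(blob) if ev["Body"]]
    records = [r for body in bodies for r in body.get("records", [body])]  # streaming API wraps events in "records"
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)

def _enc_long(n):
    n = (n << 1) ^ (n >> 63)  # zigzag, then LEB128
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def _enc_str(s):
    b = s.encode()
    return _enc_long(len(b)) + b

def build_sample_capture_blob(bodies):
    """Constructed input: an uncompressed Capture file holding the given message bodies."""
    sync = b"\x7f" * 16  # real files carry a random 16-byte marker
    header = (MAGIC + _enc_long(2) + _enc_str("avro.schema") + _enc_str(CAPTURE_SCHEMA)
              + _enc_str("avro.codec") + _enc_str("null") + _enc_long(0) + sync)
    recs = b""
    for i, body in enumerate(bodies):
        recs += _enc_long(i) + _enc_str(str(i * 64)) + _enc_str("2/28/2025 9:00:00 AM")
        recs += _enc_long(1) + _enc_str("x-opt-partition-key") + _enc_long(2) + _enc_str("0") + _enc_long(0)
        recs += _enc_long(0) + _enc_long(1) + _enc_str(json.dumps(body))  # empty Properties, then Body
    return header + _enc_long(len(bodies)) + _enc_long(len(recs)) + recs + sync

SAMPLE_BLOB = build_sample_capture_blob([  # constructed bodies shaped like streaming API messages
    {"records": [{"time": "2025-02-28T09:00:01Z", "category": "AdvancedHunting-DeviceEvents",
                  "properties": {"ActionType": "ProcessCreated"}},
                 {"time": "2025-02-28T09:00:02Z", "category": "AdvancedHunting-AlertEvidence",
                  "properties": {"Severity": "High"}}]},
    {"records": [{"time": "2025-02-28T09:00:03Z", "category": "AdvancedHunting-DeviceNetworkEvents",
                  "properties": {"RemotePort": 443}}]},
])
```

Calling `capture_blob_to_jsonl(SAMPLE_BLOB)` yields three JSON lines, one per record, because the two-record body is flattened. In the Function, each capture blob maps to one appended JSON Lines blob (or a file under a date prefix) in the target container; checking the sync marker on every block is what lets the Function reject a blob that was read while Capture was still writing it, rather than emitting half an event. Needs Python 3.8 or later for the `:=` operator.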
