Integration Settings

The 'Log Forwarder' option lets you forward Microsoft 365 audit logs to an external SIEM product or to a Syslog server.

Forwarding Logs to Syslog Server:

Syslog is the standard event logging service on Unix-like systems. You can also use this setting to forward logs to your SIEM's UDP or TCP receiver.

Configuring a Syslog Server:

  • The Syslog daemon listens on UDP port 514 by default.
  • The default settings can be changed in the Syslog server's configuration file, /etc/syslog.conf.
  • Remember to restart the Syslog daemon for the changes to take effect.

Steps to enable Syslog logging in Microsoft 365 Manager Plus:

  • Go to the Settings tab.
  • Select Admin → Administration → Log Forwarder in the left pane.
  • Select the Enable Log Forwarding checkbox.
  • Select the Syslog tab.
  • Enter the Syslog server name or IP address. Ensure that this server is reachable from the server on which M365 Manager Plus is installed.
  • Select the Protocol to be used.
  • Enter the Port number.
  • Select the Syslog Type required by your SIEM parser from the drop-down.
  • If the Syslog Type you have chosen is RFC 3164, RFC 5424 or CEF, you can also configure the following Advanced settings:
    • Choose the Severity and Facility.
    • Modify the data format to which the log will be converted.
  • Click on the Save button.
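To check that the Syslog Type, Facility and Severity you chose above are what your receiver actually sees, the following added example (not product code) decodes a captured message in any of the three formats and recovers facility and severity from the PRI field. The sample message is constructed for illustration and does not reproduce M365 Manager Plus's real output; the vendor and product names in it are placeholders.

```python
"""Decode the syslog formats the Log Forwarder's 'Syslog Type' setting can emit
(RFC 3164, RFC 5424, CEF) and recover Facility/Severity from the PRI field, so a
message captured at the receiver can be checked against what the SIEM parser expects.
Added example, not product code; the sample below is constructed."""
import re

# Numeric severity codes 0..7 as named in RFC 5424 section 6.2.1.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[.*?\])+) ?(.*)$", re.S)
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# CEF may arrive bare or behind a syslog header; its first 7 '|'-separated fields are the header.
CEF = re.compile(r"^(?:<(\d{1,3})>)?(?:.*?\s)?CEF:(\d+)\|(.*)$", re.S)

def decode_pri(pri):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1); values above 191 are invalid."""
    if not 0 <= pri <= 191:
        raise ValueError(f"invalid PRI {pri}")
    return pri // 8, SEVERITIES[pri % 8]

def parse_syslog(line):
    """Return the detected format plus facility, severity and the parsed fields."""
    line = line.rstrip("\r\n")
    if m := CEF.match(line):
        pri, version, rest = m.groups()
        fields = re.split(r"(?<!\\)\|", rest, maxsplit=6)  # split on unescaped pipes only
        if len(fields) != 7:
            raise ValueError("malformed CEF header")
        out = dict(zip(["vendor", "product", "device_version", "signature_id", "name",
                        "cef_severity", "extension"], fields), format="CEF", cef_version=int(version))
        if pri is not None:  # facility/severity only exist when a syslog header wraps the CEF
            out["facility"], out["severity"] = decode_pri(int(pri))
        return out
    if m := RFC5424.match(line):
        pri, ts, host, app, procid, msgid, sd, msg = m.groups()
        out = {"format": "RFC 5424", "timestamp": ts, "host": host, "app": app,
               "structured_data": sd, "message": msg}
    elif m := RFC3164.match(line):
        pri, ts, host, msg = m.groups()
        out = {"format": "RFC 3164", "timestamp": ts, "host": host, "message": msg}
    else:
        raise ValueError("unrecognised line: does the Syslog Type match the receiver's parser?")
    out["facility"], out["severity"] = decode_pri(int(pri))
    return out

# Constructed sample: PRI 134 = facility 16 (local0) * 8 + severity 6 (info), wrapping CEF.
SAMPLE = "<134>1 2024-05-01T10:15:00Z m365mp LogForwarder - - - CEF:0|ExampleVendor|ExampleProduct|1.0|100|UserLoggedIn|3|suser=alice@example.com"
```

Capture one forwarded line with tcpdump or your receiver's raw log, pass it to parse_syslog, and compare the returned facility and severity with the values chosen under Advanced settings.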

Forwarding Microsoft 365 logs to an external SIEM product: Splunk HTTP

Steps to configure the Splunk HTTP Event Collector:

  • Log in to your Splunk admin account.
  • Select Settings from the top right corner of the Home page.
  • Select Data Inputs under Data.
  • Select HTTP Event Collector under Local inputs.
  • Select New Token.
  • Enter a Name for the token (preferably M365 Manager Plus).
  • Customize the rest of the fields if required.
  • Click Next.
  • Customize the Input Settings if required.
  • Click Review.
  • Check your settings and click Submit.
  • Copy and save the value in the Token Value field. You will need it to configure M365 Manager Plus.
  • Go to Settings → Data Inputs → HTTP Event Collector.
  • Select Global Settings and enable All Tokens.
  • Customize the HTTP Port Number and the rest of the fields if required.
  • Click Save.

Steps to configure M365 Manager Plus:

  • Log in to M365 Manager Plus.
  • Go to the Settings tab.
  • Select Admin → Administration → Log Forwarder in the left pane.
  • Select the Enable Log Forwarding checkbox.
  • Select the Splunk tab.
  • Enter the Server Name or IP address.
  • Enter the Port number of the Splunk HTTP Event Collector and the Protocol to be used.
  • In the Authentication Token field, enter the Token Value you copied in step 12 of the Splunk configuration above.
  • Click Save.