Log Forwarder

'Log Forwarder' option allows you to forward Office 365 audit logs to an external SIEM product or to a Syslog Server.

Forwarding Logs to Syslog Server:

Syslog is the event logging service in unix systems.You may also use this setting to forward to your SIEM's UDP or TCP receiver.

Syslog daemon runs by default in UDP port 514.
The default settings can be modified in its Syslog server's configurationfile/etc/syslog.conf.
Remember to restart Syslog daemon for the changes to take effect.

Go to the Settings tab.
Select Admin → Administration → Log Forwarder in the left pane.
Select Enable Log Forwarding checkbox.
Select Syslog tab.
Enter the Syslog Server Name or IP. Ensure that this server is reachable from the server in which O365 Manager Plus is installed.
Select the Protocol to be used.
Enter the Port number.
Select the Syslog Type as required by your SIEM parser, from the drop-down.

Login to your Splunk admin account.
Select Settings from the top right corner of the Home page.
Select Data Inputs under Data.
Select HTTP Event Collector under Local inputs.
Select New Token.
Enter a Name for the token. (Preferably O365 Manager Plus).
Customize the rest of the fields if required.
Click Next.
Customize the Input Settings if required.
Click Review.
Check your settings and click Submit.
Copy and save the value in Token Value field. You will need it to configure O365 Manager Plus.
Go to Settings → Data Inputs → HTTP Event Collector
Select Global Settings and enable All Tokens.
You can customize the HTTP Port Number and rest of the fields if required.
Click Save.

Login to O365 Manager Plus.
Go to theSettings tab.
Select Admin → Administration → Log Forwarder in the left pane.
Select Enable Log Forwarding checkbox.
Select Splunk tab.
Enter the Port number of Splunk HTTP Event Collector and Protocol to be used.
Enter the Token Value you had copied in step (12) of Splunk configuration in Authentication Token field.
Click Save.