PhoneGet Quote
US Sales: +1 888 720 9500
US Support: +1 844 245 1108
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9890


Configure Log Forwarder in O365 Manager Plus

O365 Manager Plus' Log Forwarder' option allows you to forward Office 365 audit logs to an external SIEM product or to a Syslog server.

Forwarding logs to Syslog Server:

Syslog is the event logging service in unix systems.You may also use this setting to forward logs to your SIEM's UDP or TCP receiver.

Configuring a Syslog Server:

  • Syslog daemon runs in UDP port 514 by default.
  • The default settings can be modified in the Syslog server's path configurationfile/etc/syslog.conf.
  • Remember to restart Syslog daemon for the changes to take effect.

Steps to enable Syslog logging in O365 Manager Plus:

  • Go to Admin tab.
  • Select General Settings → Log Forwarder in the left pane.
  • Select the Enable Log Forwarding checkbox.
  • Click the Syslog tab.
  • Enter the Syslog Server Name or IP. Ensure that this server is reachable from the server in which O365 Manager Plus is installed.
  • Select the Protocol to be used.
  • Enter the Port number.
  • Select the Syslog Type as required by your SIEM parser from the drop-down.

Forwarding Office 365 logs to an external SIEM product: Splunk HTTP

Steps to configure Splunk HTTP event collector:

  • Login to your Splunk admin account.
  • Select Settings from the top right corner of the Home page.
  • Select Data Inputs under Data.
  • Select HTTP Event Collector under Local inputs.
  • Select New Token.
  • Enter a Name for the token. (Preferably O365 Manager Plus).
  • Customize the rest of the fields if required.
  • Click Next.
  • Customize the Input Settings if required.
  • Click Review.
  • Check your settings and click Submit.
  • Copy and save the value in Token Value field. You will need it to configure O365 Manager Plus.
  • Go to Settings → Data Inputs → HTTP Event Collector
  • Select Global Settings and enable All Tokens.
  • You can customize the HTTP Port Number and rest of the fields if required.
  • Click Save.

Steps to configure O365 Manager Plus:

  • Login to O365 Manager Plus.
  • Go to Admin tab.
  • Select General Settings → Log Forwarder in the left pane.
  • Select the Enable Log Forwarding checkbox.
  • Click the Splunk tab.
  • Enter the Port number of Splunk HTTP Event Collector and Protocol to be used.
  • Enter the Token Value you had copied in step 12 of Splunk configuration in the Authentication Token field.
  • Click Save.


Request Support

Need further assistance? Fill this form, and we'll contact you rightaway.

A holistic Office 365 administration solution