Log Forwarder

'Log Forwarder' option allows you to forward Microsoft 365 audit logs to an external SIEM product or to a Syslog Server.

Forwarding Logs to Syslog Server:

Syslog is the event logging service in unix systems.You may also use this setting to forward to your SIEM's UDP or TCP receiver.

Syslog daemon runs by default in UDP port 514.
The default settings can be modified in its Syslog server's configurationfile/etc/syslog.conf.
Remember to restart Syslog daemon for the changes to take effect.

Navigate to Settings → Admin → Administration → Integration Settings in the left pane. Select Log Forwarder.
Select Enable Log Forwarding checkbox.
Select Syslog tab.
Enter the Syslog Server Name or IP. Ensure that this server is reachable from the server in which M365 Security Plus is installed.
Select the Protocol to be used.
Enter the Port number.
Select the Syslog Type as required by your SIEM parser, from the drop-down.

Login to your Splunk admin account.
Select Settings from the top right corner of the Home page.
Select Data Inputs under Data.
Select HTTP Event Collector under Local inputs.
Select New Token.
Enter a Name for the token. (Preferably M365 Security Plus).
Customize the rest of the fields if required.
Click Next.
Customize the Input Settings if required.
Click Review.
Check your settings and click Submit.
Copy and save the value in Token Value field. You will need it to configure M365 Security Plus.
Go to Settings → Data Inputs → HTTP Event Collector
Select Global Settings and enable All Tokens.
You can customize the HTTP Port Number and rest of the fields if required.
Click Save.

Login to M365 Security Plus.
Navigate to Settings → Admin → Administration → Integration Settings in the left pane. Select Log Forwarder.
Select Enable Log Forwarding checkbox.
Select Splunk tab.
Enter the Port number of Splunk HTTP Event Collector and Protocol to be used.
Enter the Token Value you had copied in step (12) of Splunk configuration in Authentication Token field.
Click Save.