
I'm looking to send specific logs from my syslog-ng cluster to Azure event hub so it can utilize ADX instead of Log Analytics workspace.

Per the documentation found on syslog-ng's website (here), the config looks pretty straightforward, but I can't seem to get it to work. Below is a sanitized version of my config right now.

destination d_AzureEventHub {
    http(
        url("https://XXXXX.servicebus.windows.net/YYYYY")
        #tls( ca-dir("/etc/syslog-ng/ca.d") )
        tls( ca-file("/etc/ssl/certs/ca-bundle.crt") )
        method("POST")
        headers(
            "Authorization: SharedAccessSignature sr=XXXXX.servicebus.windows.net%YYYYY%2f&sig=ZZZZZZZZZZZZZZZZZ=RootManageSharedAccessKey",
            "Content-Type: application/atom+xml;type=entry;charset=utf-8"
        )
    );
};

With this setup, I'm getting the following syslog-ng error.

syslog-ng[7253]: Server returned with a 4XX (client errors) status code, which means we are not authorized or the URL is not found.

Further in the log, it shows it as a 401 error.

I've tried removing the "SharedAccessSignature" portion and still the same error. Also, if I use the ca-dir I have listed, I get this error. Note that the directory has a .crt and .pem file of the DigiCert roots I downloaded.

error='Peer certificate cannot be authenticated with given CA certificates'

My confusion is around the Authorization portion. I've tried using the basic shared access policy key as well as creating a SAS token from the key. Neither seem to give me a successful connection.

I'm also not sure what format the authorization should truly be in. Any help would be appreciated.


1 Answer


It ended up being a combination of issues: the TLS file, the formatting of the SAS token, and an incorrect URL.

Using the basic /etc/ssl/certs/ca-bundle.crt file ended up being sufficient for a standalone system. For the SAS token formatting, this page was very helpful. It also has curl commands for testing it outside of syslog-ng, to make sure it's a token issue vs. a syslog-ng issue.

The biggest item though was the URL. Compared to the syslog-ng documentation, I had to use this to get things to work.

https://XXXXX.servicebus.windows.net/YYYYY/messages?timeout=60&api-version=2014-01
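The token format that the answer refers to is the one Azure documents for Service Bus / Event Hubs: the string to sign is the URL-encoded resource URI, a newline, and the expiry (Unix seconds), signed with HMAC-SHA256 under the policy's shared access key and base64-encoded; the header then carries sr (encoded resource URI), sig (URL-encoded signature), se (expiry) and skn (policy name). The script below is an added example, not code from the original question or answer: it generates such a token, verifies one the way a receiving side would (recomputing the HMAC, constant-time compare, expiry check), and renders the resulting syslog-ng destination with the /messages?timeout=60&api-version=2014-01 URL from the answer plus a curl command for testing outside syslog-ng. The namespace "example", hub "hub1" and the key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import shlex
import time
import urllib.parse


def generate_sas_token(resource_uri, key_name, key, expiry_epoch=None, ttl_seconds=3600):
    """Build an Azure SAS token: HMAC-SHA256(key, urlencode(uri) + "\n" + expiry).

    The shared access key from the portal is used as its UTF-8 text, not
    base64-decoded, which matches Azure's own sample code.
    """
    if expiry_epoch is None:
        expiry_epoch = int(time.time()) + ttl_seconds
    encoded_uri = urllib.parse.quote_plus(resource_uri)
    string_to_sign = f"{encoded_uri}\n{expiry_epoch}"
    digest = hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    signature = urllib.parse.quote(base64.b64encode(digest).decode("ascii"))  # '+', '/', '=' must be escaped
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry_epoch}&skn={key_name}"


def verify_sas_token(token, keys, now=None):
    """Receiver-side check: parse the four fields, recompute the signature from
    them, compare in constant time, and reject expired tokens or unknown policies.
    `keys` maps policy name (skn) to its shared access key."""
    if now is None:
        now = int(time.time())
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = dict(urllib.parse.parse_qsl(token[len(prefix):], keep_blank_values=True))
    try:
        sr, sig, se, skn = fields["sr"], fields["sig"], int(fields["se"]), fields["skn"]
    except (KeyError, ValueError):
        return False
    if skn not in keys or se <= now:
        return False
    string_to_sign = f"{urllib.parse.quote_plus(sr)}\n{se}"
    expected = hmac.new(keys[skn].encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(expected).decode("ascii"), sig)


def event_hub_send_url(namespace, hub):
    """The send endpoint the answer ended up needing (not the bare hub URL)."""
    return f"https://{namespace}.servicebus.windows.net/{hub}/messages?timeout=60&api-version=2014-01"


def syslog_ng_destination(namespace, hub, token, name="d_AzureEventHub"):
    """Render the syslog-ng http() destination with the corrected URL and token."""
    return (
        f"destination {name} {{\n"
        f"    http(\n"
        f"        url(\"{event_hub_send_url(namespace, hub)}\")\n"
        f"        tls( ca-file(\"/etc/ssl/certs/ca-bundle.crt\") )\n"
        f"        method(\"POST\")\n"
        f"        headers(\n"
        f"            \"Authorization: {token}\",\n"
        f"            \"Content-Type: application/atom+xml;type=entry;charset=utf-8\"\n"
        f"        )\n"
        f"    );\n"
        f"}};\n"
    )


def curl_send_command(namespace, hub, token, body="test event"):
    """A curl one-liner to send one event, printing only the HTTP status, so a
    401 can be attributed to the token rather than to syslog-ng."""
    args = [
        "curl", "-sS", "-o", "/dev/null", "-w", "%{http_code}\\n", "-X", "POST",
        "-H", f"Authorization: {token}",
        "-H", "Content-Type: application/atom+xml;type=entry;charset=utf-8",
        "--data", body, event_hub_send_url(namespace, hub),
    ]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed placeholders; substitute your own namespace, hub and policy key.
    key = "constructed-test-key"
    uri = "https://example.servicebus.windows.net/hub1"
    token = generate_sas_token(uri, "RootManageSharedAccessKey", key, ttl_seconds=7 * 24 * 3600)
    assert verify_sas_token(token, {"RootManageSharedAccessKey": key})
    print(syslog_ng_destination("example", "hub1", token))
    print(curl_send_command("example", "hub1", token))
```

The sr value is the resource you are sending to (namespace host plus hub path), URL-encoded exactly once, and the header is one line; the posted header had the policy name glued onto sig instead of in skn and no se at all. Because the token in a syslog-ng config is static, it stops working at se and the destination will start logging the same 401, so choose the expiry deliberately and rotate the config before it lapses.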
