USM Anywhere automatically creates log collection jobs for Azure Monitor and Security logs. It also creates jobs for IIS, SQL Server, and Windows if it detects storage locations for these log types. When you complete the Log Collection step for the Azure sensor, you can enable these default jobs. You can review these jobs and their history in the Scheduler, but you cannot modify the parameters of these default jobs.
Note: What an Azure log job collects depends on whether you granted contributor permissions to one of your resources or to your entire Azure subscription for the USM Anywhere application. Depending on the Azure Credentials configured for the deployed Azure sensor, the sensor could have access to individual resource groups or the whole subscription. For more details, see Creating an Application and Obtaining Azure Credentials.
To supplement the automatic Azure log collection in USM Anywhere and to set up log collection for Azure Web Apps, add new Azure log collection jobs.
To schedule a new job to collect and process Azure logs
- Go to Settings > Scheduler.
In the left navigation list, click Log Collection.
Note: You can use the Sensor filter at the top of the list to review the available log collection jobs on your
AWS sensor Google Cloud Platform (GCP) Sensor.
Click Create Log Collection Job.
Note: If you recently deployed a new USM Anywhere Sensor, it can take 10 to 20 minutes for USM Anywhere to discover the various log sources. After it discovers the logs, you must manually enable the
AWS GCPlog collection jobs you want before the system collects the log data.
Enter the name and description for the job.
The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.
- In the Select App option, select Azure.
In the App Action option, select the action for Azure log type that you want to schedule for collection.
To review details about the Azure log types that USM Anywhere can collect, see Azure Log Discovery and Collection in USM Anywhere.
Depending on the selected app action (log type), specify the Resource Group, Storage Account, and Container for the logs.
You can obtain this information by logging into the Azure console and reviewing the configuration for your diagnostic/storage resources.
Note: For Azure IIS Logs, Azure Web Apps Logs, and Azure Windows Logs, you must specify a BLOB container used for the log storage. For the Azure SQL Server log type, you must specify the table container used for the log storage.
USM Anywhere collects SQL Server logs stored as tables only. It does not collect SQL Server logs stored as Binary Large OBjects (BLOB)s.
Microsoft Azure has recently deprecated table storage and recommends that users select the BLOB storage option. However, you must use the Azure Tables storage option for your SQL Server logs to make them available for collection by the USM Anywhere Sensor.
In the Schedule section, specify when USM Anywhere runs the job:
- Select the increment as Hour, Day, Week, Month, or Year.
Set the interval options for the increment. The selected increment determines the available options.
For example, on a weekly increment you can select the days of the week to run the job.
Or, on a monthly increment you can specify a date or a day of the week that occurs within the month.
Set the Start time.
This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (default is UTC).
- Click Save.