Sending Skytap Platform logs to Azure Monitor

John Bradshaw
Skytap Customer Success Team
Jan 6, 2020

Customers typically want to consolidate their logging into a single platform. Azure lets you do this in Azure Monitor (or an Azure Log Analytics Workspace) by using the Custom Logs option. However, you still need a way of getting the logs into Monitor, and we can do that using a combination of Skytap Audit Webhooks and an Azure Logic App.

Logic App Designer

To do this we need a three-step Logic App, as we need to receive the Skytap audit webhooks, grab the payload and then send it to an Azure Log Analytics Workspace.

Create a Custom Log in Azure Log Analytics Workspace

Add a discrete Custom Log to receive the logs from Skytap.

Create the Custom Log

Use the following Python script to create the custom log for Skytap.
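One way to create the custom log, as an added example rather than the author's script: post a first record to the Log Analytics HTTP Data Collector API, which creates the `<Log-Type>_CL` table on first write. The Workspace ID and key are the ones shown under Advanced in the Workspace; the log type name `SkytapAudit`, the sample record and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import re
import urllib.request
from email.utils import formatdate

RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"


def build_signature(workspace_id, shared_key, date, content_length):
    """Authorization header value: HMAC-SHA256 over the canonical string."""
    string_to_sign = (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{date}\n{RESOURCE}"
    )
    key = base64.b64decode(shared_key, validate=True)  # workspace key is base64
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, records, date=None):
    """Build (without sending) the POST that writes records to <log_type>_CL."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type):
        raise ValueError("Log-Type: letters, digits and underscore only, max 100")
    body = json.dumps(records).encode("utf-8")
    date = date or formatdate(usegmt=True)  # RFC 1123 date, must match the signed one
    headers = {
        "Content-Type": "application/json",
        "Log-Type": log_type,
        "x-ms-date": date,
        "Authorization": build_signature(workspace_id, shared_key, date, len(body)),
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send(request):
    """POST the request; HTTP 200 means the record was accepted."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.status


# Constructed placeholders: substitute your Workspace ID and key, then call send().
SAMPLE_WORKSPACE = "00000000-0000-0000-0000-000000000000"
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_RECORD = [{"source": "skytap-audit-webhook", "message": "seed record"}]
```

Read the workspace key from an environment variable or secret store rather than hard-coding it, since anyone holding it can write records into the workspace.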

Create a Logic App

Create a Logic App and use the HTTP Request trigger to receive data. You can seed it with appropriate variables and the expected payload by using the JSON example here.

Once done, you need to create an Action on Azure Log Analytics Data Collector using the Send Data action. As part of that, you’ll need to link this App to the Workspace. To do that, head over to the Log Analytics Workspace and select Advanced from the sidebar.

You need to note the Workspace ID and Primary or Secondary Key. Enter those in the connection information below, along with an arbitrary Connection Name.

Now, for each payload that you receive into the Logic App, you need to send it to the Custom Log, which you can find in your Log Analytics Workspace. Do that by sending the Current Item as the JSON Request Body, then find your Custom Log in the Workspace and enter its name in the Custom Log field.

Once that’s configured you’ll need to end your Logic App with a Terminate action set to Succeeded to close out the program.

Set up the Webhooks in Skytap

Once you’ve created the webhook and have the Endpoint URL, you need to capture the endpoint’s certificate so that Skytap can authenticate it and send the data. Run the following command from a terminal:

openssl s_client -showcerts -connect {webhookserver}:{port} </dev/null 2>/dev/null|openssl x509 -outform PEM

Now copy that certificate output to your Skytap settings here, along with the Endpoint URL.

Check for Logs

You should now start seeing logs appear in the Workspace.

Logic App Code

To speed up your deployment you can use the following Logic App code to deploy this solution.

Conclusion

After setting all of this up, your Skytap audit events should start to appear in the Azure Log Analytics workspace within a couple of minutes. With this data consolidated you can start to investigate trends, identify anomalies or stream it on to a separate SIEM tool.

You can see examples of logs generated in our field sandbox account (I’ve redacted the more sensitive elements).

Logs captured in the last 24hrs

You can also visualise this. In this example, I’ve separated out the types of events (Run Environment, Power Options, Login, etc.) and stacked them by user.

Visualisation of event types separated by user

Contact us here for more information or to get set up on your own Skytap cloud account

John Bradshaw
Skytap Customer Success Team

Director of Cloud Computing Technology and Strategy EMEA @akamai