Organizations that store and manage event data in an Azure Storage account can configure their Cato account to automatically and continuously upload events to it.
This integration continuously pushes events directly from the Cato Cloud to the storage account, unlike the eventsFeed API, which requires pulling data from Cato and can be affected by rate limiting.
The Cato Cloud uploads data to the storage account every 60 seconds, or whenever more than 10 MB of data is accumulated. Data is transferred securely over HTTPS.
Events are uploaded in a compressed .GZ format. Some clients (for example, certain browsers) may automatically decompress these files without removing the .GZ extension. If this occurs, changing the file extension to LOG or TXT will correctly align the file's format with its extension.
Sample company is using the IPS Suspicious Activity Monitoring feature which generates a lot of security events. They decide to create an Azure Storage account to store all the event data, which they can then integrate with their SIEM solution. Sample company enables Events Integration and adds the Azure Storage account as an integration to their Cato account so that all IPS events are automatically uploaded to the Azure Storage.
- Please review the prerequisites for all Cato event integrations in Getting Started with Event Integrations
Create a new storage account and container for the Cato event data, we recommend that you don't use an existing storage account for the Event Integration. You can use an Azure connection string from an access key or from a Shared access signature (SAS).
For customers that are using Azure access keys to authenticate the storage account to Cato, copy the connection string. You will paste the access keys connection string in the Cato Management Application when you configure the Azure integration.
To create a storage account that uses access keys:
- Create a new storage account with the appropriate settings.
-
In the Instance details, select Standard performance.
- Click Review and then click Create.
-
-
Create a new container for the event data (Data storage > Containers).
You will enter the container Name in the Cato Management Application when you create the integration for the events (below).
- In the left-hand navigation pane, go to the Security + networking section and select Access keys.
-
Copy the access keys connection string for the storage account.
- Continue with Adding Azure Account Storage for Events (below).
Azure SAS lets you restrict permissions for the storage container, such as allowed IP addresses, and an expiration date for the connection string.
The token for the SAS connection string includes an expiration date, which is shown on the Event Integration page. After the expiration date, the token is no longer valid, and Cato can't push events to the storage container. To maintain uninterrupted uploading of events, make sure to generate a new connection string and apply it to the integration before the SAS expiration date.
To configure a storage account in Azure to receive Cato event data:
- Create a new storage account with the appropriate settings.
-
In the Instance details, select Standard performance.
- Click Review and then click Create.
-
-
Create a new container for the event data (Data storage > Containers).
You will enter the container Name in the Cato Management Application when you create the integration for the events (below).
- In the left-hand navigation pane, go to the Security + networking section and select Shared access signature.
-
Configure the SAS with the following access permissions:
- Allowed services - Blob, File
- Allowed resource types - Container, Object
- Allowed permissions - Read, Write, List
- Click Generate SAS and connection string.
-
Copy the Connection string for the storage account. You will paste this string when you create the integration for the events (below).
Create a new integration for the Azure Storage account in the Events Integration tab, and paste the connection string into the integration. This string gives Cato permission to upload event data to the storage account. You can’t edit the string after creating the integration; instead you can Reset the field, and then paste the connection string.
After you define and enable the Azure Storage integration, it takes a few minutes for Cato to start uploading events to the storage account.
You can filter the events that are uploaded to the storage account by event type or subtype. For example, you can upload only IPS events for your account. By default, no filter is applied, and all events are uploaded to the storage account.
To add an Azure Storage integration to upload events for your account:
- From the navigation menu, select Resources > Event Integrations.
- Select Enable integration with Cato events.
- Click New. The New Integration panel opens.
- In Integration, select Azure Storage Account and enter the Name for the integration.
-
Enter these Connection Details for the integration based on the settings in Azure:
- Connection String - Paste the connection string that you copied from the storage account
- Name - Identical name of the container in the storage account
- (Optional) Folder - Identical name for the folder path within the container (if necessary)
-
(Optional) Define the filter settings for events that are uploaded to the storage account.
When you define multiple filters, there is an AND relationship, and the events that match all filters are uploaded.
-
Click Apply. The Azure Storage account is now integrated with your account.
Note: You can define up to a total of three Event Integrations for your account.
2 comments
what's the point of making non-real gzip format?
all logs are coming to azure blob with gz extension, but it's not a real archive, and for example in azure data explorer you will get
Partial query failure: Unspecified error (message: 'invalid gzip header: ', details: 'StgError { kind: Io(Custom { kind: InvalidInput, error: "invalid gzip header" }), source: None }')
or error in logstash - “not in gzip format”.
now we need somehow rename all logs files extension from .log.gz → .log
CMA screen shot should be updated to reflect current layout for Event Integrations
Please sign in to leave a comment.