Test Log Forwarder Installation

Follow these steps to validate the Log Forwarder installation. A successful installation aggregates logs, connects to ESA, and sends audit log events.

Testing in this section validates the connectivity between Log Forwarder and ESA. The sample policy included with the initial installation and the test event below are not based on your ESA policy. Logs forwarded to ESA that are not signed with a policy generated by your ESA are not added to the audit store, so the test event itself is not expected to appear there.

Install and configure Log Forwarder as described in the previous sections. The Log Forwarder configuration setting MinLogLevel must be at least info level.

  1. In the following command, replace ‘forwarder-function-name’ with your function name

  2. In the following command, replace ‘forwarder-function-key’ with your function key

  3. Run the command in PowerShell:

    
    $forwarderFunctionName='forwarder-function-name'
    $forwarderFunctionKey='forwarder-function-key'
    
    Invoke-WebRequest -UseBasicParsing -Uri "https://$forwarderFunctionName.azurewebsites.net/admin/functions/auditlogforwarder" `
    -Method POST `
    -Headers @{
      "x-functions-key" = $forwarderFunctionKey
    } `
    -ContentType "application/json" `
    -Body "{`"input`":`"{\`"additional_info\`":{\`"description\`":\`"Data unprotect operation was successful.\`",\`"request_id\`":\`"f0ffbbf8-ab5b-42b7-90f4-51db7443af77\`"},\`"cnt\`": 1,\`"correlationid\`": \`"clfwrqgme0021nj329mijk52w\`",\`"logtype\`": \`"Protection\`",\`"level\`": \`"SUCCESS\`",\`"origin\`": {  \`"hostname\`": \`"169.254.197.189\`",  \`"ip\`": \`"169.254.197.189\`", \`"time_utc\`": 1722941687},\`"protection\`": {\`"dataelement\`": \`"alpha\`", \`"operation\`": \`"Unprotect\`",\`"audit_code\`": 8,\`"policy_user\`": \`"test_user\`",\`"datastore\`": \`"SAMPLE_POLICY\`"},\`"process\`": {  \`"name\`": \`"N/A\`",  \`"id\`": \`"15\`",\`"thread_id\`": \`"2243954624\`",\`"user\`": \`"sbx_user1051\`", \`"platform\`": \`"Linux_x32\`"},\`"client\`": {\`"username\`":\`"sbx_user1051\`",\`"ip\`":\`"169.254.197.189\`"},\`"protector\`": {\`"family\`": \`"IAP Lambda\`",\`"version\`": \`"3.1.0\`",\`"vendor\`": \`"Cloud Protect\`",\`"pcc_version\`": \`"3.5.0.1\`", \`"core_version\`": \`"2.0.1\`"},\`"signature\`": { \`"key_id\`":\`"5f143892-bbe4-4794-b1f4-ed28ca2a077e\`", \`"checksum\`": \`"90BC9BF39354869BD4BC5381820D201797DF4AF53B5A7F5F3AE01EC607C41A6E\`"}}`"}"
    

  4. Run the following query to see your function logs. Allow a few minutes for Azure to deliver the logs:

    
    traces
    | project timestamp, message
    | where timestamp > ago(5m)
    
  5. The test is successful if the logs contain the following entry:

    opensearch.0: All logs successfully send to destination
    

    If the log entry is not present, please consult the Troubleshooting section for common errors and solutions.
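
Steps 4 and 5 can be scripted. The following PowerShell is an added example, not part of the product documentation: it polls Application Insights until the success entry appears or a timeout passes. It assumes the Azure CLI with the application-insights extension and an active az login session; the resource names are placeholders, and the query window is widened from 5 to 15 minutes to cover the polling period.

```powershell
# Added example, not from the product documentation.
# Assumptions: Azure CLI with the application-insights extension, an active
# 'az login' session, and the two placeholder resource names below.
$appInsightsName = 'forwarder-app-insights'    # placeholder: your Application Insights resource
$resourceGroup   = 'forwarder-resource-group'  # placeholder: its resource group
$expected        = 'All logs successfully send to destination'
$timeoutMinutes  = 10
$pollSeconds     = 30

# Step 4 query, narrowed to the entry from step 5. Kept on one line with a
# single-quoted KQL string so it reaches az as a single argument.
$query = "traces | where timestamp > ago(15m) | where message contains '$expected' " +
         "| project timestamp, message | order by timestamp desc"

$deadline = (Get-Date).AddMinutes($timeoutMinutes)
$rows = @()
while ($rows.Count -eq 0 -and (Get-Date) -lt $deadline) {
    $raw = az monitor app-insights query --app $appInsightsName `
        --resource-group $resourceGroup --analytics-query $query --output json
    if ($LASTEXITCODE -ne 0) {
        throw "az monitor app-insights query failed with exit code $LASTEXITCODE"
    }

    # Each returned row is [timestamp, message]; no rows means no match yet.
    $rows = @(($raw | Out-String | ConvertFrom-Json).tables[0].rows)
    if ($rows.Count -eq 0) {
        # Azure can take a few minutes to deliver the logs, so wait and retry.
        Start-Sleep -Seconds $pollSeconds
    }
}

if ($rows.Count -gt 0) {
    Write-Output "Test passed: '$expected' logged at $($rows[0][0])"
} else {
    Write-Error "No success entry after $timeoutMinutes minutes; see the Troubleshooting section."
}
```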


Last modified : January 12, 2026