Getting Azure logs into your SIEM

When you run resources in Microsoft Azure, these resources, together with Azure Resource Manager, create log files for different events. A resource could be a virtual machine, a SQL database or a storage account, for example. Resources are provided by the resource manager, which also creates events based on actions taken on them. An event could be a write, delete or update, for example.

The Azure Resource Manager

A short explanation of the resource provider can be found at https://azure.microsoft.com/en-us/documentation/articles/resource-group-overview/ and if you’re running workloads in classic mode you can find an explanation of the differences at https://azure.microsoft.com/en-us/documentation/articles/resource-manager-deployment-model/.

Enabling logging to storage account

To get the log files into your SIEM system you'll need to enable logging to either a storage account or an event hub. A storage account is easier to manage and lets you use the Azure Log Integrator. If you look at your resources (in the pictures I have a virtual machine and a web app), you can enable logging to a storage account for each of them.

log-mgmt-01: Enabling diagnostics logging from a virtual machine to a storage account. Note the various levels of logging you can select.
log-mgmt-02: Logging to a storage account from a web app.

Your workloads will start saving their log files to your storage account as soon as you've saved the settings.

Getting the logs from Azure to your SIEM

That was the easy part. Getting the logs from Azure storage into your SIEM requires some wizardry. Thank god for the Azure Log Integrator then, to the rescue!

Tom Shinder did a great job writing a getting-started guide over at https://azure.microsoft.com/en-us/documentation/articles/security-azure-log-integration-get-started/. If you don't like that one, there is another one: https://blogs.msdn.microsoft.com/azuresecurity/2016/07/21/microsoft-azure-log-integration-preview/.

Once you've configured your integration VM you'll need to configure your SIEM. A guide for various systems is available at https://blogs.msdn.microsoft.com/azuresecurity/2016/08/23/azure-log-siem-configuration-steps/.


Running WordPress in an Azure Web App with MySQL

In August Microsoft launched the preview of MySQL in-app for Azure web apps. This means that you can enable MySQL in your web app and get immediate access to a MySQL database from within your application. Running WordPress, Joomla or any other PHP/MySQL-based CMS has never been easier. Please note that this is currently not meant for production workloads, because the database runs as a single instance. Read the article for more information at https://azure.microsoft.com/sv-se/blog/mysql-in-app-preview-app-service/.

So how do you get it up and running?

Create a new web app.


Name your web app and, if you don't have one, create an App Service Plan.


Once deployment is finished we need to edit some settings.

Switch to PHP 5.7, and turn off ARR. Click Save.


The magic of turning on MySQL is up next. Click "On" and, if you're just testing, don't touch the logging settings. Click "Save".


Now you'll need to head over to WordPress.org and download the package. Save it on your computer and unzip the files. You'll also need an FTP client; assuming you're running Windows, you can grab FileZilla for free.

Edit your deployment credentials if you don't know them.


Check the portal for your FTP hostname and enter the corresponding values in your FTP client.


When the upload is done you can use the brand new editor to change wp-config-sample.php.


You need to delete some code and paste in the following code:

$connectstr_dbhost = '';
$connectstr_dbname = '';
$connectstr_dbusername = '';
$connectstr_dbpassword = '';

// App Service exposes the in-app MySQL connection string as the environment
// variable MYSQLCONNSTR_localdb, so look for it in $_SERVER.
foreach ($_SERVER as $key => $value) {
    if (strpos($key, "MYSQLCONNSTR_localdb") !== 0) {
        continue;
    }
    // Pull each field out of the "Key=value;Key=value" string.
    $connectstr_dbhost = preg_replace("/^.*Data Source=(.+?);.*$/", "\\1", $value);
    $connectstr_dbname = preg_replace("/^.*Database=(.+?);.*$/", "\\1", $value);
    $connectstr_dbusername = preg_replace("/^.*User Id=(.+?);.*$/", "\\1", $value);
    $connectstr_dbpassword = preg_replace("/^.*Password=(.+?)$/", "\\1", $value);
}

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', $connectstr_dbname);

/** MySQL database username */
define('DB_USER', $connectstr_dbusername);

/** MySQL database password */
define('DB_PASSWORD', $connectstr_dbpassword);

/** MySQL hostname: this contains the port number in the format host:port. The port is not 3306 when using this feature. */
define('DB_HOST', $connectstr_dbhost);
Remove the existing database settings, then paste in the code above and save.

Rename the file wp-config-sample.php to wp-config.php. This can be done in your FTP client.

Once done you can click your URL in the portal. If you've done everything right so far you'll see the WordPress installation guide.

Select your language, then enter a username and password.

Once it's done you can visit your site and you're all done. Now you can apply a custom theme and fill your site with content.

Does it work? Well, this site runs in the exact same manner as the guide. So far, so good 🙂
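A stricter version of the connection-string parsing used in the wp-config.php snippet above, added here as an example (it is neither the post's own code nor Microsoft's): the snippet's preg_replace calls return the whole connection string unchanged when a key is missing, so this version checks that every field is present and that the host carries a port, and throws instead of silently configuring WordPress with garbage. The sample value is constructed; its port and password are made up.

```php
<?php
// Added example, not from the original post: a stricter parser for the
// MYSQLCONNSTR_localdb value that App Service sets for MySQL in-app.

/** Return the in-app connection string from a $_SERVER-like array, or null. */
function inapp_connstr_from_env(array $server): ?string
{
    foreach ($server as $key => $value) {
        if (strpos($key, 'MYSQLCONNSTR_localdb') === 0) {
            return $value;
        }
    }
    return null;
}

/**
 * Parse "Database=...;Data Source=host:port;User Id=...;Password=..." into
 * ['host' => ..., 'name' => ..., 'user' => ..., 'pass' => ...].
 * Keys may appear in any order; the password may itself contain ';'.
 */
function parse_inapp_connstr(string $connstr): array
{
    $fields = ['Data Source' => 'host', 'Database' => 'name',
               'User Id' => 'user', 'Password' => 'pass'];
    $keyAlt = '(?:Data Source|Database|User Id|Password)';
    $out = [];
    foreach ($fields as $key => $field) {
        // A value runs until the next ";Key=" or the end of the string.
        $pattern = '/(?:^|;)' . preg_quote($key, '/') . '=(.*?)(?=;' . $keyAlt . '=|$)/';
        if (!preg_match($pattern, $connstr, $m) || $m[1] === '') {
            throw new RuntimeException("connection string is missing '$key'");
        }
        $out[$field] = $m[1];
    }
    // In-app MySQL does not listen on 3306, so the host must carry a port.
    if (!preg_match('/^[^:]+:\d+$/', $out['host'])) {
        throw new RuntimeException("Data Source must be host:port, got '{$out['host']}'");
    }
    return $out;
}

// Constructed sample using the real variable name; port and password are made up.
$sample = ['MYSQLCONNSTR_localdb' =>
    'Database=localdb;Data Source=127.0.0.1:49667;User Id=azure;Password=s3c;ret'];
$cfg = parse_inapp_connstr(inapp_connstr_from_env($sample) ?? '');
// In wp-config.php these values would feed define('DB_HOST', $cfg['host']) and so on.
printf("host=%s db=%s user=%s pass=%s\n",
    $cfg['host'], $cfg['name'], $cfg['user'], str_repeat('*', strlen($cfg['pass'])));
```

Because the in-app variable only exists inside App Service, running this locally with the sample array is the easiest way to confirm the parser before dropping it into wp-config.php.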