-
-
-
Configuring Microsoft Azure Data Explorer (ADX) & Azure Event Hubs
-
-
-
-
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Configuring Microsoft Azure Data Explorer (ADX) & Azure Event Hubs
Introduction
What is Azure Data Explorer (ADX)
Microsoft Azure Data Explorer (ADX) is a data analytics platform designed for querying and analyzing large volumes of data in near real time.
What is Azure Event Hubs
Microsoft Azure Event Hubs is a real-time data ingestion service based on Apache Kafka. It can process millions of events per second which subsequently can be made available to hundreds of individual consumers (applications that read and process incoming data).
Why Combine Azure Data Explorer With Azure Event Hubs for uberAgent Data
In enterprise scenarios, uberAgent’s endpoint agents may send events concurrently from hundreds of thousands of devices. This requires a backend service that is capable of ingesting millions of events per second. In the Azure cosmos, Event Hubs is exactly such a service. Once ingested, it buffers uberAgent’s events until they’ve been routed to Azure Data Explorer (ADX), where they can be efficiently queried from various additional services via the Kusto Query Language (KQL).
Advantages of Using Azure Data Explorer & Azure Event Hubs for uberAgent Data
By routing uberAgent’s data through Azure Event Hubs to Azure Data Explorer, enterprises can make DEX and endpoint security metrics available to individual teams within the organization in a publish/subscribe kind of model. Once access has been granted to an ADX database, a team can start working with the metrics it stores.
Azure Event Hubs makes it possible to distribute uberAgent’s metrics in a highly scalable manner, supporting hundreds of thousands of endpoints (data producers) and thousands of consumers. uberAgent natively supports Azure Data Explorer via Azure Event Hubs.
Prerequisites
In order for uberAgent to be able to send data to an Azure Data Explorer backend, the following Azure services are required:
- Microsoft Azure Event Hubs
- Microsoft Azure Data Explorer Cluster
- Microsoft Azure Enterprise Application
Please see the system requirements for details.
Setup
Navigate to the Azure portal and sign in with an organizational account associated with your Microsoft Azure subscription.
Creating an Azure Enterprise Application
In order to authenticate to Event Hubs, an Enterprise Application needs to be created. Follow the steps in the Microsoft documentation. Make sure to obtain a client ID and a client secret.
Creating the Azure Event Hubs Namespace & Instance
- Create a new Event Hubs namespace Azure service by specifying a resource group, a unique namespace name, a location, and a pricing tier.
-
Assign the following permissions to the namespace for the enterprise application you created above:
- Azure Event Hubs Data Sender
- Schema Registry Contributor (Preview)
- Schema Registry Reader (Preview)
- Open up the newly created Event Hubs namespace and create an Event Hubs instance by specifying a unique name, the partition count (
1is sufficient), and the retention time.
Creating the Azure Data Explorer Cluster
- Create a new Azure Data Explorer Cluster by specifying a resource group, a unique cluster name, and the workload.
- Create a new database in the newly created Azure Data Explorer Cluster by specifying a database name, the retention period, and the cache period.
- Open the newly created database and create a new data connection, using the Event Hubs instance created above as the source. Specify a data connection name, and the name of the Event Hubs namespace. Make sure to allow routing the data to other databases and leave the table name empty. Set the data format to
CSV.
Creating the Azure Data Explorer Tables
The uberAgent endpoint agent does not create the database tables in Azure Data Explorer. The script uberAgentSchema.AzureDataExplorer.kql to create the tables is part of the uberAgent download package.
Configuring Azure Event Hubs as Data Receiver in uberAgent
Receiver Stanza
The following configuration settings are required in a Receiver stanza:
-
Type:
AzureEventHubs -
Protocol:
HTTP - AzureEventHubsConfigurationId: The ID of the AzureEventHubsConfiguration stanza (see below).
AzureEventHubsConfiguration Stanza
The following configuration settings are required in an AzureEventHubsConfiguration stanza:
-
Id: Unique GUID this stanza is referenced by from a
Receiverstanza. -
AuthenticationURL: The authentication URL (optional). The default value is:
https://login.microsoftonline.com/###UA_TENANTID###/oauth2/token -
SendDataURL: The URL to send the data to (optional). The default value is:
https://###UA_EVENTHUBSNAMESPACE###.servicebus.windows.net/###UA_HUBNAME###/messages -
AzureEventHubsNameSpace: The name of the Azure Event Hubs namespace. Placeholder variable:
###UA_EVENTHUBSNAMESPACE### -
AzureHubName: The name of the Azure Event Hubs instance. Placeholder variable:
###UA_HUBNAME### -
AzureTenantID: The Entra tenant ID. Placeholder variable:
###UA_TENANTID### - AzureClientID: The Entra enterprise application client ID.
- AzureClientSecret: A client secret associated with the client ID.
The fields ###UA_TENANTID###, ###UA_EVENTHUBSNAMESPACE###, and ###UA_HUBNAME### are placeholders and are replaced by the agent with their corresponding value.
Example
[Receiver]
Name = vast limits Azure Event Hubs
Type = AzureEventHubs
Protocol = HTTP
AzureEventHubsConfigurationId = 82204bf8-fc99-4d59-8903-7206234dcbc8
[AzureEventHubsConfiguration]
Id = 82204bf8-fc99-4d59-8903-7206234dcbc8
AzureEventHubsNameSpace = vastlimits
AzureHubName = uberagent
AzureTenantID = YOUR_TENANT_TENANT_ID
AzureClientID = YOUR_ENTRA_ENTERPRISE_APPLICATION_CLIENT_ID
AzureClientSecret = YOUR_AZURE_CLIENT_SECRET
<!--NeedCopy-->
Implementation Details
Authentication Method
Authentication from the uberAgent endpoint agent to the Event Hubs instance happens by way of Azure AD JSON web tokens (JWT).
Routing Events to the Proper ADX Table
uberAgent sends many different types of events, distinguished by a so-called sourcetype. Each sourcetype has its own field definition and, therefore, needs to be stored in its own ADX table.
While uberAgent sends all types of events to a single Event Hubs ingestion service, from there the incoming events need to routed to the proper ADX tables depending on each event’s sourcetype. This routing is automatically accomplished by adding an HTTP header with the name of the ADX table, e.g.:
"Table" : "Process_ProcessStartup"
<!--NeedCopy-->
Timer scripts
Timers are mostly used to determine metrics (e.g. SessionDetail). They can also be used to start custom scripts (see here). The output of the scripts is sent to the backend where the timer name is part of the sourcetype. In most backends the sourcetype does not need to be created in advance, or it is created by uberAgent. In Azure Data Explorer the table needs to be created manually by the customer otherwise ingestion errors occur.
The table name has the following format: Script_.
The following gives an example of the KQL script needed to run to ingest the result data of a custom script into the corresponding table in Azure Data Explorer.
[Timer]
Name = DetermineDepartment
Interval = 30000
Script = C:\Scripts\DetermineDepartment.cmd
ScriptContext = UserSessionAsUser
<!--NeedCopy-->
The output of the script DetermineDepartment.cmd is:
Department=Sales UserName=John
The KQL script to create the table and the ingestion mapping in Azure Data Explorer for this timer is:
.execute database script <|
.create table Script_DetermineDepartment (Timestamp: long, Host: string, Department: string, UserName: string);
.create table Script_DetermineDepartment ingestion csv mapping 'Script_DetermineDepartment_mapping' '[{"column":"Timestamp", "Properties":{"Ordinal":"0"}}, {"column":"Host", "Properties":{"Ordinal":"1"}}, {"column":"Department", "Properties":{"Ordinal":"2"}}, {"column":"UserName", "Properties":{"Ordinal":"3"}}]';
<!--NeedCopy-->
The fields Timestamp and Host are mandatory and are automatically added by uberAgent.
The field names in the output do not necessarily have to match the field names in the table.
Share
Share
In this article
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.