Configure Azure Sentinel export to send audit logs to Microsoft Sentinel using Data Collection Rules (DCR) for security monitoring and analytics.

Prerequisites

Before configuring Golf Gateway, set up these Azure resources:
  1. Data Collection Endpoint (DCE) - See Create a DCE in Microsoft documentation.
  2. Data Collection Rule (DCR) with custom table GolfGateway_CL - See Create a DCR in Microsoft documentation.
  3. Service Principal with Monitoring Metrics Publisher role on the DCR - See Create service principal in Microsoft documentation.
You’ll need:
  • DCE Logs Ingestion endpoint URL
  • DCR Immutable ID
  • DCR Stream Name (default: Custom-GolfGateway_CL)
  • Service Principal: Tenant ID, Client ID, Client Secret

Configure Sentinel export

exporters:
  sentinel:
    - name: azure-sentinel
      enabled: true
      dcr_immutable_id: ${SENTINEL_DCR_ID}
      dcr_endpoint: https://my-dce.eastus.ingest.monitor.azure.com
      dcr_stream_name: Custom-GolfGateway_CL
      tenant_id: ${AZURE_TENANT_ID}
      client_id: ${AZURE_CLIENT_ID}
      client_secret: ${AZURE_CLIENT_SECRET}

Verify export is working

  1. Generate some gateway traffic
  2. Wait for batch timeout (default: 10 seconds)
  3. Query the GolfGateway_CL table in Log Analytics
See Query logs in Azure Monitor for query syntax.

Troubleshooting

  • 401 Unauthorized: Verify service principal credentials
  • 403 Forbidden: Check that the service principal has the Monitoring Metrics Publisher role on the DCR
  • 404 Not Found: Verify DCR immutable ID is correct
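
To separate a credential or role problem from a gateway problem, the same ingestion path can be exercised outside the gateway. The script below is an added example, not part of Golf Gateway: it requests a token as the service principal, posts one test record to the Logs Ingestion API, and maps the status code to the entries above. The variable names SENTINEL_DCE_ENDPOINT and SENTINEL_STREAM and the record columns (TimeGenerated, Message) are assumptions; the columns must match your DCR stream.

```python
import datetime, json, os, urllib.error, urllib.parse, urllib.request

API_VERSION = "2023-01-01"  # Logs Ingestion API version
HINTS = {  # mirrors the troubleshooting list on this page
    401: "verify service principal credentials",
    403: "check the Monitoring Metrics Publisher role on the DCR",
    404: "verify the DCR immutable ID"}

def ingestion_url(endpoint, dcr_id, stream):
    """Build the Logs Ingestion URL from the three exporter settings."""
    if not endpoint.startswith("https://"):  # never send the bearer token in clear
        raise ValueError("dcr_endpoint must be an https:// URL")
    if not dcr_id.startswith("dcr-"):  # immutable IDs look like dcr-<hex>
        raise ValueError("expected the DCR immutable ID, not its name or resource ID")
    quote = urllib.parse.quote
    return (f"{endpoint.rstrip('/')}/dataCollectionRules/{quote(dcr_id, safe='')}"
            f"/streams/{quote(stream, safe='')}?api-version={API_VERSION}")

def explain(status):
    hint = "record accepted" if status == 204 else HINTS.get(status, "see response body")
    return f"{status}: {hint}"

def post(url, data, headers):
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx carry the status we want
        return err.code, err.read()

def check(env):  # SENTINEL_DCE_ENDPOINT / SENTINEL_STREAM: hypothetical names
    url = ingestion_url(env["SENTINEL_DCE_ENDPOINT"], env["SENTINEL_DCR_ID"],
                        env.get("SENTINEL_STREAM", "Custom-GolfGateway_CL"))
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": env["AZURE_CLIENT_ID"],
        "client_secret": env["AZURE_CLIENT_SECRET"],
        "scope": "https://monitor.azure.com/.default"}).encode()
    status, body = post("https://login.microsoftonline.com/"
                        f"{env['AZURE_TENANT_ID']}/oauth2/v2.0/token", form, {})
    if status != 200:
        return f"token request failed ({status}): check tenant ID, client ID, secret"
    now = datetime.datetime.now(datetime.timezone.utc).isoformat()
    record = [{"TimeGenerated": now, "Message": "export check"}]  # assumed columns
    headers = {"Authorization": "Bearer " + json.loads(body)["access_token"],
               "Content-Type": "application/json"}
    return explain(post(url, json.dumps(record).encode(), headers)[0])

if __name__ == "__main__":
    print(check(os.environ))
```

The script prints only the status and hint, never the secret or the token, so its output is safe to paste into a ticket.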