Capture API calls from Azure API Management to your own security data lake using Azure Event Hubs.
Running Resurface for Azure APIM requires some prior configuration. Specifically, four resources need to be created and deployed: an Event Hub, a Storage Account, a Logger, and a Policy for your APIM instance.
Click the Deploy to Azure button below to deploy all necessary resources using an ARM template:
This uses a custom template to create and deploy an Event Hubs instance and a Storage Account, and to add a Logger and a Policy to your existing APIM instance.
Warning
This will overwrite any global policies you have in place in your APIM instance. Make sure you back up existing policies!
Once the automatic deployment finishes, go to the Outputs section.
Copy the listed values and update the required environment variables accordingly.
If you would like to configure everything yourself using the Azure console instead, just follow Resurface's Capturing from APIM get-started guide, where the entire process is documented in a step-by-step manner.
- Set the following environment variables in your `.env` file:

| Variable | Set to |
|---|---|
| `AZURE_EH_CONNECTION_STRING` | Connection string for a specific Azure Event Hubs namespace |
| `EVENT_HUB_NAME` | Name of your Event Hub instance |
| `AZURE_STORAGE_CONNECTION_STRING` | Connection string for a specific Azure Storage Account |
| `STORAGE_CONTAINER_NAME` | Name of your storage container |
| `USAGE_LOGGERS_URL` | DB capture endpoint for your Resurface instance |
| `USAGE_LOGGERS_RULES` | (Optional) Set of rules. Only necessary if you want to exclude certain API calls from being logged. |
| `EVENT_HUB_CONSUMER_GROUP` | (Optional) Name of a consumer group from your Event Hub. Only necessary if you have created a specific consumer group for your Event Hub instance. |
| `PARTITION_NUMBER` | (Deprecated) Partition number configured in `policy.xml`. Should be "0" by default. |

- (Optional) Build the container image:

  ```bash
  docker build -t azure-eh-consumer:1.0.1 .
  ```

- Run the container:

  ```bash
  docker run -d --name azure-eh --env-file .env resurfaceio/azure-eh-consumer:1.0.1
  ```

  Or, if you built the image yourself in the previous step:

  ```bash
  docker run -d --name azure-eh --env-file .env azure-eh-consumer:1.0.1
  ```

- Use your API as you always do.
- Go to the web UI for your Graylog API Security instance and verify that API Calls are being captured.
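
The `.env` file from the first step holds shared access keys and is handed to `docker run --env-file` as-is, so it is worth checking before the container starts. The script below is an added example, not part of the original page or of Resurface's code; the helper names, the `YOUR_*` placeholder pattern and the connection string shape checks are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for the .env file given to `docker run --env-file`.
# check_env_file, env_value and report are hypothetical helpers, not Resurface code.
REQUIRED="AZURE_EH_CONNECTION_STRING EVENT_HUB_NAME AZURE_STORAGE_CONNECTION_STRING
STORAGE_CONTAINER_NAME USAGE_LOGGERS_URL"

# Print the value assigned to variable $2 in env file $1 (last assignment wins).
env_value() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

report() { echo "$file: $1"; problems=$((problems + 1)); }

# Print one line per problem; succeed only when none is found.
check_env_file() {
  file=$1 problems=0
  [ -r "$file" ] || { report "not readable"; return 1; }
  # The file holds shared access keys, so group and other get no access.
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
    report "accessible by group/other, run: chmod 600 $file"
  for name in $REQUIRED; do
    case "$(env_value "$file" "$name")" in
      "")      report "$name is missing or empty" ;;
      \"*|\'*) report "$name is quoted; --env-file keeps quotes in the value" ;;
      YOUR_*)  report "$name still holds a placeholder" ;;
    esac
  done
  # Assumption: an Event Hubs connection string carries an sb:// endpoint.
  case "$(env_value "$file" AZURE_EH_CONNECTION_STRING)" in
    ""|\"*|\'*|YOUR_*|*Endpoint=sb://*) ;;
    *) report "AZURE_EH_CONNECTION_STRING has no Endpoint=sb:// part" ;;
  esac
  # DefaultEndpointsProtocol=http would send storage traffic without TLS.
  case "$(env_value "$file" AZURE_STORAGE_CONNECTION_STRING)" in
    *"DefaultEndpointsProtocol=http;"*) report "storage connection string uses http" ;;
  esac
  [ "$problems" -eq 0 ]
}

# Constructed sample file (every value is made up) to show the output.
demo=$(mktemp) && chmod 644 "$demo"
cat > "$demo" <<'EOF'
AZURE_EH_CONNECTION_STRING="Endpoint=sb://example-ns.servicebus.windows.net/;SharedAccessKeyName=listen;SharedAccessKey=CONSTRUCTED"
EVENT_HUB_NAME=apim-calls
AZURE_STORAGE_CONNECTION_STRING=DefaultEndpointsProtocol=http;AccountName=example;AccountKey=CONSTRUCTED
STORAGE_CONTAINER_NAME=YOUR_AZURE_STORAGE_CONTAINER_NAME
EOF
check_env_file "$demo" || echo "fix the lines above before starting the container"
rm -f "$demo"
```
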
Using Helm, you can deploy this listener application to your running cluster:

```bash
helm upgrade -i resurface resurfaceio/resurface --namespace resurface \
  --set consumer.azure.enabled=true \
  --set consumer.azure.ehconnstring=YOUR_AZURE_EH_CONNECTION_STRING \
  --set consumer.azure.ehname=YOUR_AZURE_EVENT_HUBS_INSTANCE_NAME \
  --set consumer.azure.storageconnstring=YOUR_AZURE_STORAGE_CONNECTION_STRING \
  --set consumer.azure.storagecontainer=YOUR_AZURE_STORAGE_CONTAINER_NAME
```

Loggers always have an active set of rules that control what data is logged and how sensitive data is masked. All of the examples above apply a predefined set of rules (`include debug`), but logging rules are easily customized to meet the needs of any application.

© 2016-2024 Graylog, Inc.