Skip to content

Capture API calls from Azure APIM with Azure Event Hubs

License

Notifications You must be signed in to change notification settings

resurfaceio/azure-eh

Repository files navigation

azure-eh

Capture API calls from Azure API Management to your own security data lake using Azure Event Hubs.

License Contributing

Contents

Deployment

In order to run Resurface for Azure APIM, some previous configuration is needed. Specifically, four resources need to be created and deployed: an Event Hub, a Storage Account, a Logger, and a Policy for your APIM instance.

Automatic deployment

Click the Deploy to Azure button below to deploy all necessary resources using an ARM template:

Deploy to Azure

This uses a custom template to create and deploy an Event Hubs instance, a Storage Account, and adds a Logger and Policy to your existing APIM instance

Warning

This will overwrite any global policies you have in place in your APIM instance. Make sure you back up existing policies!

Once the automatic deployment finishes, go to the Outputs section.

Click to expand

image

Copy the listed values and update the required environment variables accordingly.

Click to expand

image

Manual setup

If you would like to configure everything yourself using the Azure console instead, just follow Resurface's Capturing from APIM get-started guide, where the entire process is documented in a step-by-step manner.

Configuration

  • Set following the environment variables in your .env file:
Variable Set to
AZURE_EH_CONNECTION_STRING Connection string for a specific Azure Event Hubs namespace
EVENT_HUB_NAME Name of your Event Hub instance
AZURE_STORAGE_CONNECTION_STRING Connection string for a specific Azure Storage Account
STORAGE_CONTAINER_NAME Name of your storage container
USAGE_LOGGERS_URL DB capture endpoint for your Resurface instance
USAGE_LOGGERS_RULES (Optional) Set of rules.
Only necessary if you want to exclude certain API calls from being logged.
EVENT_HUB_CONSUMER_GROUP (Optional) Name of a consumer group from your Event Hub.
Only necessary if you have created a specific consumer group for your Event Hub instance
PARTITION_NUMBER (Deprecated) Partition number configured in policy.xml. Should be "0" by default.
  • (Optional) Build the container image
docker build -t azure-eh-consumer:1.0.1 .
  • Run the container
docker run -d --name azure-eh --env-file .env resurfaceio/azure-eh-consumer:1.0.1

Or, if you built the image yourself in the previous step:

docker run -d --name azure-eh --env-file .env azure-eh-consumer:1.0.1
  • Use your API as you always do.
  • Go to the web UI for your Graylog API Security instance and verify that API Calls are being captured.

Running on AKS

Using Helm you can deploy this listener application to your running cluster

helm upgrade -i resurface resurfaceio/resurface --namespace resurface \
--set consumer.azure.enabled=true \
--set consumer.azure.ehconnstring=YOUR_AZURE_EH_CONNECTION_STRING \
--set consumer.azure.ehname=YOUR_AZURE_EVENT_HUBS_INSTANCE_NAME \
--set consumer.azure.storageconnstring=YOUR_AZURE_STORAGE_CONNECTION_STRING \
--set consumer.azure.storagecontainer=YOUR_AZURE_STORAGE_CONTAINER_NAME

Protecting User Privacy

Loggers always have an active set of rules that control what data is logged and how sensitive data is masked. All of the examples above apply a predefined set of rules (include debug), but logging rules are easily customized to meet the needs of any application.

Logging rules documentation

© 2016-2024 Graylog, Inc.