I'm looking to send specific logs from my syslog-ng cluster to Azure event hub so it can utilize ADX instead of Log Analytics workspace.
Per the documentation found on syslog-ng's website (here), the config looks pretty straightforward, but I can't seem to get it to work. Below is a sanitized version of my config right now.
    destination d_AzureEventHub {
        http(
            url("https://XXXXX.servicebus.windows.net/YYYYY")
            #tls( ca-dir("/etc/syslog-ng/ca.d") )
            tls( ca-file("/etc/ssl/certs/ca-bundle.crt") )
            method("POST")
            headers(
                "Authorization: SharedAccessSignature sr=XXXXX.servicebus.windows.net%YYYYY%2f&sig=ZZZZZZZZZZZZZZZZZ=RootManageSharedAccessKey",
                "Content-Type: application/atom+xml;type=entry;charset=utf-8"
            )
        );
    };
With this setup, I'm getting the following syslog-ng error.
syslog-ng[7253]: Server returned with a 4XX (client errors) status code, which means we are not authorized or the URL is not found.;
Further in the log, it shows it as a 401 error.
I've tried removing the "SharedAccessSignature" portion and still get the same error. Also, if I use the ca-dir I have listed, I get this error. Note that the directory has a .crt and .pem file of the DigiCert roots I downloaded.
error='Peer certificate cannot be authenticated with given CA certificates'
My confusion is around the Authorization portion. I've tried using the basic shared access policy key as well as creating a SAS token from the key. Neither seems to give me a successful connection.
I'm also not sure what format the authorization should truly be in. Any help would be appreciated.
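
On the format of the Authorization value asked about above: a Service Bus / Event Hubs SAS token has four fields, `sr` (percent-encoded resource URI), `sig` (HMAC-SHA256 signature), `se` (expiry in Unix seconds) and `skn` (policy name). The sketch below is an added example, not part of the original post or of syslog-ng; it builds such a token and reports which fields a header value lacks. The namespace, hub, policy name and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

REQUIRED_FIELDS = ("sr", "sig", "se", "skn")


def build_sas_token(resource_uri, key_name, key, ttl_seconds=3600, now=None):
    """Build a Service Bus / Event Hubs SAS token for the Authorization header."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    # Percent-encode the whole URI, including ":" and "/".
    encoded_uri = urllib.parse.quote(resource_uri, safe="")
    # Signed string: encoded URI, a newline, then the expiry in Unix seconds.
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    # The policy key is used as UTF-8 bytes, not base64-decoded.
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = urllib.parse.quote(base64.b64encode(digest), safe="")
    return (f"SharedAccessSignature sr={encoded_uri}&sig={signature}"
            f"&se={expiry}&skn={key_name}")


def missing_sas_fields(header_value):
    """Return the required SAS fields absent from an Authorization value."""
    scheme, _, params = header_value.partition(" ")
    if scheme != "SharedAccessSignature":
        return list(REQUIRED_FIELDS)
    present = dict(urllib.parse.parse_qsl(params, keep_blank_values=True))
    return [name for name in REQUIRED_FIELDS if name not in present]


# Constructed sample values: placeholder namespace, hub, policy name and key.
# A policy with only the Send claim is enough for a log forwarder.
SAMPLE_URI = "https://example-ns.servicebus.windows.net/example-hub"
SAMPLE_TOKEN = build_sas_token(SAMPLE_URI, "send-only", "constructed-key",
                               ttl_seconds=3600, now=1_700_000_000)
# Same shape as the header value in the post (sanitized placeholders kept).
POSTED_VALUE = ("SharedAccessSignature sr=XXXXX.servicebus.windows.net%YYYYY%2f"
                "&sig=ZZZZZZZZZZZZZZZZZ=RootManageSharedAccessKey")

if __name__ == "__main__":
    print("Authorization:", SAMPLE_TOKEN)
    print("fields missing from the posted value:", missing_sas_fields(POSTED_VALUE))
```

Because the token embeds its own expiry, a value pasted statically into a `headers()` line stops being accepted once `se` has passed and has to be regenerated.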