After installing Azure Log Connector and completing the App Registration in Microsoft Entra ID, the connector is configured using the built-in command line configuration utility. This article covers the configuration process and how to update the configuration if values need to change after initial setup.
Running the configuration utility:
- Open Command Prompt or PowerShell as Administrator
- Navigate to the installation directory:
cd “C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector”
- Run the configuration utility:
Lta.Entra.Agent.exe –configure
- Enter the following values at each prompt:
Tenant ID: Enter the Directory (tenant) ID from your App Registration:
Tenant ID: <your-tenant-id>
Client ID: Enter the Application (client) ID from your App Registration:
Client ID (Application ID): <your-client-id>
Client Secret: Enter the client secret value generated in your App Registration:
Client Secret: <your-client-secret>
AgentId: A unique identifier for this collector instance. Defaults to the local machine name if left blank:
AgentId: <machine-name or custom identifier>
Syslog Host: The hostname or IP address of your LT Auditor MP server:
Syslog Host: <LT Auditor MP hostname or IP>
Syslog Port: The port your LT Auditor MP syslog listener is configured on. Default is 5050:
Syslog Port: 5050
Protocol: The syslog transport protocol. Default is TCP:
Protocol (UDP, TCP, or TLS): TCP
- After all prompts are completed, the configuration utility saves the settings to the application configuration files in the installation directory
Restarting the service after configuration:
If the service was already running when configuration changes were made, restart it to apply the new settings:
net stop LTA_AzureLogCollector
net start LTA_AzureLogCollector
Confirm the service returns to a Running state after the restart:
sc query LTA_AzureLogCollector
Updating configuration after initial setup:
If any configuration values need to be changed after the initial setup โ for example, when a client secret is renewed, the LT Auditor MP server address changes, or the syslog port is updated โ rerun the configuration utility:
Lta.Entra.Agent.exe –configure
Work through all prompts again, entering the updated values where needed and confirming unchanged values. Restart the service after completing the updated configuration.
Verifying the configuration:
After completing configuration and starting the service, verify it is connecting successfully to both Microsoft APIs and the LT Auditor MP server:
- Review the application logs for successful startup and API connection messages:
C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector\logs
- Look for:
- Successful authentication to Microsoft Graph
- Successful authentication to the Office 365 Management API
- Syslog connection established to LT Auditor MP
- First polling cycle completed
- In the LT Auditor MP Web UI, navigate to View, select the Azure Log Connector environment, and confirm events are appearing after the first polling cycle completes
Common configuration issues:
| Issue | Likely Cause | Resolution |
| Authentication failure on startup | Incorrect Tenant ID, Client ID, or Client Secret | Rerun the configuration utility and verify all three values |
| Client secret error | Secret has expired | Generate a new secret in the Azure Portal and rerun configuration |
| API permission error | Admin Consent not granted | Navigate to the App Registration and grant Admin Consent for all permissions |
| Syslog connection failure | Incorrect host, port, or firewall blocking | Confirm LT Auditor MP server address and port, and verify firewall rules |
| No events appearing in LT Auditor MP | Polling not yet completed | Wait for at least one full polling interval (default: 5 minutes) |
Using TLS for secure syslog transmission:
If your LT Auditor MP transformation rule is configured for TLS, select TLS when prompted for the protocol during configuration. Ensure that:
- The LT Auditor MP server TLS certificate is valid and trusted
- Any required CA certificates are available on the Azure Log Connector server
- The configured port matches the TLS listener port in LT Auditor MP
Blue Lance recommends using TLS for syslog transmission in production environments to encrypt audit data in transit between Azure Log Connector and the LT Auditor MP server.
[Your administrator should document the configured Syslog Host, Port, Protocol, and AgentId values for future reference and include them in your change management records.]