topic Re: How to get logs from Azure and O365 into Splunk? in All Apps and Add-ons

How to get logs from Azure and O365 into Splunk?

marycordova — Wed, 01 Aug 2018 19:41:46 GMT

Problem: various apps and TAs exist but none of them are reliable and/or supported.

Re: How to get logs from Azure and O365 into Splunk?

marycordova — Tue, 29 Sep 2020 20:46:41 GMT

see additional screenshots in below comments as I can't post them all in this answer

Splunk:
setup a Splunk RAW http(s) endpoint for Azure and/or O365 (must be raw not regular hec or timestamping is all messed up)

inputs.conf:
[http://inputs_azure]
disabled = 0
index = azure
sourcetype = httpevent:azure
token = token

[http://inputs_o365]
disabled = 0
index = azure
sourcetype = httpevent:o365
token = token

props.conf:
[httpevent:azure]
KV_MODE = json
TIME_PREFIX = ^\D+
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
TZ = UTC

[httpevent:o365]
KV_MODE = json
TIME_PREFIX = ^\D+
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
TZ = UTC

Microsoft: You need some “solutions”
- O365 "solution": Office 365 Analytics (Preview)
- https://azuremarketplace.microsoft.com/en-us/marketplace/apps/Microsoft.Office365OMS?tab=Overview
- Azure audit "solution": Activity Log Analytics
- https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-activity

in the back end a “log analytics” repo for the logs ingested by each solution is created
create a “logic app” for each repo that will query log analytics directly and post http(s) to the Splunk RAW endpoint
set query backward in time (I have a 5 hour delay but I think that could be shortened to 2 hours) because MS doesn’t deliver logs to the solution/log analytics in real time
Only outstanding issue is that super nested json isn’t parsing…

Re: How to get logs from Azure and O365 into Splunk?

marycordova — Wed, 01 Aug 2018 21:54:17 GMT

Re: How to get logs from Azure and O365 into Splunk?

marycordova — Wed, 01 Aug 2018 22:08:14 GMT

Re: How to get logs from Azure and O365 into Splunk?

teddyidc1101 — Thu, 06 Sep 2018 09:08:14 GMT

Do you have solution for Skype?

Re: How to get logs from Azure and O365 into Splunk?

pmeyerson — Sat, 29 Sep 2018 23:53:08 GMT

Do you have any idea on which (if any) subscriptions this feature is included in? I'm having a tough time understanding how all the different o365+azure -> splunk options are priced from the msft side.
Wasn't sure if you uncovered anything while looking into this option.

Re: How to get logs from Azure and O365 into Splunk?

marycordova — Tue, 11 Dec 2018 23:32:08 GMT

For Skype, even though the logs are visible in the same portal.office.com place as all the other O365 logs they have not yet added them to the Azure integration. So right now you'd have to write a powershell script or something to grab them, probably from the API...which I hate cuz I've never met an API based app that didn't break, but give me something like syslog, or hec...never had one that did break!

Re: How to get logs from Azure and O365 into Splunk?

marycordova — Tue, 11 Dec 2018 23:32:54 GMT

I think you need like an "E3" pricing tier but I'm really not sure...

Re: How to get logs from Azure and O365 into Splunk?

marycordova — Wed, 10 Jul 2019 23:37:13 GMT

damn...what happened to those screenshots? there is literally no way i will ever be able to re-create them since this is $job-1

Re: How to get logs from Azure and O365 into Splunk?

marycordova — Fri, 06 Sep 2019 18:56:02 GMT