topic Re: how to get Logs from Azure servers to On-prem splunk? in Getting Data In

how to get Logs from Azure servers to On-prem splunk?

kiran331 — Tue, 12 Dec 2017 16:46:18 GMT

Hello,

What is the best way to get windows logs and linux logs from aroung 200+ servers in Azure to on-prem splunk environment, I tried the blob storage option but its not in correct format. is it better to Install universal forwarders on cloud servers and forward them to on-prem indexers. any one had similar issue?

Re: how to get Logs from Azure servers to On-prem splunk?

adonio — Tue, 12 Dec 2017 17:48:28 GMT

hello @kiran331,

are you using the app for mscs https://splunkbase.splunk.com/app/3110/#/overview
did you configure the Azure modular input?

Re: how to get Logs from Azure servers to On-prem splunk?

kiran331 — Tue, 12 Dec 2017 17:50:48 GMT

Yes, I'm getting the Azure audit logs and resource logs, I'm looking for security, system and application logs from the windows servers in azure

Re: how to get Logs from Azure servers to On-prem splunk?

adonio — Tue, 12 Dec 2017 17:57:37 GMT

looks like you are on the right track,
read here:
https://www.splunk.com/blog/2016/03/15/splunking-microsoft-azure-data.html
did you enable the correct audit rules on your azure account?
check out these links: (also directly from article above)
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs
https://msdn.microsoft.com/en-us/library/azure/dn931934.aspx

hope it helps

Re: how to get Logs from Azure servers to On-prem splunk?

mattymo — Wed, 13 Dec 2017 14:14:01 GMT

Hey Kiran!

I will be working with the MS Azure team shortly after the new year to ensure that Splunking Azure gets the first class treatment like we have in AWS! Once I have met with them I will be sure to check back with you. Until then, let us know what you find!

Re: how to get Logs from Azure servers to On-prem splunk?

baldwintm — Thu, 14 Dec 2017 00:03:47 GMT

I’ve found that the best way to get logs from servers in azure is to install the universal forwarder on the instances.

Re: how to get Logs from Azure servers to On-prem splunk?

kiran331 — Thu, 14 Dec 2017 15:17:45 GMT

are you able to manage forwarders with on-prem deployment server?

Re: how to get Logs from Azure servers to On-prem splunk?

baldwintm — Thu, 14 Dec 2017 15:21:36 GMT

Yes. Assuming you have network connectivity and the hosts in Azure can reach port 8089 on the deployment server.

Re: how to get Logs from Azure servers to On-prem splunk?

kiran331 — Thu, 14 Dec 2017 15:31:44 GMT

Is it a best practice to talk to 8089 over internet with public Ip?

Re: how to get Logs from Azure servers to On-prem splunk?

baldwintm — Thu, 14 Dec 2017 15:43:33 GMT

That's a good question.
It's https, so it would be encrypted, but then getting the data back to the indexers would be a little interesting.

I'm not sure I have a good answer for you

Re: how to get Logs from Azure servers to On-prem splunk?

mattymo — Thu, 14 Dec 2017 19:02:00 GMT

Yep you could do this, it would just be a good idea to flip off of Splunk default certs to 3rd party or self-signed certs for both the management port (8089) and for the forwarding layer (ie. 9997)

Re: how to get Logs from Azure servers to On-prem splunk?

varadredgntn — Mon, 18 Dec 2017 11:03:50 GMT

I would recommend installing UF on the servers and forward the logs to your Splunk instance, that way you also have better control on how you want to parse the data. Using the blob storage may not give that flexibility.

Re: how to get Logs from Azure servers to On-prem splunk?

ppadhi01 — Sat, 09 Mar 2024 00:03:17 GMT

Looking for the solution. Would you mind if you resolve this issue, getting Azure applciaion log to On-prem Splunk