Can I Subscribe to the Event Hub to pull down NSG ...

paimonsoror · ‎01-29-2018

Hello;

Currently we are using the storage blob integration to pull down NSG details into splunk through a Storage account. However, would we be able to just simply subscribe to the EventHub to pull similar data down instead of having to deal with the data latencies and json snapshotting through a blob?

This is the tutorial I had originally used: https://www.splunk.com/blog/2017/02/20/splunking-microsoft-azure-network-watcher-data.html

joelby · ‎04-16-2018

I've also written a Splunk add-on that lets you pull data straight from Event Hubs, with optional transformation along the way of data via JavaScript modules. I haven't listed it on Splunkbase yet, but it works well for me: https://github.com/joelw/event_hubs_for_splunk

jconger · ‎01-29-2018

Network Watcher Flow logs are only kept in a storage account. From https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview:

Flow logs are stored only within a storage account and following the logging path as shown in the following example:

https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resou...

Other types of NSG data can be pushed to an Event Hub. Then, an Azure Function can be used to push this data to Splunk via HEC. Here are some example Azure Functions to push the data to Splunk from an Event Hub -> https://github.com/sebastus?utf8=✓&tab=repositories&q=splunk&type=&language=

Can I Subscribe to the Event Hub to pull down NSG data?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life