All Apps and Add-ons

Can I Subscribe to the Event Hub to pull down NSG data?

paimonsoror
Builder

Hello;

Currently we are using the storage blob integration to pull down NSG details into splunk through a Storage account. However, would we be able to just simply subscribe to the EventHub to pull similar data down instead of having to deal with the data latencies and json snapshotting through a blob?

This is the tutorial I had originally used: https://www.splunk.com/blog/2017/02/20/splunking-microsoft-azure-network-watcher-data.html

0 Karma

joelby
Explorer

I've also written a Splunk add-on that lets you pull data straight from Event Hubs, with optional transformation along the way of data via JavaScript modules. I haven't listed it on Splunkbase yet, but it works well for me: https://github.com/joelw/event_hubs_for_splunk

0 Karma

jconger
Splunk Employee
Splunk Employee

Network Watcher Flow logs are only kept in a storage account. From https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview:

Flow logs are stored only within a storage account and following the logging path as shown in the following example:

https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resou...

Other types of NSG data can be pushed to an Event Hub. Then, an Azure Function can be used to push this data to Splunk via HEC. Here are some example Azure Functions to push the data to Splunk from an Event Hub -> https://github.com/sebastus?utf8=✓&tab=repositories&q=splunk&type=&language=

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...