Has anyone successfully configured Splunk Add-on for Microsoft Cloudservices Azure Audit?

jsantosoptum
New Member

I have tried creating inputs for both:
Azure Audit
Azure Resource

I also created the required Azure App Account that is referenced when creating the input. The Azure App Account was created with the required Client ID, Key (Client Secret), and Tenant ID.

I have also created Data Inputs by selecting my specific Splunk Add-on, such as Microsoft Cloudservice Azure Audit, which can be found by going to Settings > Data Inputs > Splunk Add-on for Microsoft Cloudservice Azure Audit, and nothing has worked to get data into my index.

According to the Splunk docs, Azure Audit is to be used when trying to pull data from Azure applications that use Azure Application Insights.

Can anyone tell me if they have this working and if so what was configured? All of my Splunk configurations were done through the GUI.

0 Karma

jconger
Splunk Employee

This blog post details all the necessary steps to enable the Audit input -> https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html

Here is a handy search to help troubleshoot:

index=_internal source=*cloudservices* error
0 Karma

jsantosoptum
New Member

Thanks Maciep. I opened a ticket with Azure support and will be with them online today troubleshooting this issue. I will post the information provided today if it gets things working.

Thanks for the video!

0 Karma

maciep
Champion

Not sure about getting your config to work (we struggle with o365 connection/input with that add-on). But my understanding is that the plan, for now at least (ms always seems to be changing it), is to send everything to Azure Monitor. Maybe that's not the case for your data?

But they do have a TA specifically for Azure Monitor now. We struggled getting that add-on to work as well, but the developer was very responsive and helped us through installing/configuring it.

Azure Monitor Add-on For Splunk

And here is their session at .conf this year:

Monitor and Manage Your Cloud Environment with Azure Monitor and Splunk

0 Karma