
Ingesting Azure Logs (IaaS, PaaS, OS, app, etc.)

ericl42
Path Finder

I know there have been a lot of conversations around this topic and technology is constantly changing to make things easier, so I was curious if anyone has had recent experience ingesting all Azure logs to an on-premise Splunk instance.

We're looking at both keeping logs local to Azure and utilizing Sentinel, but we'd prefer to keep them in Splunk so we have one location for logs no matter where they are (i.e. Azure, AWS, on-premise, etc.).

Potential solutions:

  1. Install a forwarder on every VM and back haul the traffic across the VPN to on-premise indexers.
    • I don't want to pay the VPN costs for this or have that dependency. It's also just not a very "cloud-ish" solution.
  2. Stand up indexers in Azure and replicate the clusters in Azure & on-premise.
    • These VMs cost a lot of money.
  3. Send all logs to Event Hub and use Splunk to pull from there.
    • This seems like a decent solution but I'm not sure of the costs or parsing issues this may entail. 

I would love to hear how others compared Sentinel to Splunk and justified sticking with Splunk in Azure when you had an on-premise Splunk architecture.

Note that we want the infrastructure/platform logs but have a hard requirement to get the OS and app logs (i.e. Windows security, RHEL /var/log/secure, Apache, Squid proxy, etc.)

Thanks!


Priyankakumari1
Explorer

Have you got any answer for this??


ericl42
Path Finder

I ended up going down the Event Hub route. You can use the Azure Diagnostic agent to push all Linux/Windows logs to EH and then use Microsoft Azure Add-on for Splunk to then ingest those logs into Splunk.

This allows the traffic to not go over the VPN connection and just pay for back egress traffic outbound to Azure. Since it's SSL, it should do some encryption and save you a few costs.

You can then modify the transforms and props files to help divide the logs up into the appropriate indexes and whatnot.
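As an added illustration of the props/transforms routing mentioned above, here is an example configuration written for this page; it is not the original poster's config and not taken from the Microsoft Azure Add-on for Splunk documentation. It assumes the add-on tags Event Hub data with the sourcetype mscs:azure:eventhub, and the REGEX patterns (EventLog, Facility, FilePath field names) are assumptions about what the Azure Diagnostics agent emits; check a raw event in Splunk and adjust them to your actual payload. The settings belong on the heavy forwarder that runs the Event Hub input, because that is where index-time parsing happens for modular inputs, and the target indexes must already exist on the indexers.

```ini
# props.conf  (on the heavy forwarder running the Event Hub input)
# Assumption: the add-on assigns sourcetype mscs:azure:eventhub to Event Hub
# events; rename the stanza if your input uses a different sourcetype.
[mscs:azure:eventhub]
# Apply the index-routing transforms below to every event of this sourcetype.
TRANSFORMS-eh_routing = eh_idx_winsec, eh_idx_linux_auth, eh_idx_apache

# transforms.conf
# Each stanza matches a JSON fragment in _raw and rewrites the event's index.
# Events that match no stanza stay in the index configured on the input.
# Assumption: the field names in the REGEX values match the JSON the Azure
# Diagnostics agent writes to Event Hub; verify against a real event.

# Windows Security event log -> index "wineventlog"
[eh_idx_winsec]
REGEX = "EventLog"\s*:\s*"Security"
DEST_KEY = _MetaData:Index
FORMAT = wineventlog

# Linux authpriv facility (the /var/log/secure stream) -> index "linux_auth"
[eh_idx_linux_auth]
REGEX = "Facility"\s*:\s*"authpriv"
DEST_KEY = _MetaData:Index
FORMAT = linux_auth

# Apache access log collected by the agent's file watcher -> index "web"
[eh_idx_apache]
REGEX = "FilePath"\s*:\s*"/var/log/httpd/access_log"
DEST_KEY = _MetaData:Index
FORMAT = web
```

After restarting the heavy forwarder, a search such as `index=wineventlog sourcetype=mscs:azure:eventhub | head 5` confirms the routing; if everything still lands in the default index, the REGEX values are the first thing to compare against a raw event.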

pkolhatk
Explorer

Hi, can you share any reference document?
