I am currently having issues determining whether or not I am ingesting the mscs:azure:audit sourcetype.
We were ingesting mscs:azure:audit prior to upgrading from v2.0.3 to v2.1.0 and now we are not. However, we are ingesting ms:o365:management.
We are running on Splunk Enterprise v184.108.40.206
I know the version that we are running is old but we have several dependencies that we need to test out before moving to version 3.0.0.
**Edit:** The following parameters are already configured: Modular inputs, O365 account, Azure app account, Azure storage account, proxy and certificate.
Any help would be appreciated as I am currently clutching at straws.
Spoke to Splunk support; looks like there is a bug.
Workaround is documented here:
I think you need to configure Modular input for audit logs.
You can refer to these logs:
Let me know if this helps!!
Yes, I have configured the modular inputs via the app's GUI. I have also tried removing and re-creating each input but still no joy.
Other parameters configured: Inputs, Azure account and Azure storage account.