All Apps and Add-ons

Splunk add-on for Microsoft Cloud Service v2.1.0 - Not seeing mscs:azure:audit sourcetype

joelim
Explorer

Hi all,

I am currently having issues determining weather or not I am ingesting mscs:azure:audit sourcetype.

We were ingesting mscs:azure:audit prior to upgrading from v2.0.3 to v2.1.0 and now we are not. However, we are ingesting ms:o365:management.

We are running on Splunk Enterprise v6.5.3.1

I know the version that we are running is old but we have several dependencies that we need to test out before moving to version 3.0.0.

**Edit: The following parameters are already configured: Modular inputs, O365 account, Azure app account, Azure storage account , proxy and certificate.

Any help would be appreciated as I am currently clutching at straws.

0 Karma
1 Solution

joelim
Explorer
0 Karma

joelim
Explorer
0 Karma

deepashri_123
Motivator

Hey@joelim,

I think you need to configure Modular input for audit logs.
You can refer this logs:
https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureinputs2

Let me know if this helps!!

0 Karma

joelim
Explorer

@deepashri_123
Yes, I have configured the modular inputs via the app's GUI. I have also tried removing and re-creating each input but still no joy.

Other parameters configured: Inputs, Azure account and Azure storage account.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!