
Splunk add-on for Microsoft Cloud Service v2.1.0 - Not seeing mscs:azure:audit sourcetype

joelim
Explorer

Hi all,

I am currently having issues determining whether or not I am ingesting mscs:azure:audit sourcetype.

We were ingesting mscs:azure:audit prior to upgrading from v2.0.3 to v2.1.0 and now we are not. However, we are ingesting ms:o365:management.

We are running on Splunk Enterprise v6.5.3.1.

I know the version that we are running is old but we have several dependencies that we need to test out before moving to version 3.0.0.

Edit: The following parameters are already configured: Modular inputs, O365 account, Azure app account, Azure storage account, proxy and certificate.

Any help would be appreciated as I am currently clutching at straws.

joelim
Explorer

Spoke to Splunk support; looks like there is a bug.

Workaround is documented here:

https://answers.splunk.com/answers/694725/splunk-add-on-for-microsoft-cloud-service-showing.html?chi...


deepashri_123
Motivator

Hey @joelim,

I think you need to configure Modular input for audit logs.
You can refer to these logs:
https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureinputs2

Let me know if this helps!!


joelim
Explorer

@deepashri_123
Yes, I have configured the modular inputs via the app's GUI. I have also tried removing and re-creating each input but still no joy.

Other parameters configured: Inputs, Azure account and Azure storage account.
