I'm going to use Splunk on-prem with Azure, by installing the Universal Forwarder on the VMs, but I'm still going to use the Add-on to get Azure audit logs.
Where should I install the add-on?
In addition, do I have to use a Heavy Forwarder (between the UF and the indexer) in this case?
Thanks
Install the TA on the search head(s). It's not necessary to send to a heavy forwarder, but if you don't, you'll need to install it on the indexers as well.
http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
Thank you! So I need to install the add-on only on the search head? Or also on the heavy forwarder?
If you are sending any data to the HF from the UFs, then yes, install it on the heavy forwarder, and then you won't have to install it on the indexers.