All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what is the best way to use Splunk with Azure? Installing Universal fowarder on the VMs or use Splunk Add-on for Microsoft Cloud Services?

Koko12345678
Explorer
‎06-21-2018 05:34 AM

I would like to know what are the benefits of using Splunk Add-on for Microsoft Cloud Services over installing the Universal Forwarder directly on the VMs ? do I'll get more/ better information by using Splunk Add-on for Microsoft Cloud Services? if yes, what is the differences?

In addition, if I'll choose to use Splunk Add-on for Microsoft Cloud Services, does my existing Splunk interface will be changed? does the query method will stay the same?

Thanks 🙂

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎06-26-2018 03:15 PM

A Universal Forwarder on an Azure VM gives you the most control of what you collect. If your indexer is not in Azure, it could be a challenge as the receiving side of the UF will need to be accessible.

If you just want performance data and Windows Event Logs from your VMS, I think it is easier to use the Splunk Add-on for Microsoft Cloud Services (MSCS). Azure takes care of getting the data into a storage account. The MSCS add-on pulls in this data. Also, accessibility isn't as much of a concern here as the storage accounts are publicly accessible (with a key).

The MSCS add-on has some more inputs that are useful including Audit, Resource, and generic storage. So, a lot of people use a combination of UF and the MSCS add-on and the Azure Monitor add-on too.

Regarding the question about changing your Splunk interface - the add-on is visible as a Splunk app for configuration. No other changes are made. The query method stays the same too.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Koko12345678
Explorer
‎06-27-2018 12:56 AM

Thank you for your response, appreciate your help!

0 Karma
Reply
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎06-26-2018 03:15 PM

A Universal Forwarder on an Azure VM gives you the most control of what you collect. If your indexer is not in Azure, it could be a challenge as the receiving side of the UF will need to be accessible.

If you just want performance data and Windows Event Logs from your VMS, I think it is easier to use the Splunk Add-on for Microsoft Cloud Services (MSCS). Azure takes care of getting the data into a storage account. The MSCS add-on pulls in this data. Also, accessibility isn't as much of a concern here as the storage accounts are publicly accessible (with a key).

The MSCS add-on has some more inputs that are useful including Audit, Resource, and generic storage. So, a lot of people use a combination of UF and the MSCS add-on and the Azure Monitor add-on too.

Regarding the question about changing your Splunk interface - the add-on is visible as a Splunk app for configuration. No other changes are made. The query method stays the same too.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top