Getting Data In

Indexing and parsing Azure AD logs

vrajshekar
Path Finder

I am new to Splunk. We are currently trying to configure Splunk to parse Azure AD logs being received from a syslog server.

I have installed multiple apps/add-ons, but none of them are helping me parse the logs.

I have configured inputs.conf, and when I set the sourcetype from Add-on, it doesn't work.

How can I achieve this? Please help.

0 Karma

venkatasri
SplunkTrust

Hi @vrajshekar

You are not using the add-on to pull the logs from the MS API as described in the docs. If you are getting them from a syslog server, are you storing them in files, or directly trying to forward them to a Splunk HF/indexer?

If you are storing syslog in files and forwarding them via a UF, then you have to set up inputs.conf and use sourcetype=o365:management:activity.

You need to find the props.conf inside the add-on that has the sourcetype stanza [o365:management:activity] and copy the props file to the Heavy Forwarder/indexer (depending on your set-up) to either /opt/splunk/system/local or /opt/splunk/etc/apps/<yourapp>/local/, then restart the HF/indexer.

This is the general approach most Splunkers follow; you have to improvise depending on your set-up. The above process works for parsing only.

--------------------

An upvote would be appreciated if it helps!

0 Karma

venkatasri
SplunkTrust

Hi @vrajshekar

As per the docs, 'Splunk Add-on for Microsoft Office 365' is the right add-on to pull the logs from the MS API. Since you are using syslog as an intermediary to send the logs to Splunk, you should check what the change in log structure is; if there is a change (usually syslog messages have additional headers added), you will have to write your own parsing at index time.

On the search head you will have to write your own field extractions. The Splunk documentation has a list of sourcetypes; 'o365:management:activity' is the one where AD audit logs are logged if you install the add-on correctly (since you have a syslog server, I'm not sure whether this will really work in your case).

Splunk docs are always the first source of info: Installation and configuration overview for the Splunk Add-on for Microsoft Office 365 - Splunk Docu...

----------------------------

An upvote would be appreciated if it helps!

0 Karma
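The two answers above describe a procedure in prose: point an inputs.conf stanza at the syslog files with the o365:management:activity sourcetype, then give the heavy forwarder/indexer a props.conf stanza for that sourcetype that copes with whatever the syslog relay prepended. The following is an added example of what that looks like as configuration; it is not from this thread and not the add-on's own props.conf (which remains the authoritative stanza to compare against). The monitor path, the index name, the shape of the syslog header, and the assumption that each record carries the Management Activity API's CreationTime field are all assumptions made for this example.

```ini
# --- inputs.conf on the Universal Forwarder that reads the syslog server's files ---
# The monitor path and index name are assumptions for this example.
[monitor:///var/log/syslog/azuread/*.log]
sourcetype = o365:management:activity
index = azure_ad
disabled = 0

# --- props.conf on the Heavy Forwarder / indexer (index-time settings) ---
# Place it in $SPLUNK_HOME/etc/system/local or the app's local directory named in the
# answer above, then restart that instance. Stanza name must match the sourcetype.
[o365:management:activity]
# One syslog line is one event: break on newlines and never merge lines,
# so a long JSON record is not glued to its neighbour or split in two.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 100000

# Assumed (constructed) input line as written by the relay, header followed by JSON:
#   <134>Jan 10 12:34:56 syslog-relay azuread: {"CreationTime":"2024-01-10T12:34:50","Operation":"UserLoggedIn", ...}
# Strip everything up to the first "{" so the indexed _raw is the original JSON record.
# Without this, a JSON-aware extraction sees the header first and returns nothing.
SEDCMD-strip_syslog_header = s/^[^{]*(\{.*)$/\1/

# Take the event time from the record itself, not from the relay's clock: the relay
# timestamp says when the line was forwarded, not when the sign-in or change happened.
TIME_PREFIX = "CreationTime":\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25

# --- props.conf on the search head (search-time setting, same stanza name) ---
# KV_MODE is evaluated at search time, so it takes effect on the search head;
# it turns the JSON body into fields (Operation, UserId, ClientIP, ...) without
# hand-written regex extractions.
KV_MODE = json
```

Index-time settings (line breaking, SEDCMD, timestamp extraction) act only on the first full Splunk Enterprise instance the data passes through, so they belong on the HF if one sits in front of the indexers and are ignored there otherwise; data already indexed before the restart keeps its old shape. A quick check after the restart is a search such as `index=azure_ad sourcetype=o365:management:activity | head 5`: `_raw` should begin with `{`, `_time` should agree with the record's CreationTime rather than the relay's time, and the JSON fields should appear in the field sidebar. If the relay does not emit the header shape assumed here, the SEDCMD regex is the line to adjust.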

vrajshekar
Path Finder

Hi @venkatasri

No additional fields are being added from syslog.

Can I configure inputs.conf to use the sourcetype from 'Splunk Add-on for Microsoft Office 365'? Is this possible?

If not, please let me know if you have any suggestions.

0 Karma