Hi @rayar ,

Even I am trying to collect the logs from Log Analytics to Splunk. If you have already done it. Please guide me how to proceed further.

Hi @rayar 

The best way to collect data from azure is: the splunk add-on for microsoft clouds  services and microsoft azure add-on for splunk

https://splunkbase.splunk.com/app/3110/

https://splunkbase.splunk.com/app/3757/

Anyway you can collect the log list below with a short description, you can collect many souces via rest or eventhub depend on the log type.

• Activity data [REST] or [Event Hub]: This is basically who did what and when.  For example, if I log on to the Azure portal and create a new VM, the VM creation action is captured in an activity log.
• Resource data [REST]: This data source covers what services you use.  If you think of the activity data as "something happened", think of the resource data as "something exists".  For example, Virtual Machines, storage accounts, public IP addresses, etc. are all resources.
• Authentication data [REST] or [Event Hub]: This is pretty self-explanatory, but I will point out that you can get things like multi-factor authentication data, self-service password reset data, conditional access policy data, and a whole set of Azure Active Directory data.
• NSG flow logs [Storage account]: This source is like a network trace including source and destination IP addresses, ports, protocols, etc. For more information on this topic, check out this blog post.
• Web Application and App Insights [Storage account]: Web Application data includes web server data (hosted or shared) as well as your web application data. App Insights is APM data.
• Cost and consumption [REST]: This data source contains details on what services you are using and how much that usage costs. This data can also include VM reservation recommendations to save you money on your VM spend.
• Alerts [REST] or [Event Hub]: Both service and security alerts are available as part of the activity log.  An example of a service alert may be a degradation of a service in a region. For example, if storage services were impacted in a region you use, that alert and relevant messages would be available. To give you an example of a security alert, Microsoft may send an alert that you only have one global admin.
• Metrics [REST]: Azure makes a plethora of metrics available.  The entire list of available metrics is available from Microsoft here.