Log Analytics logs from Azure

rayar
Contributor

What is the best way to import Log Analytics logs from Azure to Splunk?

Is there any way to do it without using Event Hub?

We are using Splunk Enterprise version 7.3.4.

We also have a heavy forwarder on Splunk Enterprise version 8.1.


vihar254
Loves-to-Learn Lots

Hi @rayar ,

I am also trying to collect the logs from Log Analytics into Splunk. If you have already done it, please guide me on how to proceed further.


jaxjohnny2000
Builder

I have not seen a reliable way to pull Log Analytics workspace data into Splunk.

https://splunkbase.splunk.com/app/4127/ - no longer functions on 8.2.x; the developer is no longer updating the add-on. This was a great add-on and worked for 2 years. Now it's gone.

https://splunkbase.splunk.com/app/4847/ - This will pull in the data, but it's a mess. There are no field extractions, and it pulls in data you do not need, like table structure and row structure, but it does not map them together or extract a single field. There is an option for CSV or JSON; both do the same thing, just bringing in a pile of data.

Splunk has nothing for this.

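The complaint above about table structure and row structure arriving separately is a property of the JSON the Log Analytics Query API returns: each result table carries a `columns` list and a `rows` list of arrays, and the two only become useful events once they are zipped together. The following is an added example (not code from either Splunkbase add-on or from the poster) showing that join, plus rendering the rows as HTTP Event Collector (HEC) JSON with `TimeGenerated` as the event time. The sample response, host names, account names and the `azure:loganalytics` sourcetype are constructed for the example; no network call is made, so a real run would first fetch the response from the workspace query endpoint with a bearer token.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a Log Analytics Query API response:
# a list of tables, each with column metadata and row arrays. The
# values (hosts, accounts, times) are made up for this example.
SAMPLE_RESPONSE = {
    "tables": [
        {
            "name": "PrimaryResult",
            "columns": [
                {"name": "TimeGenerated", "type": "datetime"},
                {"name": "Computer", "type": "string"},
                {"name": "EventID", "type": "int"},
                {"name": "Account", "type": "string"},
            ],
            "rows": [
                ["2021-06-01T12:00:00.123Z", "web01", 4625, "CONTOSO\\svc-backup"],
                ["2021-06-01T12:00:05.456Z", "web01", 4625, "CONTOSO\\svc-backup"],
                ["2021-06-01T12:01:10Z", "db02", 4624, "CONTOSO\\jsmith"],
            ],
        }
    ]
}


def flatten_tables(response):
    """Zip every row with its table's column names so each row is a flat dict.

    This is the mapping step the raw dump lacks: without it Splunk sees one
    blob of column metadata and another of positional row arrays.
    """
    events = []
    for table in response.get("tables", []):
        names = [col["name"] for col in table["columns"]]
        for row in table["rows"]:
            if len(row) != len(names):
                raise ValueError(f"row/column mismatch in table {table.get('name')!r}")
            event = dict(zip(names, row))
            event["_table"] = table.get("name")  # keep provenance of multi-table results
            events.append(event)
    return events


def _to_epoch(ts):
    """Convert an ISO-8601 UTC timestamp (up to 7 fractional digits) to epoch seconds."""
    ts = ts.rstrip("Z")
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{frac[:6].ljust(6, '0')}"  # fromisoformat wants 3 or 6 digits
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()


def to_hec_batch(events, sourcetype="azure:loganalytics", time_field="TimeGenerated"):
    """Render events as newline-delimited HEC JSON; TimeGenerated becomes the event time.

    Setting "time" explicitly avoids indexing with the ingestion time, which
    matters when a pull runs late or backfills a window.
    """
    lines = []
    for ev in events:
        payload = {"sourcetype": sourcetype, "event": ev}
        if time_field in ev:
            payload["time"] = _to_epoch(ev[time_field])
        lines.append(json.dumps(payload, separators=(",", ":")))
    return "\n".join(lines)


def failed_logons_by_account(events):
    """Count Windows failed logons (EventID 4625) per account, to show the flat
    events are queryable field-by-field once mapped."""
    counts = {}
    for ev in events:
        if ev.get("EventID") == 4625:
            counts[ev["Account"]] = counts.get(ev["Account"], 0) + 1
    return counts


if __name__ == "__main__":
    flat = flatten_tables(SAMPLE_RESPONSE)
    print(to_hec_batch(flat))
    print(failed_logons_by_account(flat))
```

The batch string is what you would POST to `/services/collector` on a HEC endpoint; splitting the query window on `TimeGenerated` and recording the last timestamp seen is the usual way to make the pull incremental without depending on Event Hub.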

aasabatini
Motivator

Hi @rayar 

The best way to collect data from Azure is the Splunk Add-on for Microsoft Cloud Services and the Microsoft Azure Add-on for Splunk:

https://splunkbase.splunk.com/app/3110/

https://splunkbase.splunk.com/app/3757/

Anyway, you can collect the log sources listed below (with a short description of each); many sources can be collected via REST or Event Hub, depending on the log type.

  • Activity data [REST] or [Event Hub]: This is basically who did what and when.  For example, if I log on to the Azure portal and create a new VM, the VM creation action is captured in an activity log.
  • Resource data [REST]: This data source covers what services you use.  If you think of the activity data as "something happened", think of the resource data as "something exists".  For example, Virtual Machines, storage accounts, public IP addresses, etc. are all resources.
  • Authentication data [REST] or [Event Hub]: This is pretty self-explanatory, but I will point out that you can get things like multi-factor authentication data, self-service password reset data, conditional access policy data, and a whole set of Azure Active Directory data.
  • NSG flow logs [Storage account]: This source is like a network trace including source and destination IP addresses, ports, protocols, etc. For more information on this topic, check out this blog post.
  • Web Application and App Insights [Storage account]: Web Application data includes web server data (hosted or shared) as well as your web application data. App Insights is APM data.
  • Cost and consumption [REST]: This data source contains details on what services you are using and how much that usage costs. This data can also include VM reservation recommendations to save you money on your VM spend.
  • Alerts [REST] or [Event Hub]: Both service and security alerts are available as part of the activity log.  An example of a service alert may be a degradation of a service in a region. For example, if storage services were impacted in a region you use, that alert and relevant messages would be available. To give you an example of a security alert, Microsoft may send an alert that you only have one global admin.
  • Metrics [REST]: Azure makes a plethora of metrics available.  The entire list of available metrics is available from Microsoft here.
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

jaxjohnny2000
Builder

Log Analytics is not mentioned in the above listing unfortunately


rayar
Contributor

Thanks, we have both apps installed. What type of input should we use for Log Analytics?


aasabatini
Motivator

Hi @rayar 

Please start with this guide:

https://www.splunk.com/en_us/blog/tips-and-tricks/splunking-microsoft-azure-monitor-data-part-1-azur...

You can also read these guides to understand all the kinds of logs:

https://www.splunk.com/en_us/blog/tips-and-tricks/getting-microsoft-azure-data-into-splunk.html

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-...

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

jaxjohnny2000
Builder

Log Analytics is not mentioned in this article unfortunately
