Getting Data In

how to get Logs from Azure servers to On-prem splunk?

kiran331
Builder

Hello,

What is the best way to get Windows logs and Linux logs from around 200+ servers in Azure to an on-prem Splunk environment? I tried the blob storage option but it's not in the correct format. Is it better to install universal forwarders on the cloud servers and forward them to on-prem indexers? Anyone had a similar issue?


ppadhi01
Observer

Looking for the solution. Would you mind if you resolve this issue, getting Azure application logs to on-prem Splunk?


varadredgntn
Engager

I would recommend installing the UF on the servers and forwarding the logs to your Splunk instance; that way you also have better control over how you want to parse the data. Using blob storage may not give that flexibility.


baldwintm
Path Finder

I've found that the best way to get logs from servers in Azure is to install the universal forwarder on the instances.


kiran331
Builder

Are you able to manage forwarders with an on-prem deployment server?


baldwintm
Path Finder

Yes. Assuming you have network connectivity and the hosts in Azure can reach port 8089 on the deployment server.


kiran331
Builder

Is it a best practice to talk to 8089 over the internet with a public IP?


mattymo
Splunk Employee

Yep, you could do this; it would just be a good idea to flip off of the Splunk default certs to third-party or self-signed certs for both the management port (8089) and for the forwarding layer (i.e. 9997).

- MattyMo
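As an added illustration (not configuration from any poster in this thread), here is a minimal set of Splunk .conf files for a universal forwarder running in Azure that does what mattymo describes: it phones home to the on-prem deployment server on 8089 and forwards to the on-prem indexers on 9997, using your own CA-issued certificates instead of the shipped Splunk defaults, and it verifies the indexer certificates so the forwarding layer cannot be silently redirected. It also includes the Windows Security/System/Application event log inputs that kiran331 is after, packaged as an app the deployment server would push. All host names, file names and the certificate password are placeholders; adjust them to your environment.

```ini
# --- $SPLUNK_HOME/etc/system/local/deploymentclient.conf  (on each Azure UF)
[deployment-client]
# phone home to the on-prem deployment server over TLS on 8089
phoneHomeIntervalInSecs = 600

[target-broker:deploymentServer]
# placeholder host: reach it over a VPN/ExpressRoute or a tightly filtered public IP
targetUri = ds.example.internal:8089

# --- $SPLUNK_HOME/etc/system/local/server.conf  (on each Azure UF)
[sslConfig]
# trust only your own CA, not the default CA that ships with every Splunk install
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCA.pem
serverCert    = $SPLUNK_HOME/etc/auth/mycerts/uf-cert.pem
sslPassword   = <placeholder-key-password>

# --- $SPLUNK_HOME/etc/apps/onprem_outputs/local/outputs.conf  (pushed by the deployment server)
[tcpout]
defaultGroup = onprem_indexers

[tcpout:onprem_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
# encrypt the forwarding layer with your own certs (the UF presents a client cert)
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCA.pem
clientCert    = $SPLUNK_HOME/etc/auth/mycerts/uf-cert.pem
sslPassword   = <placeholder-key-password>
# verify the indexer's chain and name so a forwarder can't be pointed at a rogue receiver
sslVerifyServerCert   = true
sslCommonNameToCheck  = idx1.example.internal, idx2.example.internal

# --- $SPLUNK_HOME/etc/apps/win_eventlogs/local/inputs.conf  (pushed to the Windows UFs)
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

# --- $SPLUNK_HOME/etc/system/local/inputs.conf  (on each on-prem indexer)
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert        = $SPLUNK_HOME/etc/auth/mycerts/idx-cert.pem
sslPassword       = <placeholder-key-password>
# only accept forwarders that present a cert signed by your CA
requireClientCert = true
```

The two settings that matter most if 8089 or 9997 is exposed to the internet are `sslVerifyServerCert = true` on the forwarder and `requireClientCert = true` on the indexer: together they give mutual TLS with your own CA, so neither side will talk to a peer that merely has the well-known default Splunk certificate. The `wineventlog` index name is an assumption; use whatever index your on-prem deployment already has for Windows event data.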

baldwintm
Path Finder

That's a good question.
It's https, so it would be encrypted, but then getting the data back to the indexers would be a little interesting.

I'm not sure I have a good answer for you.


adonio
Ultra Champion

Hello @kiran331,

Are you using the app for MSCS, https://splunkbase.splunk.com/app/3110/#/overview ?
Did you configure the Azure modular input?


kiran331
Builder

Yes, I'm getting the Azure audit logs and resource logs. I'm looking for the Security, System and Application logs from the Windows servers in Azure.


adonio
Ultra Champion

Looks like you are on the right track.
Read here:
https://www.splunk.com/blog/2016/03/15/splunking-microsoft-azure-data.html
Did you enable the correct audit rules on your Azure account?
Check out these links (also linked directly from the article above):
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-...
https://msdn.microsoft.com/en-us/library/azure/dn931934.aspx

Hope it helps.


mattymo
Splunk Employee

Hey Kiran!

I will be working with the MS Azure team shortly after the new year to ensure that Splunking Azure gets the first class treatment like we have in AWS! Once I have met with them I will be sure to check back with you. Until then, let us know what you find!

- MattyMo