how to get Logs from Azure servers to On-prem splunk?

kiran331
Builder

Hello,

What is the best way to get Windows logs and Linux logs from around 200+ servers in Azure to an on-prem Splunk environment? I tried the blob storage option, but it's not in the correct format. Is it better to install universal forwarders on the cloud servers and forward them to on-prem indexers? Has anyone had a similar issue?


ppadhi01
Observer

Looking for the solution. Would you mind sharing if you resolve this issue, getting Azure application logs to on-prem Splunk?


varadredgntn
Engager

I would recommend installing a UF on the servers and forwarding the logs to your Splunk instance; that way you also have better control over how you want to parse the data. Using the blob storage may not give that flexibility.


baldwintm
Path Finder

I've found that the best way to get logs from servers in Azure is to install the universal forwarder on the instances.


kiran331
Builder

Are you able to manage forwarders with an on-prem deployment server?


baldwintm
Path Finder

Yes. Assuming you have network connectivity and the hosts in Azure can reach port 8089 on the deployment server.


kiran331
Builder

Is it a best practice to talk to 8089 over the internet with a public IP?


mattymo
Splunk Employee

Yep, you could do this; it would just be a good idea to flip off of the Splunk default certs to 3rd-party or self-signed certs for both the management port (8089) and for the forwarding layer (i.e. 9997).

- MattyMo
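The setup the thread converges on (UF on each Azure VM, phoning home to an on-prem deployment server on 8089 and forwarding to on-prem indexers on 9997, both with non-default certificates) looks roughly like the following. This is an added example, not configuration from any poster; all hostnames, certificate paths and the private CA are assumptions, and the indexer's and deployment server's own server.conf must point sslRootCAPath at the same CA so they can validate the forwarder certificate.

```ini
# --- Universal forwarder on each Azure VM: $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# Phone home to the on-prem deployment server over TLS on 8089 (hostnames are placeholders).
[deployment-client]
phoneHomeIntervalInSecs = 600

[target-broker:deploymentServer]
targetUri = ds.onprem.example.com:8089

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/server.conf
# Trust only the assumed private CA and verify the deployment server's certificate,
# so the UF will not accept apps from whatever answers on 8089.
[sslConfig]
enableSplunkdSSL = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = ds.onprem.example.com
sslVersions = tls1.2

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf
# Forward to the on-prem indexers over TLS on 9997, presenting a client certificate
# and checking the indexers' certificates against the same private CA.
[tcpout]
defaultGroup = onprem_indexers

[tcpout:onprem_indexers]
server = idx1.onprem.example.com:9997, idx2.onprem.example.com:9997
useACK = true
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = REPLACE_WITH_KEY_PASSPHRASE
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.onprem.example.com, idx2.onprem.example.com

# --- On-prem indexer: $SPLUNK_HOME/etc/system/local/inputs.conf
# Accept only TLS-wrapped forwarder traffic on 9997 and require a client certificate,
# so a host that merely reaches the port cannot inject events.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = REPLACE_WITH_KEY_PASSPHRASE
requireClientCert = true
sslVersions = tls1.2
```

Pair this with network rules that allow 8089 and 9997 only from the Azure VMs' egress addresses; the certificate checks keep a stray client or impostor server out even if those rules are wider than intended.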

baldwintm
Path Finder

That's a good question.
It's HTTPS, so it would be encrypted, but then getting the data back to the indexers would be a little interesting.

I'm not sure I have a good answer for you.


adonio
Ultra Champion

Hello @kiran331,

Are you using the app for MSCS (https://splunkbase.splunk.com/app/3110/#/overview)?
Did you configure the Azure modular input?


kiran331
Builder

Yes, I'm getting the Azure audit logs and resource logs. I'm looking for the Security, System and Application logs from the Windows servers in Azure.


adonio
Ultra Champion

Looks like you are on the right track.
Read here:
https://www.splunk.com/blog/2016/03/15/splunking-microsoft-azure-data.html
Did you enable the correct audit rules on your Azure account?
Check out these links (also directly from the article above):
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-...
https://msdn.microsoft.com/en-us/library/azure/dn931934.aspx

Hope it helps.


mattymo
Splunk Employee

Hey Kiran!

I will be working with the MS Azure team shortly after the new year to ensure that Splunking Azure gets the first class treatment like we have in AWS! Once I have met with them I will be sure to check back with you. Until then, let us know what you find!

- MattyMo