Thanks
The answer to this question really depends on what you want to collect. If you are looking at VM data, you have 3 main options:
When you get beyond VMs, most services in Azure give you the option to send diagnostic logs to storage accounts and/or Event Hubs. If you send data to a storage account, the MSCS add-on can collect that data. If you send data to an Event Hub, the Azure Monitor Add-on can collect that data.
Hi,
There is a TA (https://splunkbase.splunk.com/app/3764/) available on Splunkbase to collect logs from Azure. Since Microsoft is working on changing the REST APIs which are used in this TA, the TA has got some errors while parsing the data. For more info on this TA, please find my comment in the link given below.
Check this https://answers.splunk.com/answers/655954/why-am-i-unable-to-configure-microsoft-oms-modular.html.
Azure has an OMS workspace to collect and store data from all VMs, and Azure has the Log Analytics platform to analyze data. It's a kind of searching tool where you can create scheduled searches and get the produced results into Splunk if you would like to reduce Splunk license usage.
Hi thambisetty,
Thank you for your response. Correct me if I'm wrong: this Add-on will integrate my Azure Log Analytics workspace with my on-prem Splunk, which means all data that has been collected in the Azure Log Analytics workspace (host data, e.g. event logs/performance counters, and platform data, e.g. audit logs) will be transferred to my on-prem Splunk (for example, to a Heavy Forwarder)? Although this sounds like a great add-on, I will want to use something more stable, without parsing problems.
I still don't understand the difference between the 2 approaches I mention above. I would appreciate it if you could answer my questions above, so I can have a clear picture of my options.
Thanks
Firstly,
What you have asked is right: this TA is supposed to collect logs from Log Analytics.
But the TA is not working as expected.
We need to make two calls to Azure. This is what the TA is doing:
One is to authenticate and get an access token (expires in 3600 secs) for the right resource (Azure has multiple resources like api.loganalytics.io, management.azure.com, etc.) using app details which we would get from the Azure portal.
Another one is to collect the actual data, and this is supposed to be api.loganalytics.io, but the TA is making the call to the wrong resource, i.e. management.azure.com.
This I have fixed.
And then I found a parsing issue, as I posted in the link which I shared here in my previous comment.
Answer for your questions:
Using the API we can get all the types of data which you asked about, but you need to consider the amount of data and the number of calls required to get all events/performance metrics in real time.
Hope this answers your queries.
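The two-call flow described in the comment above, as an added example (not code from the Splunk TA or from anyone in this thread): the client-credentials token request for a named resource, then the Log Analytics query with that token, with a pre-flight check that the token's audience is the host being queried, so a token requested for management.azure.com is rejected locally instead of producing a 401 from api.loganalytics.io. The token endpoint and query URL are Microsoft's documented ones; the tenant, app ids, workspace id and the unsigned sample token are constructed placeholders, and the 300-second expiry margin is an assumed value.

```python
import base64
import json
import time
from urllib.parse import urlencode, urlparse

# Endpoints as documented by Microsoft; everything else below
# (tenant, app ids, secret, workspace id, sample token) is constructed.
AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
LA_QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace}/query"
LA_RESOURCE = "https://api.loganalytics.io"
ARM_RESOURCE = "https://management.azure.com/"
TOKEN_LIFETIME = 3600  # seconds, as stated in the comment above


def build_token_request(tenant, client_id, client_secret, resource):
    """Call 1: client-credentials grant. 'resource' selects which Azure API the
    returned token is valid for; it must match the API queried in call 2."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return AAD_TOKEN_URL.format(tenant=tenant), body


def _jwt_payload(token):
    """Decode the JWT payload without verifying the signature. The client only
    inspects its own freshly issued token here; this is not server-side validation."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_resource(token, url):
    """True when the token's audience host equals the host of the data request."""
    aud = _jwt_payload(token).get("aud", "")
    aud_host = urlparse(aud).hostname if "://" in aud else aud.rstrip("/")
    return aud_host == urlparse(url).hostname


def token_is_fresh(token, now=None, skew=300):
    """True when the token will not expire within `skew` seconds (assumed margin)."""
    now = time.time() if now is None else now
    return now + skew < _jwt_payload(token).get("exp", 0)


def build_query_request(workspace, token, kql, now=None):
    """Call 2: the Log Analytics query. Refuses to build the request when the
    token was issued for another resource (the mix-up described in the thread)
    or is about to expire, instead of letting the API answer with 401."""
    url = LA_QUERY_URL.format(workspace=workspace)
    if not token_matches_resource(token, url):
        raise ValueError("token audience does not match %s; request it with resource=%s"
                         % (urlparse(url).hostname, LA_RESOURCE))
    if not token_is_fresh(token, now):
        raise ValueError("token expires soon; re-run the authentication call")
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    return url, headers, json.dumps({"query": kql})


def make_sample_token(aud, exp):
    """Constructed, unsigned JWT (alg 'none') so the checks can run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud, "exp": exp}))


if __name__ == "__main__":
    workspace_id = "00000000-0000-0000-0000-000000000000"  # placeholder
    issued = int(time.time())
    good = make_sample_token(LA_RESOURCE, issued + TOKEN_LIFETIME)
    wrong = make_sample_token(ARM_RESOURCE, issued + TOKEN_LIFETIME)
    url, headers, body = build_query_request(
        workspace_id, good, "Perf | where TimeGenerated > ago(5m) | take 10")
    print("would POST", url, body)
    try:
        build_query_request(workspace_id, wrong, "Heartbeat | take 1")
    except ValueError as err:
        print("rejected:", err)
```

In a real collector the token request body is POSTed to the AAD URL and the `access_token` field of the JSON reply is what gets passed to `build_query_request`; the audience check costs nothing and turns the silent wrong-resource mistake into an immediate, readable error in the collector's own log.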
Thank you again, I appreciate your answer, but my question is not about the add-on you mention (integrating Log Analytics with Splunk); it's about the difference between installing a Universal Forwarder (UF) on the VMs to collect VM data, or using the Splunk Add-on for Microsoft Cloud Services.
These are my questions:
What are the benefits of using each one of the approaches (Universal Forwarder (UF) on the VMs over using the Splunk Add-on for Microsoft Cloud Services)?
Which one of them is easier to install/configure, and why?
Assuming I am already using UF on-prem and I am used to it, does it make sense to keep working with it also with Azure? Or will the Splunk Add-on for Microsoft Cloud Services be more beneficial for me, and why?
Thanks 🙂