Installation

Integrate Azure with Splunk- Installing Universal Forwarder(UF) on the VMs or using the Splunk Add-on for Microsoft Cloud Services?

Koko12345678
Explorer
  1. what are the benefits of using each one of the approaches (Universal Forwarder(UF) on the VMs over using the Splunk Add-on for Microsoft Cloud Services)?
  2. Which one of them is easier to install/configure? and why?
  3. Assuming I already using UF on-prem and I used to it. does it make sense to keep working with it also with Azure ? or Splunk Add-on for Microsoft Cloud Services will be more beneficial for me? and why?

Thanks

Tags (1)
0 Karma

jconger
Splunk Employee
Splunk Employee

The answer to this question really depends on what you want to collect. If you are looking at VM data, you have 3 main options:

  1. UF on the VM - collects performance data, event logs, and anything else you tell it to collect via inputs.conf. This option gives you the most flexibility, but requires you to install the UF or make the UF part of your base image.
  2. Configure the VM in Azure to send logs to a storage account and use the Splunk Add-on for Microsoft Cloud Services (MSCS) to read the data deposited in the account. This will get you performance and event logs.
  3. Use the Azure Monitor Add-on for Splunk to collect metric data - no storage account needed.

When you get beyond VMs, most services in Azure give you the option to send diagnostic logs to storage accounts and/or Event Hubs. If you send data to a storage account, the MSCS add-on can collect that data. If you send data to an Event Hub, the Azure Monitor Add-on can collect that data.

Koko12345678
Explorer

Hi thambisetty,
Thank you for your response, correct me if I'm wrong, this Add-on will integrate my azure log analytics workspace with my on-prem splunk, which means all data have been collected in azure log analytics workspace( host data e.g. event logs/performance counter and platform data e.g. Audit logs) will be transferred to my on-prem Splunk (for example :to Heavy fowareder)? although this sounds like a great add-on, I will want to use something more stable, without parsing problems.

I still don't understand the difference between the 2 approaches I mention above,I would appreciate if you could answer my questions above, so I can have a clear picture about my options.

Thanks

0 Karma

thambisetty
SplunkTrust
SplunkTrust

Hi,

There is TA - https://splunkbase.splunk.com/app/3764/ available in splunk base to collect logs from Azure since Microsoft is working on to change REST Apis which are being used in this TA. TA has got some errors while parsing the data. for more info on this TA please find my comment in the below given link.
Check this https://answers.splunk.com/answers/655954/why-am-i-unable-to-configure-microsoft-oms-modular.html.

Azure has OMS workspace to collect and store data from all VMs and Azure has log analytics platform to analyze data and its kind of searching tool where you can create schedule searches and get produced results to splunk if you would like to reduce Splunk license.

————————————
If this helps, give a like below.
0 Karma

Koko12345678
Explorer

Hi thambisetty,
Thank you for your response, correct me if I'm wrong, this Add-on will integrate my azure log analytics workspace with my on-prem splunk, which means all data have been collected in azure log analytics workspace( host data e.g. event logs/performance counter and platform data e.g. Audit logs) will be transferred to my on-prem Splunk (for example :to Heavy fowareder)? although this sounds like a great add-on, I will want to use something more stable, without parsing problems.

I still don't understand the difference between the 2 approaches I mention above,I would appreciate if you could answer my questions above, so I can have a clear picture about my options.

Thanks

0 Karma

thambisetty
SplunkTrust
SplunkTrust

Firstly,

What you have asked is right, this TA is supposed to collect logs from log analytics.

But,The TA is not working as expected.

We need to make two calls to azure This is what TA is doing

one is to authenticate and get access token(expires in 3600 secs) for the right resource(azure has multiple resuources like api.loganalytics.io,management.azure.com.etc)using app details which we would get from azure portal.

Another one is to collect actual data and this is supposed to be api.loganalytics.io but TA is making call to wrong resource i.e management.azure.com

This I have fixed.

And then found parsing issue as I posted in the link which I shared here in my preovious comment.

Answer for you questions:

Using API we can get all the type of data which you asked, but need to consider the amount of data and number of calls required to get all events/performance metrics in real time.

Hope this answers your queries.

————————————
If this helps, give a like below.
0 Karma

Koko12345678
Explorer

thank you again, appreciate your answer, but my question is not about the add-on you mention (integrating log analytics with splunk), it's about the difference between Installing Universal Forwarder(UF) on the VMs to collect vm data ,or using the Splunk Add-on for Microsoft Cloud Services.
these are my questions:

  1. what are the benefits of using each one of the approaches (Universal Forwarder(UF) on the VMs over using the Splunk Add-on for Microsoft Cloud Services)?

  2. Which one of them is easier to install/configure? and why?

  3. Assuming I already using UF on-prem and I used to it. does it make sense to keep working with it also with Azure ? or Splunk Add-on for Microsoft Cloud Services will be more beneficial for me? and why?

thanks 🙂

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...