Re: Splunk and Azure SQL audit via Event Hub

zippo706 · ‎03-17-2021

I'm not sure how to even troubleshoot this.

A few weeks ago, we started a dropoff in events into splunk. We are sending Azure SQL Server audit logs via event hub picked up by Azure Add-on for Splunk. our traffic has NOT changed. Our HF has not changed.

I can't see my activity anymore (a month ago i saw everything I did). Now, i have no visibility to my traffic. I am seeing traffic from web servers and some other users, but not sure i trust it now. There has been a drop off in events.

What can I do to troubleshoot what is going on here? I can turn on verbose logging, but since i can't throttle or specify what is getting logged (server log, not db log), it would be 000s of messages in a very heavily used database.

masonwillinger · ‎04-14-2021

Azure Event Hub connectivity was recently deprecated in the Azure Add-on for Splunk. That functionality has been moved to the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/). Not saying there isn't another issue causing the drop-off, but it might be worth investigating moving that Event Hub connection to the other add-on.

Splunk and Azure SQL audit via Event Hub

search job inspector

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases