Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk and Azure SQL audit via Event Hub

zippo706
Explorer
‎03-17-2021 06:03 PM

I'm not sure how to even troubleshoot this.

A few weeks ago, we started a dropoff in events into splunk.   We are sending Azure SQL Server audit logs via event hub picked up by Azure Add-on for Splunk.   our traffic has NOT changed.   Our HF has not changed.

I can't see my activity anymore (a month ago i saw everything I did).   Now, i have no visibility to my traffic.   I am seeing traffic from web servers and some other users, but not sure i trust it now.   There has been a drop off in events.

What can I do to troubleshoot what is going on here?  I can turn on verbose logging, but since i can't throttle or specify what is getting logged (server log, not db log), it would be 000s of messages in a very heavily used database.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

masonwillinger
Explorer
‎04-14-2021 11:07 AM

Azure Event Hub connectivity was recently deprecated in the Azure Add-on for Splunk. That functionality has been moved to the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/). Not saying there isn't another issue causing the drop-off, but it might be worth investigating moving that Event Hub connection to the other add-on.

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...