I have some questions regarding Splunk; I am new at this.
The first one is: is the add-on for Azure Cloud available on Splunk on-prem? If not, how can we do it?
The second question: when Splunk collects custom logs from an Azure Storage Blob, does it copy them or just read the logs?
And finally, can we send alerts to the Splunk API? How can we do it? Thank you.
There are several add-ons that can read data from Microsoft Azure and Office 365, I'll summarize those here:
The Splunk Add-on for Microsoft Cloud Services will collect data from Azure Storage Accounts (table and blob), enumerate Azure resources (like VMs, Virtual Networks, NICs, etc.), collect Azure Audit data (who did what and when), and Office 365 activity data.
The Azure Monitor Add-on for Splunk will read Azure Monitor data like Metrics, Diagnostics Logs, and Activity Logs via Event Hubs.
The Azure Active Directory Reporting Add-on will read Azure Active Directory Sign-in data and AD Audit data.
The Microsoft Office 365 Reporting Add-on will get message trace data (email from/to, subject, size, etc.).
All of these add-ons are free and the data collected can be sent to Splunk running on-premises, Splunk Cloud, or Splunk running in a cloud somewhere else (like Azure, AWS, or GCP).
When Splunk collects data from an Azure Storage Blob, the add-on just reads the data. Specifically, the bytes are streamed as text from the blob to Splunk.
Which alerts are you referring to? There are multiple ways to send alert data to Splunk or have Splunk generate alerts and take action.
All you need is a list of Azure subscription IDs, and the API should be configured in the Azure AD console.
Here are the instructions:
Configure an Active Directory Application in Azure AD for the Splunk Add-on for Microsoft Cloud Services
In order to gather data from the Microsoft Office 365 Management APIs and Windows Azure Service Management APIs, you must first create an active directory application in Azure AD. This application securely authenticates the Splunk Add-on for Microsoft Cloud Services via the OAuth2 protocol, so that it can access and gather the data according to the services and permission levels that you specify.
Obtain a redirect URL for your application
Note: This is an optional procedure; you only need to perform this step if you need to configure the Microsoft Office 365 account in the Splunk Add-on for Microsoft Cloud Services.
As part of the registration of your application in Azure AD, you need to supply a redirect URL that Azure can use to authenticate the Splunk Add-on for Microsoft Cloud Services. To determine what this URL should be:
Navigate to the Splunk Add-on for Microsoft Cloud Services on the Splunk platform node that is responsible for collecting data for this source.
Open the Configuration tab, then click Add Account.
The window displays a Redirect URL for this Splunk platform instance. Copy it to your clipboard.
If your data collection node does not have a Splunk Web UI, use http:///en-US/app/Splunk_TA_microsoft-cloudservices/redirect as your redirect URL.
Create an application in Microsoft Azure AD
Follow the instructions in the Microsoft documentation to create an active directory application: Use portal to create an Azure Active Directory application and service principal that can access resources for either your Azure portal or Azure Government portal.
When prompted, select or enter the following parameters.
Sign-on URL and App ID URI: Required for Microsoft Office 365 account.
These are irrelevant for the Splunk Add-on for Microsoft Cloud Services. Enter any valid URIs.
Reply URL: Required for Microsoft Office 365 account.
Enter the redirect URL from the step Obtain a redirect URL for your application.
Client ID: Required for Microsoft Office 365 and Azure App account.
Copy this value. You need this value and a valid secret key to connect to your account from the add-on.
Key: Required for Microsoft Office 365 and Azure App account.
Copy this value to a secure location as soon as the Azure AD admin console displays it.
X.509 certificate: Required for Microsoft Office 365 account.
Skip this section of the instructions for now. You can add this later, following the instructions in Configure a certificate and private key to enable service-to-service calls for the Splunk Add-on for Microsoft Cloud Services.
Tenant ID: Required for Azure App account. Copy this value for future use.
Add permissions to your Active Directory Applications
Application permissions to access Office 365 Management APIs
In order to get data from Office 365 management APIs, you need to add the Office 365 Management APIs to the permissions to other applications list. Select all the required permissions listed under both Application Permissions and Delegated Permissions:
Read activity reports for your organization
Read activity data for your organization
Read service health information for your organization
For detailed instructions, see the permissions your app requires to access the Office 365 Management APIs on MSDN.
Office 365 tenant admin consent
Now that the add-on is configured with the permissions it needs to use the Office 365 Management APIs, a tenant admin must explicitly grant the add-on these permissions in order to access their tenant's data by using the APIs. To grant consent, the tenant admin must log in to Azure AD, using the following specially constructed URL, where they can review your add-on's requested permissions. This step is not required when using the APIs to access data from your own tenant.
For detailed information, see 365 tenant admin consent on MSDN.
Application permissions to access Windows Azure Service Management APIs
Select Access Azure Service Management as organization under Delegated Permissions.
Grant the Active Directory Application Read Access
Note: This is an optional procedure; you only need to perform this step if you need to configure the Azure App account in the Splunk Add-on for Microsoft Cloud Services.
After creating the Active Directory Application, log in to either the Azure portal or the Azure Government portal to grant this application read access to Microsoft Cloud Services (you must have a Premium P1 Active Directory edition or higher to perform this operation). See Use portal to create an Azure Active Directory application and service principal that can access resources for more information.
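As an added example (not part of the original answer or of the Splunk add-on's own code), the script below checks the four values the procedure above tells you to copy out of the app registration (Tenant ID, Client ID, Key, redirect URL), builds the OAuth2 client-credentials token request the add-on's authentication relies on, and sanity-checks the claims of a returned access token against the configured tenant and application. It assumes the Azure AD v1 token endpoint (login.microsoftonline.com/{tenant}/oauth2/token with grant_type, client_id, client_secret and resource parameters); the hostname splunk.example.com, the GUIDs, the secret and the sample token are all constructed placeholders, and the claims check only parses the token, it does not verify its signature.

```python
"""Validate Azure AD app settings for the Splunk Add-on for Microsoft Cloud
Services and build the client-credentials token request (added example)."""
import base64
import json
import uuid
from urllib.parse import urlencode, urlparse

# Resource identifiers for the two APIs the procedure above grants permissions on
# (assumed: the add-on uses the same Azure AD v1 resource identifiers).
AZURE_MANAGEMENT_RESOURCE = "https://management.azure.com/"
O365_MANAGEMENT_RESOURCE = "https://manage.office.com"
ADDON_REDIRECT_PATH = "/en-US/app/Splunk_TA_microsoft-cloudservices/redirect"


def is_guid(value):
    """True only for a canonical hyphenated GUID, which is what the portal shows."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def validate_app_settings(settings):
    """Return a list of problems with the values copied from the Azure AD portal."""
    problems = []
    if not is_guid(settings.get("tenant_id", "")):
        problems.append("tenant_id must be the directory (tenant) GUID")
    if not is_guid(settings.get("client_id", "")):
        problems.append("client_id must be the application (client) GUID")
    if not settings.get("client_secret"):
        problems.append("client_secret (the 'Key' from the portal) is empty")
    parsed = urlparse(settings.get("redirect_url", ""))
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("redirect_url must include a scheme and the Splunk host")
    elif not parsed.path.endswith(ADDON_REDIRECT_PATH):
        problems.append("redirect_url path is not the add-on's redirect endpoint")
    return problems


def build_token_request(settings, resource):
    """URL and form body of the client-credentials grant (Azure AD v1 endpoint)."""
    url = f"https://login.microsoftonline.com/{settings['tenant_id']}/oauth2/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": settings["client_id"],
        "client_secret": settings["client_secret"],
        "resource": resource,
    }
    return url, urlencode(body)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token_claims(access_token, settings, resource):
    """Compare tid/appid/aud claims with the configured app; no signature check."""
    _header, payload, _sig = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    problems = []
    if claims.get("tid") != settings["tenant_id"]:
        problems.append("token issued for a different tenant")
    if claims.get("appid") != settings["client_id"]:
        problems.append("token issued to a different application")
    if claims.get("aud") != resource:
        problems.append("token audience is not the requested resource")
    return claims, problems


def make_unsigned_token(claims):
    """Constructed JWT-shaped string with a fake signature, for offline demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "fakesig"])


# Constructed placeholder values; not real identifiers or credentials.
SAMPLE_SETTINGS = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-secret-value",
    "redirect_url": "https://splunk.example.com:8000" + ADDON_REDIRECT_PATH,
}

if __name__ == "__main__":
    print("settings problems:", validate_app_settings(SAMPLE_SETTINGS))
    url, body = build_token_request(SAMPLE_SETTINGS, AZURE_MANAGEMENT_RESOURCE)
    print("POST", url)
    print(body.replace(SAMPLE_SETTINGS["client_secret"], "<redacted>"))
    token = make_unsigned_token({"tid": SAMPLE_SETTINGS["tenant_id"],
                                 "appid": SAMPLE_SETTINGS["client_id"],
                                 "aud": AZURE_MANAGEMENT_RESOURCE})
    print("claims problems:", check_token_claims(token, SAMPLE_SETTINGS, AZURE_MANAGEMENT_RESOURCE)[1])
```

Run it before the first data collection to catch a Tenant ID pasted into the Client ID field or a redirect URL missing its host; treat the claims check as a configuration aid only, since trusting a token still requires verifying its signature against Azure AD's published keys.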