Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get Logs from Azure servers to On-prem splunk?

kiran331
Builder
‎12-12-2017 08:46 AM

Hello,

What is the best way to get windows logs and linux logs from aroung 200+ servers in Azure to on-prem splunk environment, I tried the blob storage option but its not in correct format. is it better to Install universal forwarders on cloud servers and forward them to on-prem indexers. any one had similar issue?

Tags (1)
0 Karma
Reply

ppadhi01
Observer
‎03-08-2024 04:03 PM

Looking for the solution. Would you mind if you resolve this issue, getting  Azure applciaion log to On-prem Splunk

0 Karma
Reply

varadredgntn
Engager
‎12-18-2017 03:03 AM

I would recommend installing UF on the servers and forward the logs to your Splunk instance, that way you also have better control on how you want to parse the data. Using the blob storage may not give that flexibility.

0 Karma
Reply

baldwintm
Path Finder
‎12-13-2017 04:03 PM

I’ve found that the best way to get logs from servers in azure is to install the universal forwarder on the instances.

0 Karma
Reply

kiran331
Builder
‎12-14-2017 07:17 AM

are you able to manage forwarders with on-prem deployment server?

0 Karma
Reply

baldwintm
Path Finder
‎12-14-2017 07:21 AM

Yes. Assuming you have network connectivity and the hosts in Azure can reach port 8089 on the deployment server.

0 Karma
Reply

kiran331
Builder
‎12-14-2017 07:31 AM

Is it a best practice to talk to 8089 over internet with public Ip?

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎12-14-2017 11:02 AM

Yep you could do this, it would just be a good idea to flip off of Splunk default certs to 3rd party or self-signed certs for both the management port (8089) and for the forwarding layer (ie. 9997)

- MattyMo
0 Karma
Reply

baldwintm
Path Finder
‎12-14-2017 07:43 AM

That's a good question.
It's https, so it would be encrypted, but then getting the data back to the indexers would be a little interesting.

I'm not sure I have a good answer for you

0 Karma
Reply

adonio
Ultra Champion
‎12-12-2017 09:48 AM

hello @kiran331,

are you using the app for mscs https://splunkbase.splunk.com/app/3110/#/overview
did you configure the Azure modular input?

0 Karma
Reply

kiran331
Builder
‎12-12-2017 09:50 AM

Yes, I'm getting the Azure audit logs and resource logs, I'm looking for security, system and application logs from the windows servers in azure

0 Karma
Reply

adonio
Ultra Champion
‎12-12-2017 09:57 AM

looks like you are on the right track,
read here:
https://www.splunk.com/blog/2016/03/15/splunking-microsoft-azure-data.html
did you enable the correct audit rules on your azure account?
check out these links: (also directly from article above)
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-...
https://msdn.microsoft.com/en-us/library/azure/dn931934.aspx

hope it helps

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎12-13-2017 06:14 AM

Hey Kiran!

I will be working with the MS Azure team shortly after the new year to ensure that Splunking Azure gets the first class treatment like we have in AWS! Once I have met with them I will be sure to check back with you. Until then, let us know what you find!

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...