All Apps and Add-ons

Splunk add-on for Microsoft Cloud Service v2.1.0 - Not seeing mscs:azure:audit sourcetype

joelim
Explorer

Hi all,

I am currently having issues determining weather or not I am ingesting mscs:azure:audit sourcetype.

We were ingesting mscs:azure:audit prior to upgrading from v2.0.3 to v2.1.0 and now we are not. However, we are ingesting ms:o365:management.

We are running on Splunk Enterprise v6.5.3.1

I know the version that we are running is old but we have several dependencies that we need to test out before moving to version 3.0.0.

**Edit: The following parameters are already configured: Modular inputs, O365 account, Azure app account, Azure storage account , proxy and certificate.

Any help would be appreciated as I am currently clutching at straws.

0 Karma
1 Solution

joelim
Explorer
0 Karma

joelim
Explorer

Spoke to Splunk support; looks like there is a bug.

Workaround is documented here:

https://answers.splunk.com/answers/694725/splunk-add-on-for-microsoft-cloud-service-showing.html?chi...

0 Karma

deepashri_123
Motivator

Hey@joelim,

I think you need to configure Modular input for audit logs.
You can refer this logs:
https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureinputs2

Let me know if this helps!!

0 Karma

joelim
Explorer

@deepashri_123
Yes, I have configured the modular inputs via the app's GUI. I have also tried removing and re-creating each input but still no joy.

Other parameters configured: Inputs, Azure account and Azure storage account.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...