Hi,
I came across multiple add-ons to collect Microsoft Azure AD logs. Which one is the best to collect the logs? Also is there a subscription needed on Azure end? If yes, is there a way to do it without subscription?
Please note: we have Splunk ES and HF
Regards
Vishakha
An Azure subscription is like an AWS account. For enterprise usage, you would need to have a paid subscription. However, to test/trial, you can sign up for a free Azure subscription, stand up compute (VMs) and collect logs from them into Splunk.
The choice of add-on depends on your use case and architectural approach to collecting the logs; e.g. if you want to collect Audit logs [similar to AWS CloudTrail], you can use https://splunkbase.splunk.com/app/3110
You can also take data directly from the Event Hub using suitable TAs. Please refer to the guidance on the Splunk Blog - https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.htm...
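The Event Hub route mentioned in the reply above delivers Azure Monitor data as JSON messages with a top-level "records" array. The script below is an added example, not code from this thread, from Splunk or from the add-on: it unwraps one such message and triages activity-log records the way an analyst looking only at activity (not system) logs would, keeping role-assignment and other watched writes, Security-category events and failed administrative writes. The sample message, the subscription GUID and the list of watched operation prefixes are constructed for illustration; the field names (records, time, category, operationName, resultType, caller, resourceId) are the ones used by the activity-log export schema.

```python
"""Triage Azure Activity Log records from an Event Hub export message.

Added example; not the add-on's code. Sample data below is constructed.
"""
import json
from typing import Dict, List, Optional

# Constructed sample: one Event Hub message as emitted by an Azure Monitor
# activity-log export (fake subscription GUID, fake callers).
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2023-05-01T10:00:00.000Z",
            "category": "Administrative",
            "operationName": "Microsoft.Authorization/roleAssignments/write",
            "resultType": "Success",
            "caller": "alice@example.com",
            "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                          "/providers/Microsoft.Authorization/roleAssignments/abc",
        },
        {
            "time": "2023-05-01T10:01:00.000Z",
            "category": "Administrative",
            "operationName": "Microsoft.Compute/virtualMachines/start/action",
            "resultType": "Success",
            "caller": "bob@example.com",
            "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                          "/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
        },
        {
            "time": "2023-05-01T10:02:00.000Z",
            "category": "Administrative",
            "operationName": "Microsoft.Storage/storageAccounts/write",
            "resultType": "Failure",
            "caller": "carol@example.com",
            "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                          "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1",
        },
        {
            "time": "2023-05-01T10:03:00.000Z",
            "category": "Security",
            "operationName": "Microsoft.Security/locations/alerts/activate/action",
            "resultType": "Success",
            "caller": "Microsoft.Security",
            "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                          "/providers/Microsoft.Security/locations/westeurope/alerts/xyz",
        },
    ]
})

# Constructed watch list: operations that change who can do what, or the network
# perimeter. Extend to taste; matching is a case-insensitive prefix test.
WATCHED_PREFIXES = (
    "microsoft.authorization/roleassignments/",
    "microsoft.authorization/policyassignments/",
    "microsoft.network/networksecuritygroups/",
    "microsoft.keyvault/vaults/accesspolicies/",
)


def parse_records(message: str) -> List[Dict]:
    """Unwrap the {"records": [...]} envelope; also accept a bare record list."""
    payload = json.loads(message)
    records = payload.get("records", []) if isinstance(payload, dict) else payload
    if not isinstance(records, list):
        raise ValueError("unexpected payload shape: expected a records list")
    return records


def subscription_of(resource_id: str) -> Optional[str]:
    """Extract the subscription GUID from a resourceId path, or None."""
    parts = resource_id.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1]
    return None


def is_interesting(rec: Dict) -> bool:
    """Security-relevant: Security category, watched operation, or a failed admin write/delete."""
    op = rec.get("operationName", "")
    if rec.get("category") == "Security":
        return True
    if op.lower().startswith(WATCHED_PREFIXES):
        return True
    failed = rec.get("resultType") != "Success"
    mutating = op.endswith(("/write", "/delete"))
    return rec.get("category") == "Administrative" and failed and mutating


def triage(message: str) -> List[Dict]:
    """Return the records worth an analyst's attention, normalised to a few fields."""
    hits = []
    for rec in parse_records(message):
        if is_interesting(rec):
            hits.append({
                "time": rec.get("time"),
                "subscription": subscription_of(rec.get("resourceId", "")),
                "caller": rec.get("caller"),
                "operation": rec.get("operationName"),
                "result": rec.get("resultType"),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGE):
        print(hit)
```

The subscription GUID is pulled out of resourceId on purpose: when many subscriptions feed one Event Hub, that field is what lets you attribute an event to a subscription downstream.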
Hi,
The inputs for "Splunk Add-on for Microsoft Cloud Services" are configured at the subscription level. In other words, if you have 100+ subscriptions in Azure, you have to create 100+ different inputs in the add-on. Is this the right way to go?
Best regards,
Ahmad
Hi Ahmad, were you able to figure out how to ingest from Azure when having about 100 subscriptions?
I am looking to collect security logs for security analysis. So basically audit logs. We are not concerned about the Azure system logs themselves. Just activity logs.
You can then use the 3110 add-on.
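Ahmad's post about needing one add-on input per subscription (100+ of them) and the closing reply pointing at the 3110 add-on both lead to the same chore: generating the per-subscription inputs rather than clicking them in one by one. The script below is an added example, not code from this thread or from the add-on. It takes the JSON that `az account list -o json` produces (a constructed sample is embedded), drops disabled subscriptions and malformed IDs, and renders an inputs.conf fragment. The stanza layout ([mscs_azure_audit://<name>] with account, subscription_id, index, sourcetype, interval and disabled keys) is an assumption about the add-on's configuration; check the inputs.conf.spec shipped with the add-on version you deploy and adjust the keys before using the output.

```python
"""Render one Splunk Add-on for Microsoft Cloud Services input per Azure subscription.

Added example; the stanza keys are an assumption about the add-on's inputs.conf.
Subscription list below is constructed, in the shape of `az account list -o json`.
"""
import json
import re
from typing import Dict, List

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample of `az account list -o json` (fake subscriptions).
SAMPLE_AZ_ACCOUNT_LIST = json.dumps([
    {"id": "11111111-1111-1111-1111-111111111111", "name": "prod-core", "state": "Enabled"},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "Dev / Test (EU)", "state": "Enabled"},
    {"id": "33333333-3333-3333-3333-333333333333", "name": "legacy", "state": "Disabled"},
    {"id": "not-a-guid", "name": "broken", "state": "Enabled"},
])


def enabled_subscriptions(az_json: str) -> List[Dict[str, str]]:
    """Keep enabled subscriptions with a well-formed GUID; silently skip the rest."""
    keep = []
    for sub in json.loads(az_json):
        if sub.get("state") != "Enabled":
            continue
        if not GUID_RE.match(sub.get("id", "")):
            continue
        keep.append({"id": sub["id"], "name": sub["name"]})
    return keep


def stanza_name(sub_name: str) -> str:
    """Squash anything non-alphanumeric to '_' so the stanza name is safe in a .conf file."""
    return re.sub(r"[^A-Za-z0-9]+", "_", sub_name).strip("_").lower()


def render_inputs(subs: List[Dict[str, str]], account: str, index: str,
                  interval: int = 300) -> str:
    """Render an inputs.conf fragment with one audit input per subscription.

    The first 8 characters of the GUID are appended to the stanza name so two
    subscriptions with the same display name do not collide.
    Key names are an ASSUMPTION about the add-on; verify against inputs.conf.spec.
    """
    blocks = []
    for sub in subs:
        name = f"azure_audit_{stanza_name(sub['name'])}_{sub['id'][:8]}"
        blocks.append("\n".join([
            f"[mscs_azure_audit://{name}]",
            f"account = {account}",          # account configured in the add-on's setup page
            f"subscription_id = {sub['id']}",
            f"index = {index}",
            "sourcetype = mscs:azure:audit",
            f"interval = {interval}",
            "disabled = 0",
        ]))
    return "\n\n".join(blocks) + "\n"


def stanza_count(conf: str) -> int:
    """Count rendered input stanzas (handy as a sanity check against the subscription count)."""
    return len(re.findall(r"^\[mscs_azure_audit://", conf, re.MULTILINE))


if __name__ == "__main__":
    subs = enabled_subscriptions(SAMPLE_AZ_ACCOUNT_LIST)
    print(render_inputs(subs, account="azure_app_account", index="azure"))
```

Drop the rendered fragment into the add-on's local/inputs.conf on the heavy forwarder and re-run the script whenever subscriptions are added, diffing the output against what is deployed; a subscription that stops appearing in `az account list` is a signal to investigate, not just to prune.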