Tips & Tricks

March 15, 2016

2 Minute Read

Splunking Microsoft Azure Data

By Jason Conger

There are a lot of services in Microsoft Azure, and a lot of those services are producing machine data. Hal Rottenberg wrote a post covering several of these services and some ways to integrate Splunk with Microsoft Azure. We recently released a new cross-platform Azure add-on that consumes data for some IaaS and PaaS services. In this blog post, I will detail what we are collecting, how to use the data, and what is coming next for the add-on.

What are we collecting?

The add-on ships with three modular inputs:

Azure Diagnostics – this input collects data from an Azure Storage account that contains virtual machine diagnostic information.
Azure Website Diagnostics – this input collects server and application data for Azure Websites. This data is stored in an Azure Storage account blob storage container.
Azure Audit – this input collects audit data to give insight into who did what and when as well as events that could have an health impact on your Azure environment.

These modular inputs rely on diagnostic data written to an Azure Storage account. For more information about enabling diagnostic data for your Virtual Machines and Azure Websites, refer to this article.

How to use the Azure data

There are several prebuilt panels included in the add-on to get you started quickly:

Windows Events

Azure – top Event IDs (last 24 hours)
Azure – Security Event ID Count (last 7 days)
Azure – Application Event ID Count (last 7 days)
Azure – Event Channel Distribution

Performance

Azure – Performance – Available Counters
Azure – Performance – % Processor Time by Instance
Azure – Performance – Memory Available Bytes
Azure – Performance – Memory Pages/sec
Azure – Performance – Disk Reads/sec
Azure – Performance – Disk Write/sec
Azure – Performance – Thread Context Switches/sec

Azure Website

Azure – Website – Top Transfers by IP Address
Azure – Website – Top Transfers by HTTP Request
Azure – Website – Average Request Size
Azure – Website – Application Message Level Distribution
Azure – Website – Application Message Details

General

Count by sourcetype

What is coming next?

[UPDATE] Azure Audit logs are now part of the Splunk Add-on for Microsoft Azure.

The next integration slated to roll into this add-on is Azure audit data. This modular input will pull data from the Azure Insights Events API. The idea here is to be able to tell who did what and when.

Running Splunk in Azure

In addition to collecting data from Microsoft Azure, it is possible to quickly spin up Splunk workloads in Azure. The easiest way to do this is by using the Azure Marketplace. For more information on this, read Roy Arsan’s article about Splunk in the Azure Marketplace.

Resources

Downlaod the Azure Add-on on Splunkbase

Azure tag on answers.splunk.com

Azure tag on Splunk blogs

Correlating with Splunk IP Watchlist

Tips & Tricks 4 Min Read

High Performance syslogging for Splunk using syslog-ng – Part 1

Part 1: Implementing syslog with Splunk and three three scenarios you will be able to do so.

Tips & Tricks 2 Min Read

Steps for implementing Fraud Detection

Define use cases for fraud-categorize & prioritize; data & its threshold & algorithm rules, index data using Splunk SPL (search processing language) in realtime

About Splunk

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Learn more about Splunk