Splunk Add-on for Microsoft Azure

The Splunk Add-on for Microsoft Azure collects valuable diagnostic, performance, audit, and security data for your infrastructure and websites running in Microsoft Azure.

Performance and diagnostic information is collected from Azure Storage Tables and Azure Storage Blobs. Audit data is collected from the Azure Insights Events API. Network Security Group data is collected from Azure Storage Blobs. Several prebuilt panels are included with this add-on. See the "Documentation" tab for more information.

Release Notes

Welcome to the Add-on for Azure Diagnostics

This add-on is designed to collect performance, diagnostic, and audit information from Microsoft Azure. Performance and diagnostic information is collected from Azure Storage Tables and Azure Storage Blobs. Audit data is collected from the Azure Insights Events API. Network Security Group data is collected from Azure Storage Blobs.

Prerequisites

For Performance and Diagnostics:

  1. An Azure Storage Account
  2. Azure Virtual Machine(s) and/or Azure Website(s) that write diagnostic information to an Azure storage account
  3. Azure Storage Account Access Key

For Audit:

  1. An Azure Active Directory application - refer to the document titled "Azure Audit Setup Instructions.pdf" in the docs directory within the add-on for step-by-step instructions.

For Network Security Groups (NSG):

  1. An Azure Storage Account
  2. Network Security Group(s) logging data to Azure Storage Blob(s)
  3. Azure Storage Account Access Key

Setup

There are two steps involved in setting up Splunk to consume diagnostic information from Azure:

  1. Set up Azure Virtual Machine(s) and/or Azure Website(s) to log diagnostic information to an Azure Storage Account
  2. Set up Splunk to read the diagnostic logs

Setting up Azure Virtual Machines to log diagnostic information to an Azure Storage Account

  • Log in to your Azure portal
  • Click on the "Virtual Machines" menu item
  • Select the Virtual Machine you want to configure
  • Click "Diagnostics" in the "Settings" blade
  • Select your Azure Storage Account and the items to be logged to the account

Note about WAD Metrics PT1M and PT1H tables

These two tables contain the same detailed metric data, aggregated to 1-minute (PT1M) and 1-hour (PT1H) intervals respectively. Enable collection from only one of them: if both are enabled, the same metrics are indexed twice in Splunk.

Setting up Azure Websites to log diagnostic information to an Azure Storage Account

  • Log in to your Azure portal
  • Locate your website
  • In the "Settings" blade, choose Diagnostics logs
  • Select your Azure Storage Account and the items to be logged to the account

Setting up Splunk to read Azure diagnostic logs

  • Within Splunk, click Settings -> Data inputs
  • Click the "Azure Diagnostics" input or "Azure Website Diagnostics" input
  • Click on the "New" button to create a new data input
  • Give the input a unique name
  • Supply the name of the Azure Storage account containing the log data
  • Supply the Azure Storage account access key - refer to the section below for details on how to obtain your storage account access key. An access key grants full read and write access to everything in the storage account, not only the diagnostic tables, so treat it as a production secret (do not paste it into tickets or scripts) and update the input whenever you rotate the key in Azure
  • Optional: Specify a polling interval (this interval is how often the input checks for new data)
  • Optional: Specify a starting date/time

How to obtain your Azure Storage Account access key

  • Log in to your Azure portal
  • Click "All resources" in the menu
  • Select the Storage Account that contains the diagnostic information
  • Click "Access keys" in the "Settings" blade
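Before pointing an input at a storage account, it is worth confirming that diagnostic rows are actually arriving and that only one of the WADMetricsPT1M/PT1H table families is enabled. The script below is an added example, not code from the add-on. It assumes the WAD table convention that PartitionKey is the row's UTC timestamp expressed in .NET ticks (100-nanosecond intervals since 0001-01-01), rounded down to the minute and zero-padded to 19 digits; check that against a row from your own table before relying on it. The live path uses the azure-data-tables package; the FakeTable stand-in and SAMPLE_ROWS are constructed so the rest runs offline. The same PartitionKey lower bound is how an input's "starting date/time" can be turned into a bounded table query instead of a full scan.

```python
"""Pre-flight checks on an Azure Storage account before wiring it to the add-on.

Added example; not code from the add-on. It assumes the WAD table convention
that PartitionKey is the row's UTC timestamp in .NET ticks (100 ns intervals
since 0001-01-01), rounded down to the minute and zero-padded to 19 digits.
Only live_check() needs `pip install azure-data-tables`.
"""
from datetime import datetime, timedelta, timezone

TICKS_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)


def to_ticks(when):
    """Aware datetime -> .NET ticks (100 ns units since year 1, UTC)."""
    if when.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    micros = (when.astimezone(timezone.utc) - TICKS_EPOCH) // timedelta(microseconds=1)
    return micros * 10


def partition_key(when):
    """PartitionKey of a WAD row stamped at `when` (assumed convention above)."""
    return f"{to_ticks(when.replace(second=0, microsecond=0)):019d}"


def start_filter(start):
    """OData filter for rows at/after `start`, i.e. an input's starting date/time."""
    return f"PartitionKey ge '{partition_key(start)}'"


def duplicate_metric_tables(table_names):
    """WADMetricsPT1M* and PT1H* table names when both exist (metrics ingested twice)."""
    pt1m = sorted(n for n in table_names if n.startswith("WADMetricsPT1M"))
    pt1h = sorted(n for n in table_names if n.startswith("WADMetricsPT1H"))
    return (pt1m, pt1h) if pt1m and pt1h else ()


def rows_since(table, start, limit=5):
    """Up to `limit` rows at/after `start`; `table` exposes query_entities(query_filter=)."""
    rows = []
    for entity in table.query_entities(query_filter=start_filter(start)):
        rows.append(dict(entity))
        if len(rows) >= limit:
            break
    return rows


class FakeTable:
    """Constructed stand-in for azure.data.tables.TableClient (offline demo/test)."""

    def __init__(self, rows):
        self.rows = rows

    def query_entities(self, query_filter):
        key = query_filter.split("'")[1]  # value from "PartitionKey ge '...'"
        return [r for r in self.rows if r["PartitionKey"] >= key]


# Constructed sample rows in the shape of WADPerformanceCountersTable (not real data).
SAMPLE_ROWS = [
    {"PartitionKey": partition_key(datetime(2016, 7, 1, 8, 0, tzinfo=timezone.utc)),
     "CounterName": r"\Processor(_Total)\% Processor Time", "CounterValue": 12.5},
    {"PartitionKey": partition_key(datetime(2016, 7, 1, 8, 1, tzinfo=timezone.utc)),
     "CounterName": r"\Processor(_Total)\% Processor Time", "CounterValue": 71.0},
]


def live_check(account_name, account_key, start):
    """List tables, flag PT1M/PT1H overlap, and sample perf-counter rows since `start`."""
    from azure.core.credentials import AzureNamedKeyCredential
    from azure.data.tables import TableServiceClient

    service = TableServiceClient(
        endpoint=f"https://{account_name}.table.core.windows.net",
        credential=AzureNamedKeyCredential(account_name, account_key),
    )
    names = [t.name for t in service.list_tables()]
    dup = duplicate_metric_tables(names)
    if dup:
        print("both PT1M and PT1H metric tables exist; Splunk will see metrics twice:", dup)
    if "WADPerformanceCountersTable" in names:
        for row in rows_since(service.get_table_client("WADPerformanceCountersTable"), start):
            print(row["PartitionKey"], row.get("CounterName"), row.get("CounterValue"))
    return names


if __name__ == "__main__":
    since = datetime(2016, 7, 1, 8, 0, 30, tzinfo=timezone.utc)
    print(start_filter(since))
    print(rows_since(FakeTable(SAMPLE_ROWS), since))
```

Run live_check(account_name, account_key, start) with the storage account name and the key copied from the "Access keys" blade; pass the key in from an environment variable or prompt rather than hard-coding it, since it grants full control of the account.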

What Data is Collected?

The add-on currently pulls data from the following data sources:

Azure Storage Tables

  • Windows Event Logs - via WADWindowsEventLogsTable
  • Base performance counters - via WADPerformanceCountersTable
  • Metrics (1 minute aggregates) - via WADMetricsPT1M tables
  • Metrics (1 hour aggregates) - via WADMetricsPT1H
  • Infrastructure Diagnostics - via WADDiagnosticInfrastructureLogsTable

Azure Storage Blobs

  • Webserver logging
  • Web application logging

Add Prebuilt Panels to Dashboards

This Add-on contains several prebuilt panels that you can add to your own custom dashboards. For more information about this, check out the Splunk documentation on dashboard panels.


Version 1.2.3

Community Supported

Built by Jason Conger