Splunking Microsoft Azure Data
There are a lot of services in Microsoft Azure, and a lot of those services are producing machine data. Hal Rottenberg wrote a post covering several of these services and some ways to integrate Splunk with Microsoft Azure. We recently released a new cross-platform Azure add-on that consumes data for some IaaS and PaaS services. In this blog post, I will detail what we are collecting, how to use the data, and what is coming next for the add-on.
What are we collecting?
The add-on ships with three modular inputs:
- Azure Diagnostics – this input collects data from an Azure Storage account that contains virtual machine diagnostic information.
- Azure Website Diagnostics – this input collects server and application data for Azure Websites. This data is stored in an Azure Storage account blob storage container.
- Azure Audit – this input collects audit data to give insight into who did what and when as well as events that could have an health impact on your Azure environment.
These modular inputs rely on diagnostic data written to an Azure Storage account. For more information about enabling diagnostic data for your Virtual Machines and Azure Websites, refer to this article.
How to use the Azure data
There are several prebuilt panels included in the add-on to get you started quickly:
- Azure – top Event IDs (last 24 hours)
- Azure – Security Event ID Count (last 7 days)
- Azure – Application Event ID Count (last 7 days)
- Azure – Event Channel Distribution
- Azure – Performance – Available Counters
- Azure – Performance – % Processor Time by Instance
- Azure – Performance – Memory Available Bytes
- Azure – Performance – Memory Pages/sec
- Azure – Performance – Disk Reads/sec
- Azure – Performance – Disk Write/sec
- Azure – Performance – Thread Context Switches/sec
- Azure – Website – Top Transfers by IP Address
- Azure – Website – Top Transfers by HTTP Request
- Azure – Website – Average Request Size
- Azure – Website – Application Message Level Distribution
- Azure – Website – Application Message Details
- Count by sourcetype
What is coming next?
The next integration slated to roll into this add-on is Azure audit data. This modular input will pull data from the Azure Insights Events API. The idea here is to be able to tell who did what and when.
Running Splunk in Azure
In addition to collecting data from Microsoft Azure, it is possible to quickly spin up Splunk workloads in Azure. The easiest way to do this is by using the Azure Marketplace. For more information on this, read Roy Arsan’s article about Splunk in the Azure Marketplace.