This repository has been archived by the owner on Nov 16, 2023. It is now read-only.

Configuration of Splunk

Greg Oliver edited this page Jan 17, 2020 · 24 revisions

Selecting your cloud

(version 1.2.3)

If you operate in a cloud other than Azure Public Cloud, select your cloud by editing both azure_activity_log.sh and azure_diagnostic_logs.sh, which are located in TA-Azure_Monitor/bin. Comments in those files describe the edit to make. Both files must agree; editing only one of them leaves the other input pointed at Azure Public Cloud endpoints.

At this time, the available clouds are: Azure Public Cloud, Azure US Government, Azure China Cloud, Azure Germany Cloud.

Data Input Settings

To create a new instance of one of the data inputs, in Splunk Web go to Settings / Data Inputs. Find the data input that you want in the list:

  • Azure Monitor Activity Log
  • Azure Monitor Diagnostic Logs
    For diagnostic logs you must also tailor hubs.json, as described in the hubs.json section below.
  • Azure Monitor Metrics

Drill in and click the "Add New" button, or click "Add New" on the far right in the list.

The parameters are:

NOTE: Only the Metrics data input uses subscriptionId. Only the Activity Log and Diagnostic Logs data inputs use an Event Hub namespace. The remaining fields are shared by all three inputs.

| Parameter Name | Value | Notes |
| --- | --- | --- |
| name | string | I use the name of the monitoring target, in my case the name of my subscription |
| SPNTenantID | <guid> | the tenant ID of your Azure AD tenant |
| SPNApplicationID | <guid> | the application (client) ID of your service principal |
| SPNApplicationKey | <password> | the client secret of the service principal; the add-on uses this principal to read the "real work" credentials out of Key Vault, so it needs access to that secret and nothing more |
| eventHubNamespace | string | the name of your Event Hub namespace (the namespace, not an individual hub within it); Activity Log and Diagnostic Logs inputs only |
| subscriptionId | <guid> | your Azure subscription ID; Metrics input only |
| vaultName | string | the name of your Key Vault |
| secretName | string | the name of the secret containing the "real work" credentials |
| secretVersion | string | the version identifier of that secret |

NOTE: When you create an "Event Hub" in the Azure portal, you are really creating an Event Hub Namespace. Within that namespace, individual event hubs are created as your resources emit logs, so the term "Event Hub" is overloaded. The name of your Event Hub Namespace is the name you used when you created your "Event Hub", and that is the value to enter for eventHubNamespace. Confused?

Screenshots (not reproduced here):

  • Example of the data input parameters form
  • Getting the Key Vault secret's version
  • A filled-in data input configuration panel
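The secretVersion field is the part of the Key Vault secret identifier that trips people up, and a typo in any of the GUID fields only surfaces as an authentication failure at run time. The following is an added example (not code from the add-on) that derives vaultName, secretName and secretVersion from a secret identifier and sanity-checks a parameter set before it is typed into Splunk Web. It assumes, as the page does not state, that secret identifiers have the form https://<vault>.vault.<dns-suffix>/secrets/<name>/<version>, that a Key Vault secret version is a 32-character hex string, and that the three ID fields are GUIDs; all sample values are constructed.

```python
"""Sanity-check Azure Monitor data input parameters before entering them in Splunk Web.

Added example, not part of the add-on.  Assumptions (not stated on the wiki page):
Key Vault secret identifiers look like https://<vault>.vault.<suffix>/secrets/<name>/<version>,
the version is 32 hex characters, and SPNTenantID / SPNApplicationID / subscriptionId are GUIDs.
"""
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SECRET_VERSION_RE = re.compile(r"^[0-9a-f]{32}$")  # assumption about Key Vault version ids

# Per the NOTE on the page: metrics uses subscriptionId, the two log inputs use
# eventHubNamespace, everything else is shared by all three inputs.
COMMON_FIELDS = ("name", "SPNTenantID", "SPNApplicationID", "SPNApplicationKey",
                 "vaultName", "secretName", "secretVersion")
INPUT_SPECIFIC = {
    "activity_log": ("eventHubNamespace",),
    "diagnostic_logs": ("eventHubNamespace",),
    "metrics": ("subscriptionId",),
}


def parse_secret_id(secret_id):
    """Split a versioned Key Vault secret identifier into (vaultName, secretName, secretVersion).

    Raises ValueError when the URL is not a versioned secret identifier (e.g. the
    version was left off, which is the usual mistake when copying from the portal).
    """
    u = urlparse(secret_id)
    if u.scheme != "https" or not u.hostname:
        raise ValueError("secret identifier must be an https URL")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) != 3 or parts[0] != "secrets":
        raise ValueError("expected path /secrets/<name>/<version>")
    _, name, version = parts
    if not SECRET_VERSION_RE.match(version):
        raise ValueError("secret version is not a 32-char hex string")
    vault = u.hostname.split(".")[0]  # vault name is the first DNS label in every cloud
    return vault, name, version


def validate_input(kind, params):
    """Return a list of problems for a data input of the given kind (empty = looks usable)."""
    if kind not in INPUT_SPECIFIC:
        return ["unknown input kind: %s" % kind]
    problems = []
    for field in COMMON_FIELDS + INPUT_SPECIFIC[kind]:
        if not params.get(field):
            problems.append("%s is missing" % field)
    for field in ("SPNTenantID", "SPNApplicationID", "subscriptionId"):
        value = params.get(field)
        if value and not GUID_RE.match(value):
            problems.append("%s is not a GUID: %s" % (field, value))
    ns = params.get("eventHubNamespace", "")
    # The form wants the namespace *name*: not its FQDN, and not a hub inside it.
    if "." in ns:
        problems.append("eventHubNamespace should be the bare namespace name, not %s" % ns)
    if ns.startswith("insights-"):
        problems.append("eventHubNamespace looks like an individual hub (%s), not the namespace" % ns)
    version = params.get("secretVersion", "")
    if version and not SECRET_VERSION_RE.match(version):
        problems.append("secretVersion should be the 32-char hex version id, not %r" % version)
    return problems


# Constructed sample values; none of these identifiers are real.
SAMPLE_SECRET_ID = ("https://contoso-splunk-kv.vault.azure.net/secrets/"
                    "eventhub-listen-key/0123456789abcdef0123456789abcdef")
SAMPLE_PARAMS = {
    "name": "contoso-prod",
    "SPNTenantID": "11111111-2222-3333-4444-555555555555",
    "SPNApplicationID": "66666666-7777-8888-9999-aaaaaaaaaaaa",
    "SPNApplicationKey": "<redacted>",
    "eventHubNamespace": "contoso-monitor-ns",
}
SAMPLE_PARAMS["vaultName"], SAMPLE_PARAMS["secretName"], SAMPLE_PARAMS["secretVersion"] = \
    parse_secret_id(SAMPLE_SECRET_ID)

if __name__ == "__main__":
    for kind in ("diagnostic_logs", "metrics"):
        print(kind, validate_input(kind, SAMPLE_PARAMS) or "ok")
```

Running it reports the diagnostic logs input as ok and the metrics input as missing subscriptionId, which is the point of the NOTE above: the same parameter set is not valid for every input type.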

JSON lookup files

logCategories.json

Found in TA-Azure_Monitor/bin/app

** impacts diagnostic logs only **

This file contains the list of diagnostic log categories supported by Azure Monitor, each paired with a sourcetype. Adjust the sourcetypes to your own needs. If you delete a line, events in that log category fall back to the default sourcetype you entered in the data input settings.

** with regards to Activity Log sourcetype **
(version 1.2.3)

Activity Log messages are assigned a distinct sourcetype by event category, as follows:

| Event Type | sourcetype |
| --- | --- |
| Administrative | amal:administrative |
| Service Health | amal:serviceHealth |
| Resource Health | amal:resourceHealth |
| Security | amal:security |
| Azure Security Center Recommendation | amal:ascRecommendation |
| Azure Security Center Alert | amal:ascAlert |

hubs.json

Found in TA-Azure_Monitor/bin/app

This file contains the list of event hubs that the diagnostic logs input reads from. Because each hub corresponds to one log category, it is effectively the list of log categories available for the resources that emit diagnostic logs. This file must be edited for a new installation. The value associated with each hub (the key) is the name of the field in which the program looks up the ARM resource ID in messages coming from that hub. In all but one case the value is "resourceId". The one exception is the hub for Workflow Runtime, whose default hub name is "insights-logs-workflowruntime".

Sample

{
"insights-logs-diagnostics": "resourceId",
"insights-logs-auditlogs": "resourceId"
}

IMPORTANT

Do not list hubs in hubs.json that do not actually exist in the Event Hub namespace. To see the hubs in the namespace, open the namespace in the Azure portal and select "Event Hubs" in the left menu. Also do not put "insights-operational-logs" in hubs.json: that is the non-configurable name of the hub associated with the Activity Log, and it is consumed by the Activity Log input, not the Diagnostic Logs input.
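Both rules in the IMPORTANT paragraph are easy to violate when hubs.json is copied between installations, so it is worth checking the file against the namespace before restarting the input. The following is an added example (not code from the add-on) that loads hubs.json, rejects duplicate keys, and compares it with the list of hubs that exist in the namespace. The list of existing hubs is constructed inline here; in practice it comes from the Event Hubs list of the namespace in the portal or from `az eventhubs eventhub list --resource-group <rg> --namespace-name <ns> --query "[].name" -o tsv`. The hub names other than the two the page names are constructed sample data, and the expected value for the Workflow Runtime hub is not given on the page, so the check only exempts that hub from the "must be resourceId" warning.

```python
"""Check a hubs.json against the hubs that exist in the Event Hub namespace.

Added example, not part of the add-on.  EXISTING_HUBS and SAMPLE_HUBS_JSON are
constructed sample data; only insights-operational-logs and
insights-logs-workflowruntime are names taken from the wiki page.
"""
import json

ACTIVITY_LOG_HUB = "insights-operational-logs"        # Activity Log hub; must not appear in hubs.json
WORKFLOW_RUNTIME_HUB = "insights-logs-workflowruntime"  # the one hub whose value is not "resourceId"


def load_hubs_json(text):
    """Parse hubs.json, refusing duplicate keys (plain json.loads silently keeps the last one)."""
    def reject_duplicates(pairs):
        hubs = {}
        for key, value in pairs:
            if key in hubs:
                raise ValueError("duplicate hub entry: %s" % key)
            hubs[key] = value
        return hubs
    return json.loads(text, object_pairs_hook=reject_duplicates)


def check_hubs(hubs, existing_hubs):
    """Return (errors, warnings) for a parsed hubs.json given the hubs present in the namespace.

    errors   - entries that will break or misroute collection and must be fixed
    warnings - entries worth a second look, plus hubs that exist but are not listed
    """
    errors, warnings = [], []
    existing = set(existing_hubs)
    for hub, field in hubs.items():
        if hub == ACTIVITY_LOG_HUB:
            errors.append("%s is the Activity Log hub and must not be listed in hubs.json" % hub)
            continue
        if hub not in existing:
            errors.append("%s is listed but does not exist in the namespace" % hub)
        if not isinstance(field, str) or not field:
            errors.append("%s: value must be the name of the resource id field" % hub)
        elif field != "resourceId" and hub != WORKFLOW_RUNTIME_HUB:
            warnings.append("%s: value %r is not 'resourceId'; only %s is expected to differ"
                            % (hub, field, WORKFLOW_RUNTIME_HUB))
    # Hubs that exist in the namespace but are not listed are simply not read by the input.
    for hub in sorted(existing - set(hubs) - {ACTIVITY_LOG_HUB}):
        warnings.append("%s exists in the namespace but is not in hubs.json; it will not be read" % hub)
    return errors, warnings


# Constructed: what the Event Hubs list of a namespace might show.
EXISTING_HUBS = ["insights-operational-logs", "insights-logs-diagnostics",
                 "insights-logs-auditlogs", "insights-logs-workflowruntime"]

# Constructed hubs.json with two mistakes: a hub that does not exist in the
# namespace, and the reserved Activity Log hub.
SAMPLE_HUBS_JSON = """{
  "insights-logs-diagnostics": "resourceId",
  "insights-logs-auditlogs": "resourceId",
  "insights-logs-auditevent": "resourceId",
  "insights-operational-logs": "resourceId"
}"""

if __name__ == "__main__":
    errors, warnings = check_hubs(load_hubs_json(SAMPLE_HUBS_JSON), EXISTING_HUBS)
    for line in errors:
        print("ERROR:  ", line)
    for line in warnings:
        print("WARNING:", line)
```

Run it with the real file and hub list substituted (for example `check_hubs(load_hubs_json(open("hubs.json").read()), hubs_from_cli)`) and fix every ERROR before starting the Diagnostic Logs input; the WARNING for an unlisted hub tells you which log categories you are silently not collecting.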

sourcetypes.json

Found in TA-Azure_Monitor/bin

** impacts metrics only **

This file contains a list of resource types that emit metrics and the sourcetype for each. Add lines as needed if you want distinct sourcetypes for your Azure resource types. Or delete lines if you want to use the default you entered in data input settings. This has no impact on logs; only the sourcetypes for metrics are impacted.