Send Azure logs to Splunk Log Observer
You can send logs from Azure to Splunk Log Observer by deploying a function that prepares and sends log data to the Splunk HTTP Event Collector (HEC) endpoint. To get started, follow these instructions.
Prerequisites
To send logs from Azure to Splunk Observability Cloud, you need the following:
Access to Log Observer in Observability Cloud. See Set up Log Observer.
An ingest token in your organization. See Create and manage organization access tokens using Splunk Observability Cloud.
An Event Hub namespace in Azure to use for logs forwarding. See Event Hub in the Azure documentation.
Create an event hub in Azure
Azure uses diagnostic settings to send data to Event Hubs. Each resource you want to monitor must have a diagnostic setting. Follow these steps to configure an event hub for each use case:
In Azure, go to Event Hubs and select Create.
Select your Event Hub namespace.
Set the name of the event hub according to the logs you want to forward. The function looks for these names by default:

| Logs to forward | Event Hub name |
|---|---|
| Azure Activity Log | insights-activity-logs |
| Azure Active Directory (Microsoft Entra ID) logs | insights-logs-aad |
| Resource diagnostic logs | insights-logs-diag |
| Platform metrics (1-minute granularity) | insights-metrics-pt1m |

Note: If you use a different event hub name, update the function application settings so that the function reads from the hub you created.
Set the number of partitions. Use at least 4 partitions.
Select Create.
Configure diagnostic settings to send logs
After you've created the event hub, follow these steps to activate diagnostic settings:
In Azure, select the resource and go to Monitoring > Diagnostic settings.
Create a new setting or edit an existing setting.
Select the events you want to log.
Select Stream to an event hub and select the event hub you've created.
Select Save.
Set up the forwarding function in Azure
To deploy the Azure function, use the Deploy to Azure button for the event-hubs-hec function (the deployment template lives in the GitHub repository linked under Additional resources).
In the Function App Settings section, enter the following details:

| Setting | Value |
|---|---|
| Event Hub Namespace | The namespace that contains the event hub you've created. |
| Splunk HEC Endpoint | The Log Observer ingest endpoint for your realm. See the note about realms below. |
| Splunk HEC Token | Your Observability Cloud ingest token. See Create and manage organization access tokens using Splunk Observability Cloud. |
Note about realms
A realm is a self-contained deployment of Splunk Observability Cloud in which your organization is hosted. Different realms have different API endpoints. For example, the endpoint for sending data in the us1 realm is https://ingest.us1.signalfx.com, while the endpoint for sending data in the eu0 realm is https://ingest.eu0.signalfx.com.
When you see a placeholder realm name in the documentation, such as <YOUR_REALM>, replace it with your actual realm name. To find your realm name, open the left navigation menu in Observability Cloud, select Settings, and select your username. The realm name appears in the Organizations section. If you don't include the realm name when specifying an endpoint, Observability Cloud defaults to the us0 realm.
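The procedure above leaves the actual work of the forwarding function implicit: an Event Hub message arrives as one JSON document holding a `records` array, and HEC wants one event per record, each carrying its own timestamp, with the token in an Authorization header. The following stand-alone example is added here to make that step concrete; it is not the Splunk azure-functions-splunk code (which is a Node.js function) and does not deploy anything. The `/v1/log` path on the realm ingest host, the hub-name-to-sourcetype mapping and the sample Activity Log records are assumptions made for the example and are labelled as such in the code.

```python
"""Shape Azure diagnostic-log messages into Splunk HEC events.

Added example, not the Splunk function's own code. Assumptions (labelled):
the /v1/log HEC path, the hub-name -> sourcetype mapping, and the sample
records below, which are constructed to look like Azure Activity Log output.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone
from urllib import request

DEFAULT_REALM = "us0"  # documented fallback when no realm is given

# Event hub names from the page, mapped to illustrative sourcetypes (assumption).
HUB_SOURCETYPES = {
    "insights-activity-logs": "azure:activity",
    "insights-logs-aad": "azure:aad",
    "insights-logs-diag": "azure:resource",
    "insights-metrics-pt1m": "azure:metrics",
}


def hec_endpoint(realm: str | None) -> str:
    """Build the realm-specific ingest URL; an empty realm falls back to us0,
    mirroring the documented default. The /v1/log path is an assumption."""
    realm = (realm or "").strip() or DEFAULT_REALM
    if not re.fullmatch(r"[a-z]{2}\d+", realm):
        raise ValueError(f"unexpected realm name: {realm!r}")
    return f"https://ingest.{realm}.signalfx.com/v1/log"


def _epoch(ts: str) -> float:
    """Azure records carry ISO 8601 UTC timestamps with up to 7 fractional
    digits, which datetime.fromisoformat rejects on older Pythons; trim to
    microseconds before parsing."""
    m = re.fullmatch(r"(.*?)(?:\.(\d+))?Z", ts)
    if not m:
        raise ValueError(f"unexpected timestamp: {ts!r}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    dt = datetime.fromisoformat(f"{m.group(1)}.{frac}").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def to_hec_events(message: str, hub_name: str) -> list[dict]:
    """Split one Event Hub message ({"records": [...]}) into HEC events.
    Each record keeps its own timestamp, so forwarding lag does not distort
    the event time shown in Log Observer."""
    body = json.loads(message)
    records = body.get("records")
    if not isinstance(records, list):
        raise ValueError("message has no 'records' array")
    sourcetype = HUB_SOURCETYPES.get(hub_name, "azure:unknown")
    return [
        {
            "time": _epoch(rec["time"]),
            "source": hub_name,
            "sourcetype": sourcetype,
            "host": rec.get("resourceId", "azure"),
            "event": rec,
        }
        for rec in records
    ]


def hec_payload(events: list[dict]) -> bytes:
    """HEC accepts several JSON objects concatenated in one request body."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events).encode()


def send(endpoint: str, token: str, events: list[dict], timeout: float = 10.0) -> int:
    """POST to HEC. The token travels in the Authorization header, never in
    the URL, so it does not land in proxy or gateway access logs."""
    req = request.Request(
        endpoint,
        data=hec_payload(events),
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with request.urlopen(req, timeout=timeout) as resp:  # network call; not exercised offline
        return resp.status


# Constructed sample message: two Activity Log records in Azure's export shape.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-03-01T10:15:30.1234567Z",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KV1",
     "operationName": "MICROSOFT.KEYVAULT/VAULTS/WRITE",
     "category": "Administrative", "level": "Information", "resultType": "Success"},
    {"time": "2024-03-01T10:15:31Z",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1",
     "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "category": "Administrative", "level": "Information", "resultType": "Start"},
]})

if __name__ == "__main__":
    evs = to_hec_events(SAMPLE_MESSAGE, "insights-activity-logs")
    print(hec_endpoint("us1"), len(evs), "events,", len(hec_payload(evs)), "bytes")
```

Two details matter in practice: the realm check rejects a malformed realm before any request is made, so a typo in the endpoint setting fails loudly instead of silently posting to the us0 default, and each record's own `time` is preserved rather than the time the function happened to run.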
Security considerations
Azure encrypts Function App settings at rest by default, but anyone with read access to the Function App configuration can still view them in plaintext, and the Splunk HEC Token is a credential that lets its holder write data into your organization. For increased security, store that setting, and any other secret such as the Event Hub connection string, in Azure Key Vault and point the Function App setting at it with a Key Vault reference, granting the function's managed identity permission to read the secret. See the Key Vault documentation in the Azure docs for more information.
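A quick way to verify that this was actually done is to export the Function App settings and check which secret-bearing ones are still literal values. The following example is added here and is not part of the Splunk function or the Azure documentation; it works on the JSON array that `az functionapp config appsettings list` prints (name, value, slotSetting per entry) and emits the Key Vault reference to use in place of each plaintext secret. The setting names SPLUNK_HEC_TOKEN and EVENTHUB_CONNECTION, the vault name and the sample export are assumptions made for the example.

```python
"""Audit Function App settings for secrets stored as plaintext.

Added example, not part of the Splunk function or the Azure docs. The
setting names treated as secrets, the vault name and the sample export
below are assumptions for illustration.
"""
import json
import re

# Both reference forms that App Service resolves from Key Vault at startup.
KV_REFERENCE = re.compile(
    r"^@Microsoft\.KeyVault\("
    r"(SecretUri=https://[^;)]+"
    r"|VaultName=[^;)]+;SecretName=[^;)]+(;SecretVersion=[^;)]+)?)"
    r"\)$"
)

# Settings whose value is a credential (assumed names for this deployment).
SECRET_SETTINGS = {"SPLUNK_HEC_TOKEN", "EVENTHUB_CONNECTION"}


def key_vault_reference(vault_name: str, secret_name: str) -> str:
    """Reference to the latest version of a secret: rotating it in the vault
    then takes effect on restart without editing the Function App settings."""
    return f"@Microsoft.KeyVault(VaultName={vault_name};SecretName={secret_name})"


def is_key_vault_reference(value: str) -> bool:
    return bool(KV_REFERENCE.match(value or ""))


def audit_settings(settings_json: str, vault_name: str,
                   secret_names=frozenset(SECRET_SETTINGS)) -> dict:
    """Classify secret-bearing settings as 'plaintext' or 'referenced' and
    propose a Key Vault reference for each plaintext one (secret name derived
    from the setting name, lower-cased with hyphens)."""
    result = {"plaintext": [], "referenced": [], "remediation": {}}
    for entry in json.loads(settings_json):
        name, value = entry.get("name", ""), entry.get("value", "")
        if name not in secret_names:
            continue
        if is_key_vault_reference(value):
            result["referenced"].append(name)
        else:
            result["plaintext"].append(name)
            secret = name.lower().replace("_", "-")
            result["remediation"][name] = key_vault_reference(vault_name, secret)
    return result


# Constructed sample export: HEC token still literal, Event Hub string already referenced.
SAMPLE_SETTINGS = json.dumps([
    {"name": "SPLUNK_HEC_TOKEN", "value": "00000000-0000-0000-0000-000000000000", "slotSetting": False},
    {"name": "SPLUNK_HEC_ENDPOINT", "value": "https://ingest.us1.signalfx.com/v1/log", "slotSetting": False},
    {"name": "EVENTHUB_CONNECTION",
     "value": "@Microsoft.KeyVault(SecretUri=https://kv1.vault.azure.net/secrets/eh-conn/)",
     "slotSetting": False},
])

if __name__ == "__main__":
    print(json.dumps(audit_settings(SAMPLE_SETTINGS, "kv1"), indent=2))
```

The reference only resolves if the Function App has a system-assigned or user-assigned managed identity and that identity can read secrets from the vault (a `get` secret permission under access policies, or the Key Vault Secrets User role under Azure RBAC); if it cannot, the function starts with the literal reference string as its token and every HEC request is rejected.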
Additional resources
For examples and additional information, see https://github.com/splunk/azure-functions-splunk/tree/master/event-hubs-hec on GitHub.