Azure Kubernetes Service (AKS) - log ingestion wit...

edoardo_vicendo · ‎02-05-2024

Hi,

I am trying to understand the best/cost effective approach to ingest logs from Azure AKS in Splunk Enterprise with Enterprise Security.

The logs we have to collect are mainly for security purposes.

Here the options I have found:

Use the "Splunk OpenTelemetry Collector for Kubernetes"

https://docs.splunk.com/Documentation/SVA/current/Architectures/OTelKubernetes

Use Cloud facilities to export the logs to Storage Accounts
Use Cloud facilities to export the logs to Event Hubs
Use Cloud facilities to send syslog to a Log Analytics workspace

https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-syslog

references:

https://learn.microsoft.com/en-us/azure/azure-monitor/containers/monitor-kubernetes

https://learn.microsoft.com/en-us/azure/aks/monitor-aks

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export?tabs=portal

https://learn.microsoft.com/en-us/azure/architecture/aws-professional/eks-to-aks/monitoring

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview

Is there a way to use Cloud facilities to stream the logs directly to Splunk so that we can avoid deploying the OTEL collector?

Otherwise, if we must save the logs first to a Workspace/Storage Accounts/Event Hubs and export them with Splunk via API calls with "Splunk Add-on for Microsoft Cloud Services" or with "Microsoft Azure Add-on for Splunk", which is the best/cost effective approach?

Thanks a lot,

Edoardo

Azure Kubernetes Service (AKS) - log ingestion with Splunk

heavy forwarder

HTTP Event Collector

monitor

syslog

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases