Docs » Integrations Guide » Monitor Microsoft Azure

Monitor Microsoft Azure πŸ”—

You can easily monitor Microsoft Azure in Splunk Infrastructure Monitoring. If you haven’t already done so, follow the instructions below to connect Infrastructure Monitoring to Microsoft Azure.

Connect to Microsoft Azure πŸ”—

To connect Splunk Infrastructure Monitoring to Azure, do the following: 1. In your Microsoft Azure portal, create an Azure application (Part 1 - Create an Azure Active Directory application)

  1. Specify subscriptions to monitor (Part 2 - Specifying and setting permissions for subscriptions)
  2. In Infrastructure Monitoring, you set up the Azure integration and specify services and subscriptions to monitor (Part 3 - Complete the configuration in Splunk Infrastructure Monitoring).

You must be an administrator of your Infrastructure Monitoring account to connect Infrastructure Monitoring to Azure.

Part 1 - Create an Azure Active Directory application πŸ”—

Important

Before continuing, make sure you have sufficient permissions to create an Azure Active Directory application, as described here. The following steps won’t work correctly if required permissions are not set.

  1. In a new tab, login to your Azure portal.

  2. Navigate to Azure Active Directory and select App registrations. Then click New registration at the top of the page.

  3. In the next blade, enter the name, indicate access, select Web, enter sign-on URL, and then click Register. Infrastructure Monitoring does not use this information, but it is required to create an app on Azure.

    ../_images/azure-register-on-app.png
  4. A new blade shows summary information about the application. Copy the Display name and each ID and save them for later use.

  5. Click Certificates & settings. In this scenario, the public key is referred to as a Certificate and the password is called a client secret.

  6. Create a client secret by providing a description, and set the duration to Never expires. Click Save.

    ../_images/azure-add-client-secret.png
  7. The client secret displays; copy it and save it for later use.

    ../_images/azure-new-client-secret2.png

Part 2 - Specifying and setting permissions for subscriptions πŸ”—

  1. In the Azure portal, navigate to All services, click Everything, and then click Subscriptions.

  2. Find a subscription you want to monitor, and click on the subscription name.

  3. Navigate to Access control (IAM), click Add, then select Add role assignment.

    ../_images/azure-iam-add.png
  4. Set the Role to Monitoring Reader, assign an access, and then select the managed application name. Click Save.

Repeat the above steps for each subscription you want to monitor.

Part 3 - Complete the configuration in Splunk Infrastructure Monitoring πŸ”—

After you have created an Active Directory app and specified the subscriptions you want to monitor, you are ready to integrate Azure in Splunk Infrastructure Monitoring.

  1. Open Infrastructure Monitoring and click Integrations to open the Integrations page. Look for the Microsoft Azure tile and click it.
  2. Display the Setup tab, then click New Integration.
    • Enter a name for this integration.
    • Enter the Tenant ID (Directory ID), App ID, and Secret Key (Client secret) you saved from Part 1 - Create an Azure Active Directory application.
    • Select the services and subscriptions you want to monitor.
    • You can set the poll rate to 5 minutes or 1 minute.
  3. Click Save to finish implementing this integration. Infrastructure Monitoring attempts to validate your integration.

When you see the Validated! message, Splunk Infrastructure Monitoring begins receiving metrics from Azure for the specified subscription(s) and service(s).

If you installed this integration while going through the Quick Start guide, continue by installing the Smart Agent, which monitors host infrastructure metrics.

Azure integration overview πŸ”—

Splunk Infrastructure Monitoring provides a robust integration with Azure, has an Azure mode for the Infrastructure Navigator, and includes many built-in-dashboards to help you get started monitoring Microsoft Azure services.

You can also monitor Azure and the subscriptions and services running on them by using the Smart Agent. The collectd agent offers a much higher degree of customization than is possible with Azure, and may be preferable for instances where you want to see metrics at a sub-one minute resolution, or where fine-grained control over the filtering of what metrics are sent matters.

Regardless of the mechanism by which you collect and send your metrics, you can also take advantage of the way Infrastructure Monitoring imports Azure metadata, which applies not only to the relevant Azure Services, but can also be used with metrics collected using the collectd agent. The metadata enables you to slice and dice by custom tags, region, host names, and other dimensions.

Monitor Azure metrics πŸ”—

After you have completed the steps in Connect to Microsoft Azure, metrics from Azure Monitor will be synced into Infrastructure Monitoring. Specifically the metrics under Azure metrics will be synced.

Uniquely identifying Azure resources πŸ”—

All of the metrics that the Azure integration sends contain a dimension called azure_resource_id. The value of this dimension is derived from Azure’s resource_id for the resource. azure_resource_id takes the following form:

<subscription_id>/<resource_group_name>/<resource_provider_namespace>/<resource_name>

If the above derived string is longer than 256 bytes, it is truncated because the maximum permissible length of dimension values is 256 bytes.

If you install collectd on an Azure Compute Virtual Machine instance using the standard install script, this dimension will automatically be added.

Supported Azure services πŸ”—

While not all Azure services are supported for sync, when All Services is selected, Splunk Infrastructure Monitoring syncs with the following services:

  • API Management
  • App Service
  • Application Gateway
  • Automation
  • Azure Analysis Services
  • Azure Cosmos DB
  • Azure DDoS Protection
  • Azure DNS
  • Azure Data Explorer
  • Azure Database for MySQL
  • Azure Database for PostgreSQL
  • Azure Firewall
  • Azure Front Door
  • Azure Kubernetes Service
  • Azure Location Based Services
  • Azure Machine Learning
  • Azure Maps
  • Batch
  • Cognitive Services
  • Container Instances
  • Container Registry
  • Content Delivery Network (CDN)
  • Customer Insights
  • Data Factory
  • Data Lake Analytics
  • Data Lake Store
  • Event Grid (Event Subscriptions)
  • Event Grid (Extension Topics)
  • Event Grid (System Topics)
  • Event Grid (Topics)
  • Event Grid (domains)
  • Event Hubs
  • ExpressRoute
  • HDInsight
  • Key Vault
  • Load Balancer
  • Logic apps
  • Network Interfaces
  • Notification Hubs
  • Power BI
  • Redis Cache
  • Relays
  • SQL Database
  • SQL Elastic Pools
  • SQL Servers
  • Search Services
  • Service Bus
  • Storage
  • Stream Analytics
  • Traffic Manager
  • VPN Gateway
  • Virtual Machine Scale Sets
  • Virtual Machines
  • Virtual Machines (Classic)

Dimensions πŸ”—

The metric time series (MTS) associated with Azure metrics have the following generic dimensions. These dimensions are common to all services.

Dimension name Description
azure_resource_id unique identifier for the Azure object
resource_group_id ID of the resource group the Azure object belongs to
subscription_id ID of the subscription the resource belongs to
resource_type type of the Azure object
aggregation_type the Azure aggregation type of the metric
primary_aggregation_type indicates whether or not the aggregation type is the primary type
unit unit of the metric value

Some Azure services include dimensions that Splunk Infrastructure Monitoring adds to MTS. For example, the metrics from Azure Storage provider include the dimensions apiname and geotype. Meanwhile, resource_group_id is derived from the Azure resource group id and takes the following form: <subscription_id>/<resource_group_name>.

Resource Metadata πŸ”—

Our Azure integration also queries the Azure API for metadata about the resources it is monitoring, so you can filter and group metrics by this metadata in charts and in the Infrastructure Navigator.

  • Metadata that is common to all services within a subscription (subscription-level metadata) are put on properties of subscription_id dimension.
  • Metadata that is common to all services within a resource group (resource-group-level metadata) are put on properties of resource_group_id dimension.
  • Metadata that are service-specific (service-level metadata) are put on properties of the azure_resource_id dimension.
  • Tags on all resources (Resource Tags) are put on properties of the azure_resource_id dimension.

Subscription-level metadata πŸ”—

Here is the metadata that is currently synced at a subscription level:

Azure name Custom property Description
displayName azure_subscription_display_name the display name of the subscription (e.g. Pay-As-You-Go)
state azure_subscription_state state of the subscription (e.g. Enabled)

Resource-group-level metadata πŸ”—

The following table lists the metadata that is currently synced at a resource group level:

Azure name Custom property Description
name azure_resource_group_name name of the resource group
provisioningState azure_resource_group_provisioning_state provisioning state of the resource group (e.g. Succeeded)
region azure_resource_group_region region to which the resource group belongs (e.g. eastus)
Tags * azure_resource_group_tag<name-of-tag> (if resource group has user-defined tags) all resource group wide tags

* This property is a list of key value pairs in Azure. For example, if Azure has [key1:label01, key2:label02] as the labels property, we will have two properties: azure_resource_group_tag_key1 and azure_resource_group_tag_key2.)

Service-level metadata πŸ”—

The following table lists the metadata that is currently synced at a service level for the services listed below.

Virtual Machines πŸ”—

For Virtual Machines, Splunk Infrastructure Monitoring gets a subset of metadata about the instance, as well as custom metadata specified by the user on an instance level.

Azure name Custom property Description
computerName azure_computer_name name of the virtual machine instance
imageReference.offer azure_image_reference_offer offer of the image reference (e.g. UbuntuServer)
imageReference.publisher azure_image_reference_publisher publisher of the image reference (e.g. Canonical)
imageReference.sku azure_image_reference_sku SKU of the image reference (e.g. 16.04-LTS)
imageReference.version azure_image_reference_version version of the image reference (e.g. latest)
osDiskCachingType azure_os_disk_caching_type OS Disk caching type of the instance (e.g. ReadWrite)
osType azure_os_type type of OS on the virtual machine (e.g. β€œLINUX” or β€œWINDOWS”)
osDiskSize azure_os_disk_size disk size in GB
powerState azure_power_state power state of the virtual machine (e.g. PowerState/running)
provisioningState azure_provisioning_state provisioning state of the virtual machine (e.g. Succeeded)
size azure_size information about the size of the virtual machine (e.g. Standard_D2s_v3)
vmId azure_vm_id ID given to the virtual machine instance by Azure

Batch Accounts πŸ”—

For Batch Accounts, we currently sync the following properties.

Azure name Custom property Description
activeJobAndJobScheduleQuota azure_active_job_and_job_schedule_quota active job and job schedule quota for this batch account
coreQuota azure_core_quota core quota for the batch account
poolQuota azure_pool_quota pool quota for the batch account
provisioningState azure_provisioning_state provisioningState of the batch account (e.g. Succeeded)

Storage Account πŸ”—

For Storage Accounts, we currently sync the following properties.

Azure name Custom property Description
creationTime azure_creation_time time at which the account was created (e.g. Thu Jan 19 18:16:25 UTC 2018)
kind azure_kind kind of storage account (e.g. Storage or BLOB)
sku azure_sku SKU of the storage acount (e.g. Standard_LRS)

Redis Cache πŸ”—

For Redis caches, we currently sync the following properties.

Azure name Custom property Description
hostName azure_host_name host name of the Redis cache
isPremium azure_is_premium indicates whether or not the service is premium
port azure_port port value for Redis cache (e.g. 6379)
sslPort azure_ssl_port sslPort value for Redis cache (e.g. 6380)
nonSslPort azure_non_ssl_port is true if nonSslPort is enabled
provisioningState azure_provisioning_state provisioning state of the Redis cache (e.g. Succeeded)
redisVersion azure_redis_version version of Redis
shardCount azure_shard_count number of shards
sku azure_sku SKU of the Redis cache (e.g. Standard_C1)

Virtual Machine Scale Sets πŸ”—

For Virtual Machine Scale Sets, we currently sync the following properties.

Azure name Custom property Description
computerNamePrefix azure_computer_name_prefix computer name prefix of the instances in the scale set
imageReference.offer azure_image_reference_offer offer of the image reference (e.g. UbuntuServer)
imageReference.publisher azure_image_reference_publisher publisher of the image reference (e.g. Canonical)
imageReference.sku azure_image_reference_sku SKU of the image reference (e.g. 16.04-LTS)
imageReference.version azure_image_reference_version version of the image reference (e.g. latest)
capacity azure_capacity number of instances in the scale set
osDiskCachingType azure_os_disk_caching_type OS Disk caching type of the instance (e.g. ReadWrite)
primaryNetworkId azure_primary_network_id ID of the primary network of the scale set
overProvisionEnabled azure_over_provision_enabled indicates whether or not over provisioning is enabled
upgradeModel azure_upgrade_model upgrade model of the scale set (e.g. Manual)

Virtual Machines in Scale Sets πŸ”—

For Virtual Machines in Scale Sets, we currently sync the following properties.

Azure name Custom property Description
imageReference.offer azure_image_reference_offer offer of the image reference (e.g. UbuntuServer)
imageReference.publisher azure_image_reference_publisher publisher of the image reference (e.g. Canonical)
imageReference.sku azure_image_reference_sku SKU of the image reference (e.g. 16.04-LTS)
imageReference.version azure_image_reference_version version of the image reference (e.g. latest)
instanceId azure_instance_id instance id of the VM in the Scaleset
osDiskCachingType azure_os_disk_caching_type OS Disk caching type of the instance (e.g. ReadWrite)
osDiskName azure_os_disk_name OS Disk name of the instance
osDiskSize azure_os_disk_size OS Disk size of the instance
osType azure_os_type OS Type (e.g. Linux)
powerState azure_power_state Power state of the instance (e.g. PowerState/running)
size azure_size Size of the instance (e.g. Standard_A1)
sku azure_sku sku of the instance (e.g. com.microsoft.azure.management.compute.Sku@151e5d8d)

Resource Tags πŸ”—

Properties of resources from services we support that are put on to the azure_resource_id dimension.

Azure name Custom property Description
name azure_resource_name name of the resource
region azure_region region to which the resource belongs (e.g. eastus)
Tags * azure_tag<name-of-tag> (if resource has user-defined tags) all resource tags

* This property is a list of key value pairs in Azure. For example, if Azure has [key1:label01, key2:label02] as the labels property, we will have two properties: azure_tag_key1 and azure_tag_key2.)