How to: Integrate Azure Active Directory logs with Splunk using Azure Monitor

In this article, you learn how to integrate Azure Active Directory (Azure AD) logs with Splunk by using Azure Monitor. You first route the logs to an Azure event hub, and then you integrate the event hub with Splunk.

Prerequisites

To use this feature, you need:

Integrate Azure Active Directory logs

  1. Open your Splunk instance, and select Data Summary.

    (Screenshot: Data Summary button)

  2. Select the Sourcetypes tab, and then select amal: aadal:audit.

    (Screenshot: Data Summary, Sourcetypes tab)

    The Azure AD activity logs are shown in the following figure:

    (Screenshot: Activity logs)

Note

If you cannot install an add-on in your Splunk instance (for example, if you're using a proxy or running on Splunk Cloud), you can forward these events to the Splunk HTTP Event Collector (HEC) instead. To do so, use this Azure function, which is triggered by new messages in the event hub.
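The following is an added example of the forwarding logic such a function needs, not the Azure function linked above or any Microsoft or Splunk code. It assumes the message format Azure Monitor diagnostic settings write to an event hub (a JSON object with a `records` array whose entries carry `time` and `category`), and it chooses its own HEC sourcetype names (`azure:aad:audit`, `azure:aad:signin`); the sample message is constructed for illustration. The HTTP request is built separately from sending so the mapping can be tested offline.

```python
"""Map Azure Monitor event hub messages to Splunk HEC events (added example)."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib import request

# Assumed mapping from Azure Monitor record category to a Splunk sourcetype;
# pick names that match the props/transforms you configure on the Splunk side.
SOURCETYPE_BY_CATEGORY = {
    "AuditLogs": "azure:aad:audit",
    "SignInLogs": "azure:aad:signin",
}
DEFAULT_SOURCETYPE = "azure:monitor:unknown"

# Constructed sample of one event hub message in the Azure Monitor envelope
# shape ({"records": [...]}). The third record has a malformed timestamp on
# purpose, to show the failure path.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {"time": "2019-03-12T10:11:12Z", "category": "AuditLogs",
         "operationName": "Add user", "resultType": "Success"},
        {"time": "2019-03-12T10:11:12.1234567Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "0"},
        {"time": "not-a-time", "category": "AuditLogs",
         "operationName": "Update user"},
    ]
})

_ISO_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")


def _iso_to_epoch(ts: str) -> float:
    """Parse an ISO 8601 UTC timestamp with up to 7 fractional digits
    (which datetime.fromisoformat rejects on older Pythons) into epoch seconds."""
    m = _ISO_RE.fullmatch(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    frac = (m.group(2) or "")[:6].ljust(6, "0")  # truncate to microseconds
    return base.timestamp() + int(frac) / 1_000_000


def build_hec_events(message_body: str, host: str = "azure-eventhub") -> List[Dict]:
    """Turn one event hub message into a list of HEC event objects.

    Records whose timestamp cannot be parsed are still forwarded, but without
    a 'time' field so HEC stamps them with the receipt time instead of
    silently dropping them."""
    envelope = json.loads(message_body)
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if not isinstance(records, list):
        raise ValueError("message is not an Azure Monitor 'records' envelope")
    events = []
    for rec in records:
        category = rec.get("category", "")
        event: Dict = {
            "host": host,
            "source": "azure:monitor:eventhub",
            "sourcetype": SOURCETYPE_BY_CATEGORY.get(category, DEFAULT_SOURCETYPE),
            "event": rec,  # keep the full record as the indexed event
        }
        try:
            event["time"] = _iso_to_epoch(rec["time"])
        except (KeyError, TypeError, ValueError):
            pass
        events.append(event)
    return events


def hec_payload(events: List[Dict]) -> bytes:
    """HEC accepts several JSON event objects in a single POST body."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode("utf-8")


def build_hec_request(hec_url: str, token: str, events: List[Dict]) -> request.Request:
    """Build the POST for /services/collector/event; the token travels in the
    Authorization header, so hec_url must be https."""
    if not hec_url.lower().startswith("https://"):
        raise ValueError("refusing to send a HEC token over plaintext HTTP")
    return request.Request(
        hec_url,
        data=hec_payload(events),
        method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )


def forward(message_body: str, hec_url: str, token: str, timeout: float = 10.0) -> int:
    """Parse one event hub message and POST its records to HEC; returns the HTTP status."""
    req = build_hec_request(hec_url, token, build_hec_events(message_body))
    with request.urlopen(req, timeout=timeout) as resp:  # certificate is verified by default
        return resp.status
```

Inside an event-hub-triggered Azure Function you would call `forward(event.get_body().decode("utf-8"), hec_url, token)` for each `EventHubEvent`, reading the URL and token from application settings rather than source. Keep `urlopen`'s default certificate verification; disabling it to reach a HEC endpoint with a self-signed certificate exposes the token to anyone on the path.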

Next steps