No Data is Showing in Splunk for Azure Monitor Add On #172
Description
Hello Folks,
I followed exactly the following three posts and successfully set up AzureMonitorAddonForSplunk.
I have installed the dependencies and I have allowed the two ports: 5671/5672.
https://www.splunk.com/en_us/blog/cloud/splunking-microsoft-azure-monitor-data-part-1-azure-setup.html
https://www.splunk.com/en_us/blog/cloud/splunking-microsoft-azure-monitor-data-part-2-splunk-setup.html
https://answers.splunk.com/answers/659163/unable-to-get-azure-activity-log-azure-diagnostic.html
Please note that I don't see any events logged in Splunk so far; however, I can see that my Event Hub Namespace is receiving data.
Here are the errors that I can see on the Splunk side:
01-13-2020 14:52:31.764 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" ValueError: Invalid connection string
01-13-2020 14:52:31.796 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" ERRORInvalid connection string
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" Traceback (most recent call last):
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" File "/data/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" self.collect_events(ew)
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" File "/data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 84, in collect_events
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" input_module.collect_events(self, ew)
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" File "/data/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 74, in collect_events
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" audit_events = azutils.get_items(helper, access_token, url, items=[])
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" File "/data/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 33, in get_items
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" raise e
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" HTTPError: 401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2020-01-06T14:52:31.778854Z+and+activityDateTime+le+2020-01-13T14:45:31.978925Z
01-13-2020 14:52:32.092 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" ERROR401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2020-01-06T14:52:31.778854Z+and+activityDateTime+le+2020-01-13T14:45:31.978925Z
01-13-2020 14:52:37.562 +0000 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Mon Jan 13 14:52:36 2020). Context: source=/data/applications/adobe/aem/author/crx-quickstart/logs/error.log|host=vm-azs-prd-rlxcomv6-301|rlxcom_prod_author_aem_error|161722
01-13-2020 14:52:40.814 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" /data/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/frames.js:64
01-13-2020 14:52:40.814 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" stream.write(buffer, callback);
01-13-2020 14:52:40.814 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" ^
01-13-2020 14:52:40.814 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" TypeError: Cannot read property 'write' of null
01-13-2020 14:52:40.814 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" at Object.frames.writeFrame (/data/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/frames.js:64:9)
01-13-2020 14:52:40.815 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" at Connection.sendFrame (/data/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/connection.js:329:10)
01-13-2020 14:52:40.815 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" at ReceiverLink.Link.attach (/data/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/link.js:152:27)
01-13-2020 14:52:40.815 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" at Timeout._onTimeout (/data/splunk/etc/apps/TA-Azure_Monitor/bin/app/node_modules/amqp10/lib/link.js:270:12)
01-13-2020 14:52:40.815 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" at ontimeout (timers.js:386:11)
01-13-2020 14:52:40.815 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" at tryOnTimeout (timers.js:250:5)
01-13-2020 14:52:40.815 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" at Timer.listOnTimeout (timers.js:214:5)
Your help is highly appreciated.
Many Thanks!
-Charbel
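As an added triage example (not part of this issue or of the add-on's code), the script below groups Splunk ExecProcessor errors like the ones above by the modular-input script that emitted them, keeps the first root-cause line per script, and maps it to a rough failure class (configuration, authentication, transport). The sample log lines are constructed from the issue's output and the category mapping is an assumed heuristic, not an official add-on check.

```python
import re

# Constructed sample, modelled on the ExecProcessor lines quoted in the issue.
SAMPLE_LOG = """\
01-13-2020 14:52:31.764 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/azure_event_hub.py" ValueError: Invalid connection string
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" Traceback (most recent call last):
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" raise e
01-13-2020 14:52:32.063 +0000 ERROR ExecProcessor - message from "python /data/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" HTTPError: 401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits
01-13-2020 14:52:37.562 +0000 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event.
01-13-2020 14:52:40.814 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" stream.write(buffer, callback);
01-13-2020 14:52:40.814 +0000 ERROR ExecProcessor - message from "/data/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" TypeError: Cannot read property 'write' of null
"""

# One ExecProcessor error line: timestamp, the command Splunk ran, and the message text.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) ERROR ExecProcessor - message from "(?P<cmd>[^"]+)" (?P<msg>.*)$'
)
# A message that names the exception itself (ValueError:, HTTPError:, TypeError: ...)
# rather than a traceback frame such as "raise e" or "File ...".
ROOT_CAUSE_RE = re.compile(r"^\w*Error\b")

# Assumed heuristic mapping from error text to a failure class (not from the add-on).
CATEGORY_RULES = [
    ("Invalid connection string", "config: Event Hub connection string is malformed or missing"),
    ("401 Client Error", "auth: Graph API rejected the token (app permissions/consent or credentials)"),
    ("Cannot read property 'write' of null", "transport: AMQP socket was never opened (connectivity to the namespace)"),
]


def classify(error_text):
    """Return the first matching failure class for an error message, or 'unknown'."""
    for needle, category in CATEGORY_RULES:
        if needle in error_text:
            return category
    return "unknown"


def triage(log_text):
    """Group ExecProcessor errors by input script; keep the first root-cause line per script."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ExecProcessor error (e.g. DateParserVerbose warnings)
        script = m.group("cmd").split("/")[-1]  # basename of the script Splunk executed
        msg = m.group("msg")
        if script not in findings and ROOT_CAUSE_RE.match(msg):
            findings[script] = {"first_seen": m.group("ts"), "error": msg, "category": classify(msg)}
    return findings


if __name__ == "__main__":
    for script, info in triage(SAMPLE_LOG).items():
        print(f"{script}: {info['category']}\n    {info['error']}")
```

Running it against splunkd.log instead of the sample (read the file into `triage`) gives one line per failing input, which separates the connection-string, Graph-permission and AMQP-connectivity problems instead of reading every traceback frame.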