Splunk Add-on for Microsoft Cloud Services:

DavidBooth — Thu, 14 Jun 2018 16:06:06 GMT

Hello all,
Myself and My colleagues are attempting to set up the Splunk Add-on for Microsoft Cloud Services to pull down NSG Flow logs out of a Network Watcher an into Splunk.
We have been following the "Splunking Microsoft Azure Network Watcher Data" tutorial on the "TIPS & TRICKS" section of the Splunk Blog.

Azure Storage account has been setup to the best of our understanding using an Access Key.

Azure Storage Blob has been setup as per the tutorial (The important part being Container Name : "insights-logs-networksecuritygroupflowevent")

When this is ran we get the following error and are having difficulties trying to establish what the cause may be:

YYYY-MM-dd hh:mm:ss,xxx +0000 log_level=ERROR, pid=xxxxx, tid=Thread-34, file=mscs_storage_dispatcher.py, func_name=_dispatch_storage_list, code_line_no=86 | [stanza_name="<stanza_name>" account_name="<account_name>" container_name="insights-logs-networksecuritygroupflowevent" blob_list=""] Exception@_dispatch_tables() ,error_message=ConnectionError: HTTPSConnectionPool(host='<account_name>.blob.core.windows.net', port=443): Max retries exceeded with url: /insights-logs-networksecuritygroupflowevent?restype=container&comp=list (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 110] Connection timed out',))
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_dispatcher.py", line 82, in _dispatch_storage_list
    self._do_dispatch()
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_dispatcher.py", line 93, in _do_dispatch
    self._dispatch_tasks(patterns)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_dispatcher.py", line 115, in _dispatch_tasks
    next_marker, patterns)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_blob_dispatcher.py", line 92, in _get_storage_info_list
    marker=marker)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/azure/storage/blob/baseblobservice.py", line 1177, in list_blobs
    resp = self._list_blobs(*args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/azure/storage/blob/baseblobservice.py", line 1247, in _list_blobs
    response = self._perform_request(request)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/azure/storage/storageclient.py", line 186, in _perform_request
    raise AzureException('{}: {}'.format(ex.__class__.__name__, ex.args[0]))
AzureException: ConnectionError: HTTPSConnectionPool(host='<account_name>.blob.core.windows.net', port=443): Max retries exceeded with url: /insights-logs-networksecuritygroupflowevent?restype=container&comp=list (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fdf0c7eb790>: Failed to establish a new connection: [Errno 110] Connection timed out',))

We are able to Curl from the Heavy Forwarder the app is installed on to the storage URL's.

We are stuck trying to determine if the problems due to configuration within Splunk or in the cloud or somewhere in-between.
If anyone could offer any suggestions on lines of investigation or if they have experienced anything similar before, we would be grateful.

Many Thanks.

Re: Splunk Add-on for Microsoft Cloud Services:

jconger — Tue, 29 Sep 2020 20:03:41 GMT

Did you create this input by going into the Splunk Add-on for Microsoft Cloud Services UI, or did you create the input by going to Settings -> Data Inputs?

The reason I ask is the error messages have the following red flags:

stanza_name="" account_name="" account_name should not be blank.
host='.blob.core.windows.net', port=443 If account_name was not blank (let's say account_name was my-storage-account), a connection would be made to host='my-storage-account.blob.core.windows.net', port=443

To set his up, open the Splunk Add-on for Microsoft Cloud Services app -> Configuration -> Azure Storage Account -> Add Azure Storage Account. Then, create the input by going to the Inputs menu -> Create New Input -> Azure Storage Blob.

Here is a good blob post on the subject -> https://www.splunk.com/blog/2017/08/18/splunking-microsoft-cloud-data-part-2.html

Re: Splunk Add-on for Microsoft Cloud Services:

DavidBooth — Fri, 15 Jun 2018 14:08:19 GMT

Thanks for the reply and My apologies,
I had wrapped the anonymized configuration details in “<>” without realising they would be parsed out when I posted. This also removed part of the error message.
So stanza_name=”” should have read stanza_name=<stanza_name>

I used the GUI to input the details.
Thanks again.

topic Splunk Add-on for Microsoft Cloud Services: in All Apps and Add-ons

Splunk Add-on for Microsoft Cloud Services:

Re: Splunk Add-on for Microsoft Cloud Services:

Re: Splunk Add-on for Microsoft Cloud Services: