topic Re: Azure Monitor - error message in All Apps and Add-ons

Azure Monitor - error message

Log_wrangler — Tue, 29 Sep 2020 20:55:55 GMT

08-16-2018 16:31:19.869 -0500 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Azure_Monitor/bin/azure_activity_log.sh" Modular input azure_activity_log://azure-event-hub-dev Error getting event hub creds: SyntaxError: Unexpected end of JSON input

Does anyone know how to fix this?

Re: Azure Monitor - error message

marycordova — Thu, 16 Aug 2018 22:28:16 GMT

I don't like the Azure Monitor from MicroSoft or the Microsoft Cloud Services App from Splunk...

Here is a method I developed for audit logs from Azure and O365 using the Log Analytics repositories.

This might work for you depending on what you are trying to get at: https://answers.splunk.com/answers/678660/how-to-get-logs-from-azure-and-o365-into-splunk.html

Also, one of my co-workers whipped up a powershell script the other day to get at some data via the API that I couldn't get in Log Analytics and he just reused my http/HEC listener to post to.

I like the reliability and simplicity of this setup much better than some of the other options available.

Re: Azure Monitor - error message

jconger — Thu, 16 Aug 2018 22:48:21 GMT

Can you post your inputs.conf?

Re: Azure Monitor - error message

Log_wrangler — Fri, 17 Aug 2018 13:05:24 GMT

I am not sure what you mean, the TA inputs are default. I set it up through the GUI under data inputs activity_log. Please explain which inputs I should look at. Thank you

Re: Azure Monitor - error message

Log_wrangler — Fri, 17 Aug 2018 13:06:04 GMT

Thank you, we will look into this option. Yes the azure apps have been a pain.

Re: Azure Monitor - error message

Log_wrangler — Fri, 17 Aug 2018 13:22:34 GMT

So do you think your solution will work with an event hub in azure? Thank you

Re: Azure Monitor - error message

marycordova — Fri, 17 Aug 2018 15:32:00 GMT

probably...if theres some way to build a little logic app to query or receive from the event hub, but if the logs are something already available in Log Analytics and/or a "Solution"+Log Analytics you can do away with the event hub entirely

Re: Azure Monitor - error message

marycordova — Fri, 17 Aug 2018 15:34:54 GMT

btw, this TA/App only works on Splunk Enterprise instances deployed inside Azure from the Azure Marketplace and it must be version 7+

if you get it working you can then forward to wherever your main Splunk deployment is...

Re: Azure Monitor - error message

jconger — Fri, 17 Aug 2018 22:57:52 GMT

Can you share what you used for the values in the input (be sure to anonymize the values)? This is what ends up in inputs.conf and will help troubleshoot.

Re: Azure Monitor - error message

jconger — Fri, 17 Aug 2018 23:01:24 GMT

The add-on is not required to run inside of Azure. You can run it on Splunk 6.5+ anywhere an outbound connection can be made to Azure (on-prem, public cloud, private cloud).

Re: Azure Monitor - error message

Log_wrangler — Wed, 05 Sep 2018 14:32:21 GMT

Thank you for the replies.
Others have looked into this as well, and they have found a bug and abandoned the TA.
I wanted to use the azure monitor with event hub to preclude manually entering accounts and inputs for all my azure data.

Trying to automate the manual process with the API now.