topic Re: Splunk Connect for Zoom in All Apps and Add-ons

Splunk Connect for Zoom

Vijeta — Tue, 05 May 2020 23:09:21 GMT

Is anyone able to pull logs using Splunk Connect for Zoom. I have installed the app and configured as per documentation , also have created webhook only app in Zoom and subscribed the events for Splunk endpoint, I still cannot see anything in my index. Please let me know if it is working for you.

Re: Splunk Connect for Zoom

shivanshu1593 — Wed, 06 May 2020 08:01:06 GMT

Are you seeing any error messages in yiur splunkd logs for it? They can help you to get to the solution.

Re: Splunk Connect for Zoom

Vijeta — Wed, 06 May 2020 15:17:43 GMT

The only WARN message I see is "Socket error from while accessing /services/storage/passwords/..". There is no passwords.conf in this app folder although it gets created under search app, which I don't understand why.

Re: Splunk Connect for Zoom

wgawhh5hbnht — Mon, 11 May 2020 13:12:38 GMT

is splunk listening on the port? use

netstat -an | grep [whatever port you
specified]

In zoom you can check the call logs:
https://marketplace.zoom.us/user/logs

Re: Splunk Connect for Zoom

Vijeta — Mon, 25 May 2020 01:12:19 GMT

The Splunk connect for Zoom, had a bug which creates a password.conf file in your search app causing errors for reading password in logs. We opened a ticket with Splunk and they are working on fix, updated version shall soon be released. Hence closing this thread.

Re: Splunk Connect for Zoom

lim2 — Thu, 02 Jul 2020 14:26:48 GMT

Hi @Vijeta , Could you or someone advise what was the fix? Still seeing Splunk Connect for Zoom Version 1.0.1 April 23, 2020.

Anyone has to allow Zoom events traffic from https://marketplace.zoom.us/user/logs to be sent to one's Internal Splunk HF running Splunk connect for Zoom listening on 4443?

Thanks

Re: Splunk Connect for Zoom

Vijeta — Sat, 04 Jul 2020 19:22:26 GMT

Hi @lim2

The issue which I was seeing is when configuring Data inputs for Zoom on Splunk Heavy forwarder UI, it was creating passwords.conf file in the et/apps/search folder instead of Zoom app. After raising the ticket with Splunk, they provided with an updated python script to be used in the Zoom app instead of previous one. Post the update the issue related to file creation in search app was not there, but I am still getting 500 error from the Zoom web hook. This can be seen in marketplace.zoom.us under Webhook logs, it shows all the responses but with status code 500, so nothing gets ingested to Splunk. I have opened ticket with Zoom but haven't received any response. It does not seem to be a Splunk issue any more but may be a firewall issue or something not sure.

I would suggest you to open support ticket with Splunk, and they can provide you updated python or look into your issue.

Re: Splunk Connect for Zoom

pastorlibre — Thu, 16 Jul 2020 20:57:25 GMT

Hi @Vijeta and @lim2

I am also seeing error 500 on my ZOOM Splunk Webhook. did you get any further on this one? I am not seeing any data ingested. However I see in the log the password issue but also the following

TcpInputProc - Message rejected. Received unexpected message of size=369296128 bytes from src=3.211.241.114:36520 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

These started happening as soon as I opened up the port, Is there a place I should be putting a token key?

Re: Splunk Connect for Zoom

lim2 — Fri, 17 Jul 2020 14:49:12 GMT

Hi @pastorlibre The zoom admin pointed the "Event Notification Endpoint URL" to Splunk server DNS/Load balancer running "Splunk Connect for Zoom" on tcp 4443 and after granting network access to https://marketplace.zoom.us/docs/api-reference/webhook-reference#ip-addresses,

started to see series="zoom:webhook" events in metrics.log and sourcetype=zoom:webhook was searchable.

But now from splunkd.log, not seeing the http_500 code or the large +300MB. But seeing lots of:

07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.235.69.93 - - [17/Jul/2020 14:35:45] "POST / HTTP/1.1" 200 -
07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.211.241.118 - - [17/Jul/2020 14:35:45] "POST / HTTP/1.1" 200 -
07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.235.69.92 - - [17/Jul/2020 14:35:46] "POST / HTTP/1.1" 200 -
07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.235.69.93 - - [17/Jul/2020 14:35:46] "POST / HTTP/1.1" 200 -
I will open case with Splunk support.