
Azure Event hub input error in Microsoft Cloud Services add on

bhsakarchourasi
Path Finder

Hi All,

We are getting the below error while adding the app account configuration in the Microsoft Cloud Services Add-on from the web UI.

REST Error [400]: Bad Request -- Account authentication failed. Please check your credentials and try again

So, as per the documentation, we did the same configuration from the command line, and now it seems to be saved without any error.

But after configuring inputs for event hub it's giving below error message in sourcetype=mscs:azure:eventhub:log

2021-02-16 13:36:51,248 level=ERROR pid=50816 tid=MainThread logger=__main__ pos=utils.py:wrapper:72 | datainput="Test" start_time=1613479010 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_mscs/splunksdc/utils.py", line 70, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/mscs_azure_event_hub.py", line 597, in run
    credential = self._create_credentials(config, proxy)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/mscs_azure_event_hub.py", line 505, in _create_credentials
    args = parser.parse(content)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_mscs/splunksdc/config.py", line 125, in parse
    stanza[field.key] = field.parse(content)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_mscs/splunksdc/config.py", line 156, in parse
    value = super(IntegerField, self).parse(document)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_mscs/splunksdc/config.py", line 139, in parse
    raise KeyError("%s not exists" % self._key)
KeyError: 'account_class_type not exists'

 

First, the thing I doubt is whether the add-on is making a request to Azure cloud for authentication, because other credentials I tried, which work fine with another add-on (O365), also give the same error.

Second, if the app account configuration is saved without any error, is it working or not working (as I can't see an error in splunkd logs; it was coming when trying to configure from the web UI)?

Third, what will be the stanza for 'account_class_type' to put in the conf file, as it's not mentioned in the documentation?

 

Thanks,

Bhaskar

0 Karma
1 Solution

bhsakarchourasi
Path Finder

We followed the below link and provided the built-in ‘Azure Event Hubs Data Receiver’ role.

 
Hope this will help you.
 
Thanks.


bhsakarchourasi
Path Finder

Hi All,

We saw there is an update released for the Microsoft Cloud Services add-on on Splunkbase which describes nearly the same issue that we are facing with this add-on, so we tried upgrading the add-on, but it still didn't work for us.

Please help to resolve this issue.

Thanks in advance.

Bhaskar 

0 Karma

bhsakarchourasi
Path Finder

Hi All,

This issue is partially resolved by providing the root certificate in the configuration.

The path to the certificate is /opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/3rdparties/python3/certifi/cacert.pem

I would say the add-on's error handling is not clear enough to show the correct error message, so that may need to be updated in coming versions.

Now we are getting the below error in the event hub inputs configuration. I will be working on it, and once it is resolved I will post the solution. If anyone has faced this issue earlier, comments will be much appreciated.

2021-02-22 13:42:21,663 level=WARNING pid=37627 tid=Thread-1 logger=uamqp.receiver pos=receiver.py:get_state:270 | LinkDetach("ErrorCodes.UnauthorizedAccess: Unauthorized access. 'Listen' claim(s) are required to perform this operation. Resource: 'sb://xyz-namespace.servicebus.windows.net/diagnosticlogs/consumergroups/$default/partitions/0'. TrackingId:d02679b0b93f4cbda26ac45bce14cdf2_G46, SystemTracker:gateway5, Timestamp:2021-02-22T12:42:2

 

Thanks in advance

Bhaskar

0 Karma

andygerberkp
Explorer

I'm stuck here - do I have to get some certificate from my Azure portal and append it to this file?  I'm getting this same error stream that ends in "KeyError: 'account_class_type not exists'"

0 Karma

bhsakarchourasi
Path Finder

Hi andygerberkp,

It depends: if certificate-based authentication is configured in your case, then yes, you need to import the certificate; otherwise please connect with your Azure team to configure the service principal permissions properly, which should resolve the issue.

 

Thanks,

Bhaskar

 

 

0 Karma

bhsakarchourasi
Path Finder

Further to this.

The last error has been resolved by providing the proper entitlement to the service principal.

Currently we are getting the below messages in the event hub input internal logs.

2021-02-26 08:54:25,605 level=INFO pid=31978 tid=MainThread logger=splunksdc.loop pos=loop.py:is_aborted:38 | datainput="securitycenter" start_time=1614307646 | message="Loop has been aborted."
2021-02-26 08:14:18,418 level=WARNING pid=31978 tid=Thread-1 logger=uamqp.connection pos=connection.py:work:255 | ConnectionClose('ErrorCodes.UnknownError: Connection in an unexpected error state.')
 
Thanks,
Bhaskar
0 Karma

saad_siddiqi
Path Finder

Can you please tell me what entitlements you have given to get this working? 

I am encountering the same errors

 LinkDetach("ErrorCodes.UnauthorizedAccess: Unauthorized access. 'Listen' claim(s) are required to perform this operation

0 Karma

bhsakarchourasi
Path Finder

We followed the below link and provided the built-in ‘Azure Event Hubs Data Receiver’ role.

 
Hope this will help you.
 
Thanks.

saad_siddiqi
Path Finder

Yay! That did the trick!

Thanks a lot for your quick response.

0 Karma
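
As an added example (not part of the thread and not the add-on's own code), the Python below triages the add-on's internal log events by the error signatures quoted in this thread and, for the 'Listen' claim error, extracts the namespace, event hub and consumer group that the service principal's role must cover. The sample events are constructed from the thread's log lines with a placeholder namespace; all function and constant names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Error substring -> (category, what this thread reports about it).
SIGNATURES = [
    ("account_class_type not exists", "account_config",
     "Thread: partially resolved by configuring the root CA bundle (cacert.pem)."),
    ("'Listen' claim(s) are required", "missing_listen_claim",
     "Thread: resolved by granting 'Azure Event Hubs Data Receiver'."),
    ("Connection in an unexpected error state", "amqp_connection",
     "Thread: no resolution posted."),
]
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) level=(?P<level>\w+) "
    r"pid=\d+ tid=\S+ logger=(?P<logger>\S+) pos=\S+ \| (?P<body>.*)$", re.S)
DATAINPUT = re.compile(r'datainput="([^"]*)"')
RESOURCE = re.compile(r"Resource: '(sb://[^']+)'")

def triage(event):
    """Classify one (possibly multi-line) log event and extract its fields."""
    m = HEADER.match(event.strip())
    if not m:
        return {"category": "unparsed"}
    body = m.group("body")
    out = {"ts": m.group("ts"), "level": m.group("level"),
           "logger": m.group("logger"), "category": "other", "note": ""}
    di = DATAINPUT.search(body)
    if di:
        out["datainput"] = di.group(1)
    for needle, category, note in SIGNATURES:
        if needle in body:
            out["category"], out["note"] = category, note
            break
    res = RESOURCE.search(body)
    if res:
        # sb://<namespace host>/<hub>/consumergroups/<group>/partitions/<n>
        url = urlparse(res.group(1))
        parts = url.path.strip("/").split("/")
        out["namespace"], out["event_hub"] = url.hostname, parts[0]
        if len(parts) >= 3 and parts[1].lower() == "consumergroups":
            out["consumer_group"] = parts[2]
    return out

# Constructed samples modelled on the thread's log lines (placeholder namespace).
SAMPLE_LISTEN = """2021-02-22 13:42:21,663 level=WARNING pid=37627 tid=Thread-1 logger=uamqp.receiver pos=receiver.py:get_state:270 | LinkDetach("ErrorCodes.UnauthorizedAccess: Unauthorized access. 'Listen' claim(s) are required to perform this operation. Resource: 'sb://example-namespace.servicebus.windows.net/diagnosticlogs/consumergroups/$default/partitions/0'.")"""
SAMPLE_KEYERROR = """2021-02-16 13:36:51,248 level=ERROR pid=50816 tid=MainThread logger=__main__ pos=utils.py:wrapper:72 | datainput="Test" start_time=1613479010 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
KeyError: 'account_class_type not exists'"""

if __name__ == "__main__":
    for sample in (SAMPLE_LISTEN, SAMPLE_KEYERROR):
        print(triage(sample))
```

The extracted namespace and event hub identify the narrowest scope at which the Data Receiver role needs to be assigned, rather than a broader subscription-level grant.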