All Apps and Add-ons

Does this app support fetching data via proxy?

Observer

I can not find any information on Splunkbase or in the .conf-files regarding support for using proxy for fetching data.

I notice there is a function "removehttpproxyenvvars" in the python code, so I assume if the environment variable http_proxy is set, it is specifically removed when fetching data?

def remove_http_proxy_env_vars():
    for k in ("http_proxy", "https_proxy"):
        if k in os.environ:
            del os.environ[k]
        elif k.upper() in os.environ:
            del os.environ[k.upper()]

Is there a way around this? Is support for proxy in the works for the next version? We have strict rules, forcing us to use proxy when connecting to the Internet.

Cheers
Rolf

0 Karma

New Member

Is there an ETA of this proxy functionality being added to this TA?

0 Karma

Splunk Employee
Splunk Employee

Not yet. But, in the meantime, you can edit the inputmoduleMSAADaudit.py and inputmoduleMSAADsignins.py files. These files do the work for the different inputs. The Python requests library is utilized to make calls to the Microsoft APIs, and this library does support proxy severs. Look for the following lines of code in the files:

header = {'Authorization':'Bearer ' + access_token}
r = requests.get(url,headers=header)

Change it to:

header = {'Authorization':'Bearer ' + access_token}
proxies = {
    'http': 'http://proxy_server_address:proxy_server_port',
    'https': 'http://proxy_server_address:proxy_server_port',
}
r = requests.get(url,proxies=proxies,headers=header)
0 Karma

Observer

Thanks Jason, seems to work fine. We're running SSL-inspection on the proxies so I received the following, even tho the CA certificates are present in the OS cert store (RedHat 7.4):
2018-04-06 12:20:58,356 ERROR pid=8322 tid=MainThread file=basemodinput.py:logerror:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/tamsaad/modinputwrapper/basemodinput.py", line 127, in streamevents
self.collect
events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py", line 68, in collectevents
input
module.collectevents(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input
moduleMSAADaudit.py", line 75, in collectevents
r = requests.get(url,proxies=proxies,headers=header)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/tamsaad/requests/api.py", line 70, in get
return request('get', url, params=params, *kwargs)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/tamsaad/requests/api.py", line 56, in request
return session.request(method=method, url=url, *
kwargs)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/tamsaad/requests/sessions.py", line 488, in request
resp = self.send(prep, *sendkwargs)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta
ms_aad/requests/sessions.py", line 609, in send
r = adapter.send(request, *
kwargs)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/tamsaad/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATEVERIFYFAILED] certificate verify failed (_ssl.c:676)

I did a bit of digging and changed the following in tamsaad/modinputwrapper/basemodinput.py to point to the correct CA store:
return self.resthelper.sendhttprequest(url=url, method=method, parameters=parameters, payload=payload,
headers=headers, cookies=cookies, verify='/etc/pki/tls/certs/ca-bundle.crt', cert=cert,
timeout=timeout, proxy
uri=self.getproxyuri() if useproxy else None)

0 Karma

Path Finder

hey guys,

I deployed the TA on our Splunk deployment and it is behind a firewall. So I edited both inputmoduleMSAADaudit.py and inputmoduleMSAADsignins.py as such:

proxies = {
'http': 'http://my-proxy-server:3128',
'https':'http://my-proxy-server:3128',
}
r = requests.get(url,proxies=proxies,headers=header)
### r = requests.get(url, headers=header)

But I am seeing this error:

12-10-2018 16:37:11.737 -0500 ERROR ExecProcessor - message from "python /splunk/app/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py" ERRORcannot concatenate 'str' and 'exceptions.KeyError' objects

12-10-2018 16:37:11.714 -0500 ERROR ExecProcessor - message from "python /splunk/app/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py" TypeError: cannot concatenate 'str' and 'exceptions.KeyError' objects

12-10-2018 16:37:11.714 -0500 ERROR ExecProcessor - message from "python /splunk/app/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py" header = {'Accept':'application/json', 'Authorization':'Bearer ' + access_token}

12-10-2018 16:37:11.714 -0500 ERROR ExecProcessor - message from "python /splunk/app/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py" File "/splunk/app/splunk/etc/apps/TA-MS-AAD/bin/inputmoduleMSAADaudit.py", line 90, in getauditevents

12-10-2018 16:37:11.714 -0500 ERROR ExecProcessor - message from "python /splunk/app/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py" auditevents = getauditevents(helper, accesstoken, url, max_records)

12-10-2018 16:37:11.714 -0500 ERROR ExecProcessor - message from "python /splunk/app/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py" File "/splunk/app/splunk/etc/apps/TA-MS-AAD/bin/inputmoduleMSAADaudit.py", line 129, in collect_events

12-10-2018 16:37:11.714 -0500 ERROR ExecProcessor - message from "python /splunk/app/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py" inputmodule.collectevents(self, ew)

12-10-2018 16:37:11.714 -0500 ERROR ExecProcessor - message from "python /splunk/app/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py" File "/splunk/app/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py", line 72, in collect_events

I've plugged the Azure clientID and secretKey in the TA's config screen. What am I missing?

Thanks.

0 Karma