Hi all,
We installed the latest Microsoft Azure Active Directory Reporting Add-on for Splunk on our installation running 7.0.
We configured inputs for Signing and Audit data. However, no data is received. We found the same error in the logs of each input:
2018-05-18 16:29:34,344 ERROR pid=14469 tid=MainThread file=base_modinput.py:log_error:307 | Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 113, in stream_events
self.parse_input_args(input_definition)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 152, in parse_input_args
self._parse_input_args_from_global_config(inputs)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 170, in _parse_input_args_from_global_config
global_config = GlobalConfig(uri, session_key, global_schema)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/splunktaucclib/global_config/__init__.py", line 51, in __init__
port=splunkd_info.port,
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/solnlib/net_utils.py", line 129, in wrapper
'Illegal argument: {}={}'.format(arg, value))
ValueError: Illegal argument: host=::1
I wonder if it's caused by setting the Sign-on URL to https://localhost, as mentioned in the link about "prerequisites to access the Azure AD reporting API", while our system runs IPv4 and IPv6. It seems the v6 localhost address ::1 is invalid.
Would anyone please help?
Thanks a lot.
/ST Wong
Thanks. I have a similar error on another add-on, which was fixed by adding the following to /etc/hosts on the corresponding Splunk instance host:
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
Maybe this case can also be fixed similarly.
Anyway, we switched to test the new add-on https://splunkbase.splunk.com/app/4055/ instead per support's advice.
Thanks to all who responded.
In case this is still an issue for people,
adding the following to server.conf resolved it for me:
[general]
connectUsingIpVersion = 4-first
The Sign-on URL is not used by the add-on. The error seems to indicate something wrong in your inputs.conf, so it would be helpful to post that here in a reply.
FYI - when creating an Azure AD application registration, the Sign-on URL parameter is required, but any valid URL will work. The reason the parameter is there is to support a workflow. Some Azure AD applications have an interactive user prompt. This triggers some workflow on the Azure side. When the work is done on the Azure side, the user is redirected to the URL specified by that parameter. This add-on does not have any of this workflow, so any valid URL will work as it won't be used.
Update:
We tried on another Splunk 7.0 installation without IPv6 support. The same error didn't occur.
Did you ever find a solution for this problem with IPv6 support enabled?
I have the same problem:
2018-10-23 14:30:26,401 ERROR pid=19302 tid=MainThread file=base_modinput.py:log_error:308 | Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 113, in stream_events
self.parse_input_args(input_definition)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 153, in parse_input_args
self._parse_input_args_from_global_config(inputs)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 171, in _parse_input_args_from_global_config
global_config = GlobalConfig(uri, session_key, global_schema)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/splunktaucclib/global_config/__init__.py", line 51, in __init__
port=splunkd_info.port,
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/solnlib/net_utils.py", line 129, in wrapper
'Illegal argument: {}={}'.format(arg, value))
ValueError: Illegal argument: host=::1
Hi, not yet. We're waiting for an updated version of the add-on... Thanks.
Hi,
Thanks for the reply. The input file looks like the following, which was created by the Add-On's GUI:
----------------- cut here ----------------
[MS_AAD_signins://Azure_AD_Signins]
interval = 5
start_date = 2018-05-01 00:00:00
tenant_domain = mytenant.onmicrosoft.com
[MS_AAD_audit://Azure_AD_Audit]
interval = 5
start_date = 2018-05-01 00:00:00
tenant_domain = mytenant.onmicrosoft.com
----------------- cut here ----------------
Regarding the Sign-On URL, we just followed the instructions at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-prerequisites..., to put https://localhost there:
c. In the Sign-on URL textbox, type https://localhost.
I wonder if "localhost" resolves to ::1 as our heavy forwarder runs dual IPv4 and IPv6 stack.
Thanks a lot.
Regards,
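Added illustration, not code from the add-on, solnlib, or any poster in this thread: the tracebacks above show an argument check rejecting host=::1, so this sketch parses a splunkd-style URI and compares a hostname-only validator with one that also accepts IP literals. The regex, the function names and the sample URIs are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical hostname-only pattern (dot-separated DNS labels). It stands in
# for whatever check raised "Illegal argument: host=::1"; it is not solnlib's code.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(r"%s(\.%s)*" % (_LABEL, _LABEL))


def split_splunkd_uri(uri):
    """Return (scheme, host, port); urlsplit strips the [] around IPv6 literals."""
    parts = urlsplit(uri)
    return parts.scheme, parts.hostname, parts.port


def hostname_only_ok(host):
    """Strict check: accepts DNS names and dotted IPv4, rejects any IPv6 literal."""
    return bool(host) and len(host) <= 255 and HOSTNAME_RE.fullmatch(host) is not None


def host_ok(host):
    """IPv6-aware check: try an IP literal first, then fall back to hostname rules."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return hostname_only_ok(host)


def check(uri):
    """Follow the failing path in miniature: parse the URI, then validate its host."""
    _, host, _ = split_splunkd_uri(uri)
    return {"host": host, "hostname_only": hostname_only_ok(host), "ipv6_aware": host_ok(host)}


# Constructed sample URIs (assumed values, not taken from any poster's system).
SAMPLES = ["https://[::1]:8089", "https://127.0.0.1:8089", "https://localhost:8089"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, check(uri))
```

Only the bracketed IPv6 loopback URI fails the hostname-only check, which matches the observation in the thread that the error did not occur on an installation without IPv6 support.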