Error with Microsoft Azure Active Directory Reporting Add-on for Splunk

stwong
Communicator

Hi all,

We installed the latest Microsoft Azure Active Directory Reporting Add-on for Splunk on our installation running 7.0.

We configured inputs for Signing and Audit data. However, no data is received. We found the same error in the logs of each input:

2018-05-18 16:29:34,344 ERROR pid=14469 tid=MainThread file=base_modinput.py:log_error:307 | Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 113, in stream_events
    self.parse_input_args(input_definition)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 152, in parse_input_args
    self._parse_input_args_from_global_config(inputs)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 170, in _parse_input_args_from_global_config
    global_config = GlobalConfig(uri, session_key, global_schema)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/splunktaucclib/global_config/__init__.py", line 51, in __init__
    port=splunkd_info.port,
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/solnlib/net_utils.py", line 129, in wrapper
    'Illegal argument: {}={}'.format(arg, value))
ValueError: Illegal argument: host=::1  

I wonder if it's caused by the Sign-on URL being set to https://localhost, as mentioned in the link about "prerequisites to access the Azure AD reporting API", while our system runs IPv4 and IPv6. It seems the v6 localhost address ::1 is invalid.

Would anyone please help?

Thanks a lot.
/ST Wong

0 Karma
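
The traceback above ends in an argument validator rejecting `::1` as a host value. The following added example (not code from the add-on or from solnlib; every function name is hypothetical and port 8089 is a sample value) reproduces that failure with an IPv4-or-hostname check and shows a check that also accepts IPv6 literals, bracketing them for use in a URL.

```python
import functools
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_hostname(value):
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(p) for p in value.rstrip(".").split("."))

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def is_ip_any(value):
    """Accept IPv4 and IPv6 literals, with or without URL brackets."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False

def check_params(**validators):
    """Hypothetical decorator: validate keyword arguments before the call."""
    def decorate(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            for arg, ok in validators.items():
                if arg in kwargs and not ok(kwargs[arg]):
                    raise ValueError("Illegal argument: {}={}".format(arg, kwargs[arg]))
            return func(*args, **kwargs)
        return wrapper
    return decorate

# IPv4-or-hostname only: an IPv6 loopback literal fails this check.
@check_params(host=lambda v: is_ipv4(v) or is_hostname(v))
def uri_strict(scheme="https", host="localhost", port=8089):
    return "{}://{}:{}".format(scheme, host, port)

# Dual-stack aware: IPv6 literals pass and are bracketed in the URL.
@check_params(host=lambda v: is_ip_any(v) or is_hostname(v))
def uri_dual_stack(scheme="https", host="localhost", port=8089):
    bare = host.strip("[]")
    if ":" in bare:  # IPv6 literal: must be bracketed in a URL (RFC 3986)
        host = "[{}]".format(bare)
    return "{}://{}:{}".format(scheme, host, port)
```
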

stwong
Communicator

Thanks. I have a similar error on another add-on, which was fixed by adding the following to /etc/hosts on the corresponding Splunk instance host:

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Maybe this case can also be fixed similarly.
Anyway, we switched to test the new add-on https://splunkbase.splunk.com/app/4055/ instead per support's advice.

Thanks to all who responded.

0 Karma

markvandeventer
Engager

In case this is still an issue for people, adding the following to server.conf resolved it for me.

[general]
connectUsingIpVersion = 4-first

jconger
Splunk Employee

The Sign-on URL is not used by the add-on. The error seems to indicate something wrong in your inputs.conf, so it would be helpful to post that here in a reply.

FYI - when creating an Azure AD application registration, the Sign-on URL parameter is required, but any valid URL will work. The reason the parameter is there is to support a workflow. Some Azure AD applications have an interactive user prompt. This triggers some workflow on the Azure side. When the work is done on the Azure side, the user is redirected to the URL specified by that parameter. This add-on does not have any of this workflow, so any valid URL will work as it won't be used.

stwong
Communicator

Update:

We tried on another Splunk 7.0 installation without IPv6 support. The same error didn't occur.

0 Karma

florismouwen
New Member

Did you ever find a solution for this problem with IPv6 support enabled?
I have the same problem:

2018-10-23 14:30:26,401 ERROR pid=19302 tid=MainThread file=base_modinput.py:log_error:308 | Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 113, in stream_events
    self.parse_input_args(input_definition)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 153, in parse_input_args
    self._parse_input_args_from_global_config(inputs)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 171, in _parse_input_args_from_global_config
    global_config = GlobalConfig(uri, session_key, global_schema)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/splunktaucclib/global_config/__init__.py", line 51, in __init__
    port=splunkd_info.port,
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/solnlib/net_utils.py", line 129, in wrapper
    'Illegal argument: {}={}'.format(arg, value))
ValueError: Illegal argument: host=::1
0 Karma

stwong
Communicator

Hi, not yet. We're waiting for an updated version of the add-on... Thanks.

0 Karma

stwong
Communicator

Hi,

Thanks for the reply. The input file looks like the following, which was created by the Add-On's GUI:

----------------- cut here ----------------
[MS_AAD_signins://Azure_AD_Signins]
interval = 5
start_date = 2018-05-01 00:00:00
tenant_domain = mytenant.onmicrosoft.com

[MS_AAD_audit://Azure_AD_Audit]
interval = 5
start_date = 2018-05-01 00:00:00
tenant_domain = mytenant.onmicrosoft.com
----------------- cut here ----------------

Regarding the Sign-On URL, we just follow the instruction at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-prerequisites..., to put https://localhost there:

c. In the Sign-on URL textbox, type https://localhost.

I wonder if "localhost" resolves to ::1 as our heavy forwarder runs dual IPv4 and IPv6 stack.

Thanks a lot.
Regards,

0 Karma