Hi everyone:
Does the Splunk Add-on for Microsoft Cloud Services or the Splunk Add-on for Azure support collecting from Azure China?
1. Splunk Add-on for Azure
I created a new account and created a new input,
but the log reports an error:
```
cat ta_ms_aad_azure_virtual_network.log
2023-06-14 10:32:07,118 INFO pid=4938 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO
2023-06-14 10:32:07,118 INFO pid=4938 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2023-06-14 10:32:08,558 ERROR pid=4938 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/azure_virtual_network.py", line 212, in collect_events
    raise RuntimeError("Unable to obtain access token. Please check the Client ID, Client Secret, and Tenant ID")
RuntimeError: Unable to obtain access token. Please check the Client ID, Client Secret, and Tenant ID
```
2. Splunk Add-on for Microsoft Cloud Services
When I created the Azure app account, it reported: Account authentication failed. Please check your credentials and try again
Does anyone know whether the two add-ons support Azure China or not?
Thanks
Hi DavidLi
I didn't realise that after a year you would still reply, thank you so much!
I have asked ChatGPT. The answer is below. So I don't think there is an easy way, like modifying a conf file, to resolve this issue.
As of the latest available information, there are no widely recognized third-party solutions or community-contributed add-ons specifically tailored for Splunk to collect logs from Azure China. Most existing add-ons, including the official *Splunk Add-on for Microsoft Cloud Services*, are designed for the global Azure environment and may require customization to work with Azure China.
### Options and Workarounds:
1. **Customization of Existing Add-ons**:
- You can manually modify the Splunk Add-on for Microsoft Cloud Services to point to the Azure China endpoints by editing the configuration files directly. This is the most common workaround but requires technical know-how to ensure compatibility and proper data collection.
2. **Custom Scripts**:
- If modifying existing add-ons is too complex or not feasible, you can create custom scripts using Azure SDKs (like Python SDK) to pull data from Azure China and forward it to Splunk using the HTTP Event Collector (HEC).
3. **Using REST API**:
- Another approach is to use the Splunk Add-on for REST APIs to interact directly with Azure China's API endpoints. This method gives you the flexibility to collect any data available via the Azure China REST API.
4. **Community Forums and Contributions**:
- While specific tailored add-ons for Azure China are not available, you may find discussions or shared configurations on the [Splunk Community Forums](https://community.splunk.com/) or other community-driven platforms like GitHub, where users may have shared their custom solutions.
### Keeping Up-to-Date:
It's recommended to regularly check Splunkbase and participate in community discussions to stay updated on any new add-ons or tools that might become available for Azure China.
For more details, you can visit [Splunkbase](https://splunkbase.splunk.com/) and the [Splunk Community](https://community.splunk.com/).
I have modified the API links of Azure and replaced all of them with the API URLs of Azure China, but I can only collect part of the data, not all of it.
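A check for the situation in the post above, as an added example that is not part of the thread or of either add-on: it scans source or configuration text for global Azure hostnames that still need their Azure China (21Vianet) counterpart. The `SAMPLE` text is constructed, and the function names are hypothetical.

```python
import re

# Global Azure host suffixes and their Azure China (21Vianet) counterparts.
GLOBAL_TO_CHINA = {
    "login.microsoftonline.com": "login.chinacloudapi.cn",
    "management.azure.com": "management.chinacloudapi.cn",
    "management.core.windows.net": "management.core.chinacloudapi.cn",
    "graph.microsoft.com": "microsoftgraph.chinacloudapi.cn",
    "servicebus.windows.net": "servicebus.chinacloudapi.cn",
    "core.windows.net": "core.chinacloudapi.cn",
    "vault.azure.net": "vault.azure.cn",
}
# Longest suffix first, so management.core.windows.net wins over core.windows.net.
_SUFFIXES = sorted(GLOBAL_TO_CHINA, key=len, reverse=True)
_HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def china_equivalent(host):
    """Return the Azure China host for a global Azure host, or None."""
    host = host.lower()
    for suffix in _SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return host[: len(host) - len(suffix)] + GLOBAL_TO_CHINA[suffix]
    return None

def find_global_endpoints(text):
    """Return (line_no, host, china_host) for each global Azure host in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for host in _HOST_RE.findall(line):
            replacement = china_equivalent(host)
            if replacement:
                findings.append((line_no, host, replacement))
    return findings

# Constructed sample: a half-converted file where the token authority already
# points at Azure China but the token resource and Event Hub namespace do not.
SAMPLE = """\
AUTHORITY = "https://login.chinacloudapi.cn/{tenant}/oauth2/token"
RESOURCE = "https://management.azure.com/"
url = "https://management.chinacloudapi.cn/subscriptions/{sub}/resources"
namespace = "myhub.servicebus.windows.net"
"""

if __name__ == "__main__":
    for line_no, host, repl in find_global_endpoints(SAMPLE):
        print(f"line {line_no}: {host} -> {repl}")
```

Running `find_global_endpoints` over each `.py` and `.conf` file in an add-on's `bin` and `local` directories lists the lines that still reference the global cloud.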
Hi DavidLi
I didn't realise that after a year you would still reply, thank you so much!
I have tried and failed. When I asked for support, they replied that there is no official support for Azure China. So this issue has not been resolved yet.
To pull China Event Hub data, the Splunk Add-on for Microsoft Cloud Services requires 2 changes:

1st: Edit $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_mscs_rh_azureaccount.py

* Around line 88, we need to add a check for the Azure China region

```python
# Select the msrestazure cloud definition that matches the account class.
if account_class_type == str(AccountClassType.GOVCLOUD_ACCOUNT):
    self.cloud_environment = azure_cloud.AZURE_US_GOV_CLOUD
elif account_class_type == str(AccountClassType.CHINA_ACCOUNT):
    # msrestazure.azure_cloud defines the China cloud as AZURE_CHINA_CLOUD;
    # it has no CHINA_ACCOUNT attribute.
    self.cloud_environment = azure_cloud.AZURE_CHINA_CLOUD
else:
    self.cloud_environment = azure_cloud.AZURE_PUBLIC_CLOUD
```

2nd: To map the event hubs, in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local create "mscs_azure_accounts.conf":

```
[ProvideName]
account_class_type = 3
client_id = ******
client_secret = ******
tenant_id = ******
```
Modifying this line gives an error: self.cloud_environment = azure_cloud.CHINA_ACCOUNT
The py file: from msrestazure import azure_cloud, s
I am also getting an Authentication error -