
Does the Splunk Add-on for Microsoft Cloud Services or the Splunk Add-on for Azure support collecting from Azure China?

Jianming
Explorer

Hi everyone:

Does the Splunk Add-on for Microsoft Cloud Services or the Splunk Add-on for Azure support collecting from Azure China?

1. Splunk Add-on for Azure  

     I created a new account and created a new input,

    but the log reports an error:

    cat ta_ms_aad_azure_virtual_network.log
2023-06-14 10:32:07,118 INFO pid=4938 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO
2023-06-14 10:32:07,118 INFO pid=4938 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2023-06-14 10:32:08,558 ERROR pid=4938 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/azure_virtual_network.py", line 212, in collect_events
raise RuntimeError("Unable to obtain access token. Please check the Client ID, Client Secret, and Tenant ID")
RuntimeError: Unable to obtain access token. Please check the Client ID, Client Secret, and Tenant ID

 

2.  Splunk Add-on for Microsoft Cloud Services 

       When I created the Azure app account, it reported: Account authentication failed. Please check your credentials and try again

Does anyone know whether the two add-ons support Azure China or not?

 

thanks 

 

0 Karma
DavidLi
New Member

I have asked ChatGPT. The answer is as below. So I don't think there is an easy way, like modifying a conf file, that can resolve this issue.

As of the latest available information, there are no widely recognized third-party solutions or community-contributed add-ons specifically tailored for Splunk to collect logs from Azure China. Most existing add-ons, including the official *Splunk Add-on for Microsoft Cloud Services*, are designed for the global Azure environment and may require customization to work with Azure China.

### Options and Workarounds:

1. **Customization of Existing Add-ons**:
- You can manually modify the Splunk Add-on for Microsoft Cloud Services to point to the Azure China endpoints by editing the configuration files directly. This is the most common workaround but requires technical know-how to ensure compatibility and proper data collection.

2. **Custom Scripts**:
- If modifying existing add-ons is too complex or not feasible, you can create custom scripts using Azure SDKs (like Python SDK) to pull data from Azure China and forward it to Splunk using the HTTP Event Collector (HEC).

3. **Using REST API**:
- Another approach is to use the Splunk Add-on for REST APIs to interact directly with Azure China's API endpoints. This method gives you the flexibility to collect any data available via the Azure China REST API.

4. **Community Forums and Contributions**:
- While specific tailored add-ons for Azure China are not available, you may find discussions or shared configurations on the [Splunk Community Forums](https://community.splunk.com/) or other community-driven platforms like GitHub, where users may have shared their custom solutions.

### Keeping Up-to-Date:
It's recommended to regularly check Splunkbase and participate in community discussions to stay updated on any new add-ons or tools that might become available for Azure China.

For more details, you can visit [Splunkbase](https://splunkbase.splunk.com/) and the [Splunk Community](https://community.splunk.com/).

0 Karma

Jianming
Explorer

I have modified the API link of Azure, and replaced all of them with the API URL of Azure China, but I can only collect a part of the data, not all of the data.

0 Karma

Jianming
Explorer

Hi DavidLi

 

I didn't realise that after a year you would still reply, thank you so much!

0 Karma

DavidLi
New Member

I have tried and failed. When I asked for support, they replied that there is no official support for Azure China. So this issue has not been resolved yet.

0 Karma

tarungupta0311
Explorer

To pull China Event Hub data, the Splunk Add-on for Microsoft Cloud Services requires 2 changes:
1st: Edit $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_mscs_rh_azureaccount.py
* Around line 88, we need to add a check for the Azure China region

    if account_class_type == str(AccountClassType.GOVCLOUD_ACCOUNT):
        self.cloud_environment = azure_cloud.AZURE_US_GOV_CLOUD
    elif account_class_type == str(AccountClassType.CHINA_ACCOUNT):
        self.cloud_environment = azure_cloud.CHINA_ACCOUNT
    else:
        self.cloud_environment = azure_cloud.AZURE_PUBLIC_CLOUD

2nd: To map the event hubs, in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local
create “mscs_azure_accounts.conf”:

[ProvideName]
account_class_type = 3
client_id = ******
client_secret = ******
tenant_id = ******

0 Karma

Jianming
Explorer

This modification gives an error: self.cloud_environment = azure_cloud.CHINA_ACCOUNT

The py file has: from msrestazure import azure_cloud (screenshot: WeChat Image_20230717094716.png)

So this is correct: self.cloud_environment = azure_cloud.AZURE_CHINA_CLOUD

But there is still an error when configuring inputs such as Azure resource. The log report:
(screenshot: WeChat Image_20230717095051.png)
The API link still uses azure_public_cloud.
0 Karma
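
Added example, not part of any post in this thread and not code from either add-on: a small scanner that lists files in an add-on directory that still reference public-cloud Azure hosts, which is the symptom described above (some inputs work, others still call the public endpoints). The host mapping reflects the commonly documented Azure China endpoints and is an assumption about which hosts matter; the file names in the demo are constructed.

```python
import re
import tempfile
from pathlib import Path

# Public-cloud host -> Azure China counterpart (assumed list; extend as needed).
PUBLIC_TO_CHINA = {
    "login.microsoftonline.com": "login.chinacloudapi.cn",
    "management.azure.com": "management.chinacloudapi.cn",
    "graph.microsoft.com": "microsoftgraph.chinacloudapi.cn",
    "servicebus.windows.net": "servicebus.chinacloudapi.cn",
    "core.windows.net": "core.chinacloudapi.cn",
}
HOST_RE = re.compile("|".join(re.escape(h) for h in PUBLIC_TO_CHINA))
SCANNED_SUFFIXES = {".py", ".conf", ".json"}


def find_public_endpoints(app_dir):
    """Return (relative_path, line_no, public_host, china_host) for every hit."""
    hits = []
    root = Path(app_dir)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in HOST_RE.finditer(line):
                host = match.group(0)
                rel = path.relative_to(root).as_posix()
                hits.append((rel, line_no, host, PUBLIC_TO_CHINA[host]))
    return hits


def demo():
    """Scan a constructed two-file tree standing in for a partly edited add-on."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp, "bin")
        bin_dir.mkdir()
        (bin_dir / "auth.py").write_text(
            'AUTHORITY = "https://login.chinacloudapi.cn/"\n'   # already switched
            'ARM = "https://management.azure.com/"\n')          # still public
        (bin_dir / "inputs.py").write_text(
            'url = "https://graph.microsoft.com/v1.0/auditLogs/signIns"\n')
        return find_public_endpoints(tmp)


if __name__ == "__main__":
    for rel, line_no, host, china in demo():
        print(f"{rel}:{line_no}: {host} -> expected {china}")
```

To check a real installation, call find_public_endpoints() with the add-on's directory under $SPLUNK_HOME/etc/apps; endpoints built at runtime from an SDK cloud object will not show up in a text scan.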

tarungupta0311
Explorer

I am also getting an Authentication error - 

 

tarungupta0311_0-1689746402785.png

 

0 Karma