All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Microsoft Azure Add on, Event Hub input - support for RHEL 7

nickmdps
Engager
‎07-09-2020 08:11 PM

We need to pull events into Splunk from an Azure Event Hub, and the "Microsoft Azure Add on" looks to be the best option.

Our organisational policy restricts us to RHEL (i.e. Ubuntu or other distros are not an option) so I intend to install the add-on on a Heavy Forwarder running on RHEL 7.8.

As we are still running Splunk v7.2.5.1 I will be installing v2.1.1 of the add-on, however I note that the README for that version indicates that only Ubuntu or Darwin are supported for the Event Hub input for this version of the add-on i.e:

Platforms: Unbuntu or Darwin for Event Hubs. All other inputs are platform independent

However, in other related issues it looks like the add-on has run successfully for the event hub input on RHEL as late as 7.7 as noted by @jconger  in Microsoft Azure Add-on for Splunk (TA-MS-AAD) Version 2.0.0 - No Event Hub Data Ingesting.

So two questions:

  1. Will this work i.e. will I be able to pull events from an Azure Event hub using this blend of versions and distros?
  2. What issues/errors should I expect (if any)?

Thanks.

 

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎07-10-2020 09:40 AM

To answer your questions directly:

  1. The add-on will work on RHEL.  I'll get the README updated.
  2. The 2 main issues I've seen are:
    1. Specifying a namespace instead of an Event Hub name in the input.  You need to create one input for each individual hub you want to ingest.  In other words, use the Event Hub name and NOT the Event Hub Namespace.
    2. Blocked outbound ports.  Event Hubs use AMQP for communication.  You will need ports 5671 and 5672 outbound open.

View solution in original post

Reply
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎07-10-2020 09:40 AM

To answer your questions directly:

  1. The add-on will work on RHEL.  I'll get the README updated.
  2. The 2 main issues I've seen are:
    1. Specifying a namespace instead of an Event Hub name in the input.  You need to create one input for each individual hub you want to ingest.  In other words, use the Event Hub name and NOT the Event Hub Namespace.
    2. Blocked outbound ports.  Event Hubs use AMQP for communication.  You will need ports 5671 and 5672 outbound open.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...