
Microsoft Azure Add on, Event Hub input - support for RHEL 7

nickmdps

We need to pull events into Splunk from an Azure Event Hub, and the "Microsoft Azure Add on" looks to be the best option.

Our organisational policy restricts us to RHEL (i.e. Ubuntu or other distros are not an option) so I intend to install the add-on on a Heavy Forwarder running on RHEL 7.8.

As we are still running Splunk v7.2.5.1, I will be installing v2.1.1 of the add-on; however, I note that the README for that version indicates that only Ubuntu or Darwin are supported for the Event Hub input for this version of the add-on, i.e.:

Platforms: Ubuntu or Darwin for Event Hubs. All other inputs are platform independent

However, in other related issues it looks like the add-on has run successfully for the Event Hub input on RHEL as late as 7.7, as noted by @jconger in Microsoft Azure Add-on for Splunk (TA-MS-AAD) Version 2.0.0 - No Event Hub Data Ingesting.

So two questions:

  1. Will this work, i.e. will I be able to pull events from an Azure Event Hub using this blend of versions and distros?
  2. What issues/errors should I expect (if any)?

Thanks.


jconger
Splunk Employee

To answer your questions directly:

  1. The add-on will work on RHEL. I'll get the README updated.
  2. The 2 main issues I've seen are:
    1. Specifying a namespace instead of an Event Hub name in the input. You need to create one input for each individual hub you want to ingest. In other words, use the Event Hub name and NOT the Event Hub Namespace.
    2. Blocked outbound ports. Event Hubs use AMQP for communication. You will need ports 5671 and 5672 outbound open.

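As an added example (not code from the add-on or from jconger's post), a small pre-flight check covering both points in the answer: it flags an input value that looks like a namespace rather than a hub name, and probes outbound TCP to 5671 and 5672 on the namespace host from the forwarder. The `.servicebus.windows.net` suffix heuristic, the function names and the injectable `connect` parameter are assumptions of this example.

```python
# Added example, not part of the Microsoft Azure Add-on: pre-flight check for the two
# pitfalls in the answer above (namespace used as hub name; AMQP ports blocked outbound).
import socket
from typing import Callable, Dict, List

AMQP_PORTS = (5671, 5672)                       # outbound ports the answer says must be open
NAMESPACE_SUFFIX = ".servicebus.windows.net"    # assumption: public Azure namespace FQDN form


def classify_hub_setting(value: str) -> str:
    """Heuristic: 'namespace' if the value looks like a namespace URI/FQDN, else 'hub'."""
    v = value.strip().lower().rstrip("/")
    if v.startswith("sb://") or v.startswith("amqps://"):
        return "namespace"
    if v.endswith(NAMESPACE_SUFFIX) or "servicebus" in v:
        return "namespace"
    return "hub"                                # a bare name such as "security-logs"


def check_amqp_ports(host: str, ports=AMQP_PORTS, timeout: float = 3.0,
                     connect: Callable = socket.create_connection) -> Dict[int, bool]:
    """TCP-connect to each AMQP port on the namespace host; True means reachable.
    `connect` is injectable so the logic can be exercised offline with a fake."""
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            with connect((host, port), timeout=timeout):
                results[port] = True
        except OSError:                         # DNS failure, refused, or timeout
            results[port] = False
    return results


def preflight(hub_setting: str, namespace_host: str,
              connect: Callable = socket.create_connection) -> List[str]:
    """Return the problems found; an empty list means both checks passed."""
    problems: List[str] = []
    if classify_hub_setting(hub_setting) == "namespace":
        problems.append(f"'{hub_setting}' looks like a namespace; use the Event Hub name "
                        "and create one input per hub")
    for port, ok in check_amqp_ports(namespace_host, connect=connect).items():
        if not ok:
            problems.append(f"outbound TCP {namespace_host}:{port} blocked (AMQP needs it)")
    return problems


if __name__ == "__main__":  # constructed placeholder host; replace with your namespace FQDN
    print(preflight("security-logs", "<your-namespace>.servicebus.windows.net"))
```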