All Apps and Add-ons

Microsoft Azure Add on, Event Hub input - support for RHEL 7

nickmdps
Engager

We need to pull events into Splunk from an Azure Event Hub, and the "Microsoft Azure Add on" looks to be the best option.

Our organisational policy restricts us to RHEL (i.e. Ubuntu or other distros are not an option) so I intend to install the add-on on a Heavy Forwarder running on RHEL 7.8.

As we are still running Splunk v7.2.5.1 I will be installing v2.1.1 of the add-on, however I note that the README for that version indicates that only Ubuntu or Darwin are supported for the Event Hub input for this version of the add-on, i.e.:

Platforms: Ubuntu or Darwin for Event Hubs. All other inputs are platform independent

However, in other related issues it looks like the add-on has run successfully for the Event Hub input on RHEL as late as 7.7, as noted by @jconger in "Microsoft Azure Add-on for Splunk (TA-MS-AAD) Version 2.0.0 - No Event Hub Data Ingesting".

So two questions:

  1. Will this work, i.e. will I be able to pull events from an Azure Event Hub using this blend of versions and distros?
  2. What issues/errors should I expect (if any)?

Thanks.

1 Solution

jconger
Splunk Employee

To answer your questions directly:

  1. The add-on will work on RHEL.  I'll get the README updated.
  2. The 2 main issues I've seen are:
    1. Specifying a namespace instead of an Event Hub name in the input.  You need to create one input for each individual hub you want to ingest.  In other words, use the Event Hub name and NOT the Event Hub Namespace.
    2. Blocked outbound ports.  Event Hubs use AMQP for communication.  You will need ports 5671 and 5672 outbound open.

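A pre-flight check for the two failure modes named in the answer above (an Event Hub namespace given where the input wants a hub name, and outbound AMQP ports 5671/5672 blocked from the Heavy Forwarder). This is an added example, not code from the original post or from the add-on; it assumes bash (for `/dev/tcp`) and coreutils `timeout` on the RHEL host, and the namespace and hub names used are constructed values.

```shell
#!/usr/bin/env bash
# Pre-flight checks for an Azure Event Hub input on a RHEL Heavy Forwarder.
# Added example (not part of the Microsoft Azure Add-on). Assumes bash with
# /dev/tcp support and the coreutils `timeout` command.

# Return 0 if the value looks like an Event Hub *name* (what the input wants),
# 1 if it looks like a namespace FQDN or endpoint URI (the mistake from the answer).
is_hub_name() {
  v="$1"
  case "$v" in
    *.servicebus.windows.net*|sb://*) return 1 ;;
  esac
  [ -n "$v" ]
}

# Derive the AMQP endpoint host from a namespace given bare, as an FQDN,
# or as an sb:// URI. Prints e.g. mycompany-hubs.servicebus.windows.net
namespace_host() {
  ns="$1"
  ns="${ns#sb://}"; ns="${ns%%/*}"
  case "$ns" in
    *.servicebus.windows.net) printf '%s\n' "$ns" ;;
    *) printf '%s.servicebus.windows.net\n' "$ns" ;;
  esac
}

# Probe one outbound TCP port; prints open/blocked and returns 0 only if open.
probe_port() {
  host="$1"; port="$2"
  if timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
    echo "open    ${host}:${port}"; return 0
  else
    echo "blocked ${host}:${port}   (AMQP needs this port outbound)"; return 1
  fi
}

# Run both checks for one input. Returns non-zero if anything would break ingestion.
check_event_hub_input() {
  ns="$1"; hub="$2"; rc=0
  if is_hub_name "$hub"; then
    echo "ok      '$hub' looks like a hub name, not a namespace"
  else
    echo "ERROR   '$hub' looks like a namespace; configure the Event Hub name instead"
    rc=1
  fi
  host=$(namespace_host "$ns")
  for p in 5671 5672; do
    probe_port "$host" "$p" || rc=1
  done
  return $rc
}

# Usage (constructed values):
#   EVENTHUB_NAMESPACE=mycompany-hubs EVENTHUB_NAME=insights-operational-logs bash check_eventhub.sh
if [ -n "${EVENTHUB_NAMESPACE:-}" ]; then
  check_event_hub_input "$EVENTHUB_NAMESPACE" "${EVENTHUB_NAME:-}"
fi
```

Run it once per configured input on the Heavy Forwarder itself, since egress filtering is usually host- or segment-specific; a "blocked" line on either port is the firewall case from point 2, and the name check catches the namespace-for-hub mix-up from point 1 before the input is created.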
