Microsoft Azure Add on for Splunk not pulling event_hub data

brianpratt
Engager

I have one instance set up successfully and it's pulling down data. But I have an instance that is not working. I get the following events in ta_ms_aad_azure_event_hub.log:

2020-05-09 04:44:18,079 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:18,912 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:19,548 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:20,655 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:21,757 INFO pid=7997 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2020-05-09 04:44:21,758 INFO pid=7997 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2020-05-09 04:44:21,758 INFO pid=7997 tid=MainThread file=client_abstract.py:__init__:161 | u'eventhub.pysdk-008cb880': Created the Event Hub client
2020-05-09 04:44:21,762 INFO pid=7997 tid=MainThread file=connection.py:_state_changed:177 | Connection '6d677b52-1575-4388-9bbf-dc0f791dcf08' state changed from to
2020-05-09 04:44:21,921 INFO pid=7997 tid=MainThread file=connection.py:_state_changed:177 | Connection '6d677b52-1575-4388-9bbf-dc0f791dcf08' state changed from to
2020-05-09 04:44:21,943 INFO pid=7997 tid=MainThread file=connection.py:work:259 | 'Closing tlsio from a state other than TLSIO_STATE_EXT_OPEN or TLSIO_STATE_EXT_ERROR'

I see from other posts this is often a wrong primary or secondary key but I'm using the copy to clipboard icon under RootManageSharedAccessKey and pasting into the connection string field. I've tried both primary and secondary many times. For the eventhub, I've gone to the namespace, clicked eventhubs under entities and copied my only configured eventhub. I believe I've used the same process as the input that's working.

Comparing tcpdump between the 2 connections, I see traffic both ways on port 5671. But at the point the one stops, the successful connection has some kind of TLS exchange... This is part of that packet:

Washington1.0...U....Redmond1.0...U.
..Microsoft Corporation1.0...U....Microsoft IT1.0...U....Microsoft IT TLS CA 40... Ehttp://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%204.crt0"..+.....0...http://ocsp.msocsp.com

So I'm using Microsoft Azure Add on for Splunk version 2.02 (I've tried 2.10 as well)
I'm using Splunk Enterprise Version 7.1.7 (also tried Splunk 7.3.5)

Any suggestions on what I can check or do to fix this? Thank you.

1 Solution

jconger
Splunk Employee

It sounds like it could be the connection string or blocked outbound ports. The Event Hub input uses AMQP which will require ports 5671 and 5672 outbound.

For the connection string, make sure you are copying the connection string from the portal and not just the key:

(screenshot of the portal's connection string field, not reproduced here)

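A small diagnostic, added here as an example (it is not part of the add-on or of this answer), that separates the two failure modes named above: it checks whether the pasted value is a full connection string (Endpoint, SharedAccessKeyName, SharedAccessKey) or just a bare key, then opens outbound TCP to the namespace host on 5671 and 5672 and completes a TLS handshake on 5671. The field names and the Endpoint=sb://... shape are assumed from the Azure portal's connection string format; the function names are mine.

```python
import socket
import ssl
from urllib.parse import urlparse

# Fields a full Azure "Connection string" carries; a bare SAS key has none of them.
REQUIRED_KEYS = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")
AMQP_PORTS = (5671, 5672)  # AMQP over TLS and plain AMQP; both must be open outbound


def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' into a dict (values may themselves contain '=')."""
    parts = {}
    for item in filter(None, conn_str.strip().strip(";").split(";")):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {item!r}")
        parts[key.strip()] = value.strip()
    return parts


def check_connection_string(conn_str):
    """Return a list of problems; an empty list means the string looks usable."""
    if ";" not in conn_str:  # a bare key pasted instead of the whole string
        return ["looks like a bare SAS key, not a connection string"]
    parts = parse_connection_string(conn_str)
    problems = [f"missing {k}" for k in REQUIRED_KEYS if not parts.get(k)]
    if parts.get("Endpoint") and not parts["Endpoint"].startswith("sb://"):
        problems.append("Endpoint should start with sb://")
    return problems


def namespace_host(conn_str):
    """Hostname from 'Endpoint=sb://<namespace>.servicebus.windows.net/'."""
    return urlparse(parse_connection_string(conn_str)["Endpoint"]).hostname


def probe_amqp_ports(host, timeout=5.0):
    """TCP connect to each AMQP port (plus a TLS handshake on 5671); a timeout
    here usually means an egress firewall. Returns {port: 'ok' or error text}."""
    results = {}
    for port in AMQP_PORTS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                if port == 5671:
                    with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                        pass
            results[port] = "ok"
        except OSError as exc:
            results[port] = f"failed: {exc}"
    return results
```

Run it on the Splunk host that owns the input: call check_connection_string on the configured value first, and only if it returns no problems call probe_amqp_ports(namespace_host(value)); a "timed out" result on either port is the blocked-egress case.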

splunk219783
Path Finder

FWIW I had similar issues that went away after upgrading to the new version that supports 8.0.

I'm assuming this had something to do with the Python migration.

brianpratt
Engager

Security confirmed drops on these ports. Opening up ports 5671/5672 worked... Thanks for the input!!


subbarayudu
New Member

Thanks brianpratt for the inputs. I created the key but it still errors.
