Hello! I have recently installed the Splunk Add-On for Microsoft Cloud Services. The Azure app and Splunk app both have the correct information/permissions to operate (or so I assume, but everything reads green). However, upon seeing no info coming in, I ran across this error trying to solve my issue:
2020-05-05 16:47:46,940 +0000 log_level=ERROR, pid=21087, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=200 | Microsoft Cloudservices Azure Audit task encounter exception
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/data_collection/ta_mod_input.py", line 197, in main
config_cls=configer_cls, log_suffix=log_suffix)
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/data_collection/ta_mod_input.py", line 126, in run
loader = dl.create_data_loader(meta_config)
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktaucclib/data_collection/ta_data_loader.py", line 164, in create_data_loader
import splunktalib.event_writer as ew
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/splunktalib/event_writer.py", line 2, in
standard_library.install_aliases()
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/future/standard_library/__init__.py", line 485, in install_aliases
import test
File "/opt/splunk/etc/apps/SA-ldapsearch/bin/test.py", line 21, in
splunkAdmin = raw_input("Enter Splunk Admin: ")
EOFError: EOF when reading a line
I did end up looking through the Python code and, in fact, the SA-LDAPSearch app has a test.py file that grabs Admin session info on the CLI.
My main immediate question is: How do I fix this error?
Secondary question out of curiosity: Why do they do this?
I appreciate any assistance! By the way, we are on Splunk Enterprise 7.2.6.
EDIT: I should add, at no point during the installation of this app does it ask for these credentials. I installed the app both from a user with admin rights and the admin account in the GUI.
EDIT 2: Some more information... the line below the event, which includes host, source, and sourcetype, also includes a "splunk_server" line that seems to only include the indexers. Would that just mean it's pulling the event from there? Or is that where the event is happening?
Sorry for so many edits, I am just posting as I notice things.