Splunk Connect for Zoom

Vijeta
Influencer

Is anyone able to pull logs using Splunk Connect for Zoom? I have installed the app and configured it as per the documentation, and have also created a webhook-only app in Zoom and subscribed the events for the Splunk endpoint. I still cannot see anything in my index. Please let me know if it is working for you.

0 Karma
1 Solution

Vijeta
Influencer

Splunk Connect for Zoom had a bug which creates a password.conf file in your search app, causing errors for reading password in logs. We opened a ticket with Splunk and they are working on a fix; an updated version shall soon be released. Hence closing this thread.

0 Karma

lim2
Communicator

Hi @Vijeta, could you or someone advise what the fix was? Still seeing Splunk Connect for Zoom Version 1.0.1 April 23, 2020.

Does anyone have to allow Zoom events traffic from https://marketplace.zoom.us/user/logs to be sent to one's internal Splunk HF running Splunk Connect for Zoom listening on 4443?

Thanks

0 Karma

Vijeta
Influencer

Hi @lim2 

The issue I was seeing was that, when configuring Data inputs for Zoom on the Splunk Heavy Forwarder UI, it was creating a passwords.conf file in the et/apps/search folder instead of the Zoom app. After raising the ticket with Splunk, they provided an updated Python script to be used in the Zoom app instead of the previous one. After the update, the issue related to file creation in the search app was not there, but I am still getting a 500 error from the Zoom webhook. This can be seen in marketplace.zoom.us under Webhook logs; it shows all the responses but with status code 500, so nothing gets ingested into Splunk. I have opened a ticket with Zoom but haven't received any response. It does not seem to be a Splunk issue any more but may be a firewall issue or something; I am not sure.

I would suggest you open a support ticket with Splunk, and they can provide you the updated Python script or look into your issue.

 

 

pastorlibre
New Member

Hi @Vijeta and @lim2 

I am also seeing error 500 on my Zoom Splunk webhook. Did you get any further on this one? I am not seeing any data ingested. However, I see in the log the password issue but also the following:

 

TcpInputProc - Message rejected. Received unexpected message of size=369296128 bytes from src=3.211.241.114:36520 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

 

These started happening as soon as I opened up the port. Is there a place I should be putting a token key?

0 Karma

lim2
Communicator

Hi @pastorlibre, the Zoom admin pointed the "Event Notification Endpoint URL" to the Splunk server DNS/load balancer running "Splunk Connect for Zoom" on tcp 4443 and, after granting network access to https://marketplace.zoom.us/docs/api-reference/webhook-reference#ip-addresses, started to see series="zoom:webhook" events in metrics.log and sourcetype=zoom:webhook was searchable.

But now from splunkd.log, not seeing the http_500 code or the large +300MB. But seeing lots of:

07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.235.69.93 - - [17/Jul/2020 14:35:45] "POST / HTTP/1.1" 200 -
07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.211.241.118 - - [17/Jul/2020 14:35:45] "POST / HTTP/1.1" 200 -
07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.235.69.92 - - [17/Jul/2020 14:35:46] "POST / HTTP/1.1" 200 -
07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.235.69.93 - - [17/Jul/2020 14:35:46] "POST / HTTP/1.1" 200 -

I will open a case with Splunk support.

0 Karma
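
An added example (not from any poster, and not code from Splunk Connect for Zoom) that triages the two splunkd.log symptoms quoted in the posts above: the TcpInputProc rejection and the ExecProcessor ERROR lines. It assumes the rejected `size` is the peer's first four bytes read as a big-endian integer and that ExecProcessor records a script's stderr at ERROR level; the function names are hypothetical.

```python
import re
import struct

# Constructed sample: the splunkd.log lines quoted in the two posts above.
SAMPLE = [
    'TcpInputProc - Message rejected. Received unexpected message of size=369296128 bytes '
    'from src=3.211.241.114:36520 in streaming mode. Maximum message size allowed=67108864.',
    '07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from '
    '"/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" '
    '3.235.69.93 - - [17/Jul/2020 14:35:45] "POST / HTTP/1.1" 200 -',
]

REJECT = re.compile(r'unexpected message of size=(\d+) bytes from src=([\d.]+):(\d+)')
ACCESS = re.compile(r'ExecProcessor - message from "[^"]*" '
                    r'(\S+) - - \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')
HTTP_VERBS = (b"GET ", b"POST", b"PUT ", b"HEAD", b"OPTI")

def first_bytes(size):
    """Assumption: the reported size is the peer's first four bytes, big-endian."""
    return struct.pack(">I", size)

def guess_protocol(size):
    head = first_bytes(size)
    if head[0] == 0x16 and head[1] == 0x03:   # TLS handshake record, version 3.x
        return "tls-handshake"
    if head in HTTP_VERBS:                    # cleartext HTTP request line
        return "plaintext-http"
    return "unknown"

def triage(line):
    m = REJECT.search(line)
    if m:
        # A non-forwarder client reached a splunktcp listener: check which port
        # the webhook URL, load balancer or firewall rule actually targets.
        return {"kind": "splunktcp-reject", "src": m.group(2),
                "peer_spoke": guess_protocol(int(m.group(1)))}
    m = ACCESS.search(line)
    if m:
        src, verb, path, status = m.groups()
        # ERROR here is only the log level given to stderr; judge by HTTP status.
        return {"kind": "webhook-access", "src": src, "verb": verb,
                "status": int(status), "delivered": status.startswith("2")}
    return {"kind": "other"}

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```

Under that reading, the size 369296128 in the rejection is the bytes 16 03 03 00, the start of a TLS handshake record, which points to HTTPS traffic arriving at a splunktcp port rather than at the app's webhook listener.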

wgawhh5hbnht
Communicator

Is Splunk listening on the port? Use

netstat -an | grep [whatever port you specified]

In zoom you can check the call logs:
https://marketplace.zoom.us/user/logs

0 Karma

shivanshu1593
Builder

Are you seeing any error messages in your splunkd logs for it? They can help you to get to the solution.

Thank you,
Shiv
0 Karma

Vijeta
Influencer

The only WARN message I see is "Socket error from while accessing /services/storage/passwords/..". There is no passwords.conf in this app folder although it gets created under search app, which I don't understand why.

0 Karma