Splunk Connect for Zoom

Influencer

Is anyone able to pull logs using Splunk Connect for Zoom? I have installed the app and configured it as per the documentation, and have also created a webhook-only app in Zoom and subscribed the events for the Splunk endpoint. I still cannot see anything in my index. Please let me know if it is working for you.

0 Karma
1 Solution

Influencer

Splunk Connect for Zoom had a bug which creates a password.conf file in your search app, causing errors for reading the password in logs. We opened a ticket with Splunk and they are working on a fix; an updated version shall soon be released. Hence closing this thread.

0 Karma

Path Finder

Hi @Vijeta, could you or someone advise what the fix was? I am still seeing Splunk Connect for Zoom Version 1.0.1, April 23, 2020.

Does anyone have to allow Zoom events traffic from https://marketplace.zoom.us/user/logs to be sent to one's internal Splunk HF running Splunk Connect for Zoom listening on 4443?

Thanks

0 Karma

Influencer

Hi @lim2 

The issue which I was seeing is that when configuring Data inputs for Zoom on the Splunk Heavy Forwarder UI, it was creating a passwords.conf file in the etc/apps/search folder instead of the Zoom app. After raising the ticket with Splunk, they provided an updated Python script to be used in the Zoom app instead of the previous one. After the update, the issue related to file creation in the search app was not there, but I am still getting a 500 error from the Zoom webhook. This can be seen in marketplace.zoom.us under Webhook logs; it shows all the responses but with status code 500, so nothing gets ingested to Splunk. I have opened a ticket with Zoom but haven't received any response. It does not seem to be a Splunk issue any more but may be a firewall issue or something, not sure.

I would suggest you open a support ticket with Splunk, and they can provide you the updated Python script or look into your issue.

New Member

Hi @Vijeta and @lim2 

I am also seeing error 500 on my Zoom Splunk webhook. Did you get any further on this one? I am not seeing any data ingested. However, I see the password issue in the log, but also the following:

TcpInputProc - Message rejected. Received unexpected message of size=369296128 bytes from src=3.211.241.114:36520 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

These started happening as soon as I opened up the port. Is there a place I should be putting a token key?

0 Karma
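
Added example, not part of the original thread and not Splunk's or Zoom's code: a small decoder for the `size=` value in the TcpInputProc message quoted in the post above. It assumes the reported size is the first four bytes of the incoming connection read as a big-endian integer; the function names and the protocol tables are this example's own.

```python
import re
import struct

# Constructed from the splunkd.log line quoted in the post above.
SAMPLE = ("TcpInputProc - Message rejected. Received unexpected message of "
          "size=369296128 bytes from src=3.211.241.114:36520 in streaming mode. "
          "Maximum message size allowed=67108864.")

SIZE_RE = re.compile(
    r"unexpected message of size=(\d+) bytes from src=([\d.]+):(\d+)")

# TLS record header: 1 byte content type, 2 bytes version, 2 bytes length.
TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# First four bytes of common plaintext HTTP request lines.
HTTP_PREFIXES = (b"GET ", b"POST", b"PUT ", b"HEAD", b"OPTI", b"DELE")


def classify_prefix(prefix: bytes) -> str:
    """Guess which protocol produced these four leading bytes."""
    version = struct.unpack(">H", prefix[1:3])[0]
    if prefix[0] in TLS_TYPES and version in TLS_VERSIONS:
        return (f"TLS record ({TLS_TYPES[prefix[0]]}, "
                f"record version {TLS_VERSIONS[version]})")
    if prefix in HTTP_PREFIXES:
        return f"plaintext HTTP request ({prefix.decode('ascii').strip()})"
    return "unrecognised"


def explain(line: str):
    """Turn a 'Message rejected' log line into source, raw bytes and a guess."""
    m = SIZE_RE.search(line)
    if not m or int(m.group(1)) > 0xFFFFFFFF:
        return None
    size = int(m.group(1))
    prefix = struct.pack(">I", size)  # undo the assumed big-endian read
    return {"src": m.group(2), "size": size,
            "prefix_hex": prefix.hex(), "guess": classify_prefix(prefix)}


if __name__ == "__main__":
    print(explain(SAMPLE))
```

A TLS or HTTP guess means a web client reached a port that splunkd is treating as splunktcp, so the thing to check is which input actually owns the port the webhook URL points at.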

Path Finder

Hi @pastorlibre, the Zoom admin pointed the "Event Notification Endpoint URL" to the Splunk server DNS/load balancer running "Splunk Connect for Zoom" on tcp 4443 and, after granting network access to https://marketplace.zoom.us/docs/api-reference/webhook-reference#ip-addresses, started to see series="zoom:webhook" events in metrics.log and sourcetype=zoom:webhook was searchable.

But now from splunkd.log, not seeing the http_500 code or the large +300MB. But seeing lots of:

07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.235.69.93 - - [17/Jul/2020 14:35:45] "POST / HTTP/1.1" 200 -
07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.211.241.118 - - [17/Jul/2020 14:35:45] "POST / HTTP/1.1" 200 -
07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.235.69.92 - - [17/Jul/2020 14:35:46] "POST / HTTP/1.1" 200 -
07-17-2020 14:35:46.095 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_Connect_zoom/bin/zoom_input.py" 3.235.69.93 - - [17/Jul/2020 14:35:46] "POST / HTTP/1.1" 200 -

I will open a case with Splunk support.

0 Karma

Path Finder

Is Splunk listening on the port? Use

netstat -an | grep [whatever port you specified]

In zoom you can check the call logs:
https://marketplace.zoom.us/user/logs

0 Karma

Contributor

Are you seeing any error messages in your splunkd logs for it? They can help you to get to the solution.

0 Karma

Influencer

The only WARN message I see is "Socket error from while accessing /services/storage/passwords/..". There is no passwords.conf in this app folder although it gets created under search app, which I don't understand why.

0 Karma