
Unable to get event hub creds: unauthorized, invalid issuer

undercd
Explorer

I've configured our Azure and the Azure Monitor Add-on for Splunk per the documentation, but I'm not getting any logs. I checked splunkd.log, and I'm receiving the following error:

08-23-2019 13:49:28.720 -0700 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\TA-Azure_Monitor\bin\azure_activity_log.cmd"" Modular input azure_activity_log:// AzureActivityLogs Error getting event hub creds: StatusCodeError: 401 - {"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/[redactedSubscription/TenantID?]/, https://sts.windows.net/[redactedSubscription/TenantID?]/, https://sts.windows.net/[redactedSubscription/TenantID?]/, found https://sts.windows.net/[redactedMyAzureADTenantID/."}}

I'm assuming the 3 "expected" are either subscription or tenant IDs, but they're not familiar, and I don't see them in our Azure environment anywhere. The "found" is my tenant ID, taken directly from the Azure AD properties page. Any idea how to resolve this, or even where to start, or where else I can look?

0 Karma
1 Solution

undercd
Explorer

This can be resolved by setting the environment in 3 separate files located in %SPLUNK_HOME%/etc/apps/TA-Azure_Monitor/bin/:

azure_environment.py
os.environ['AZURE_ENVIRONMENT'] = "<your_environment>"

For Linux servers, add the following line to the azure_activity_log.sh and azure_diagnostic_logs.sh files:
export AZURE_ENVIRONMENT=<your_environment>

For Windows servers, add the following line to azure_activity_log.cmd and azure_diagnostic_logs.cmd files:
set AZURE_ENVIRONMENT=<your_environment>

The available environments are:
AzureCloud
AzureUSGovernment
AzureChinaCloud
AzureGermanCloud


0 Karma
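As an added diagnostic that is not part of the add-on or of this thread, the checks below resolve a configured AZURE_ENVIRONMENT to its login authority and Key Vault DNS suffix, read the unverified issuer claim from an access token, and parse an AKV10032 message of the shape quoted in the question to show whether the token's tenant is among the issuers the vault accepts. The endpoint table holds well-known Azure values assumed here rather than taken from azure_environment.py; the token and error message are constructed samples with placeholder tenant IDs.

```python
import base64
import json
import re

# Login authority and Key Vault DNS suffix per cloud. Well-known Azure values,
# assumed here; the add-on's azure_environment.py is not shown in the thread.
CLOUDS = {
    "AzureCloud": ("https://login.microsoftonline.com/", ".vault.azure.net"),
    "AzureUSGovernment": ("https://login.microsoftonline.us/", ".vault.usgovcloudapi.net"),
    "AzureChinaCloud": ("https://login.chinacloudapi.cn/", ".vault.azure.cn"),
    "AzureGermanCloud": ("https://login.microsoftonline.de/", ".vault.microsoftazure.de"),
}

def vault_in_environment(environment, vault_url):
    """True when the vault host belongs to the cloud named by AZURE_ENVIRONMENT."""
    host = vault_url.split("//", 1)[-1].split("/", 1)[0].lower()
    return host.endswith(CLOUDS[environment][1])

def token_issuer(jwt):
    """Read the unverified 'iss' claim of an access token (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]

def tenant_id(issuer):
    """Tenant GUID from an 'https://sts.windows.net/<tenant>/' issuer."""
    return issuer.rstrip("/").rsplit("/", 1)[-1]

def parse_akv10032(message):
    """Split an AKV10032 message into (accepted issuers, issuer found in the token)."""
    m = re.search(r"Expected one of (.*?), found (https?://[^\s\"]+/)", message)
    return [e.strip() for e in m.group(1).split(",")], m.group(2)

def issuer_accepted(message):
    """False when the token's tenant is not among the issuers the vault accepts."""
    expected, found = parse_akv10032(message)
    return tenant_id(found) in {tenant_id(e) for e in expected}

# Constructed samples: an unsigned token for a made-up tenant, and an AKV10032
# message in the shape quoted in the question (tenant GUIDs are placeholders).
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN = ".".join([_b64url({"alg": "none"}),
                         _b64url({"iss": f"https://sts.windows.net/{TENANT}/"}), ""])
SAMPLE_ERROR = ("AKV10032: Invalid issuer. Expected one of https://sts.windows.net/aaaa/, "
                f"https://sts.windows.net/bbbb/, found https://sts.windows.net/{TENANT}/.")
```

Run the vault-suffix check against the vault URL the add-on is configured with; a vault whose host does not carry the suffix for the configured cloud is the same cross-cloud mismatch the thread describes.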

undercd
Explorer

I've identified that the issue seems to be a problem with going between the Azure Commercial and Azure US Government clouds. I'm able to replicate the issue in the Azure CLI by leaving the cloud set to the default, and can resolve the error in the Azure CLI by changing to the AzureUSGovernment cloud.

I've been in contact with the primary developer, and he's able to access his govcloud using the app, but I'm still getting the same error, even after setting the environment in the app's files (azure_activity_log.sh and azure_diagnostic_logs.sh).

0 Karma