Why am I unable to configure Microsoft OMS Modular Inputs TA?

Communicator

I'm trying to pull WAF and Server logs from our Azure OMS. The first option we're piloting to accomplish this is using the OMS TA. I downloaded Microsoft OMS Modular Inputs TA and am having trouble configuring/getting it to work. I'm seeing the following errors in splunkd.log. I believe Azure permissions are proper, but that's something that's been configured by the Azure Admins. Anyone know what the errors are?

@jkat54 - Any insight?

05-04-2018 10:18:40.266 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMSInputs\bin\omsinputs.py"" ERRORGet Token request returned http error: 400 and server response: {"error":"unauthorizedclient","errordescription":"AADSTS70001: Application with identifier 'AAAAAAAAAAAAAAAAAA' was not found in the directory BBBBBBBBBBBBBBBBBBBBBB\r\nTrace ID: CCCCCCCCCCCCCCCCCCCCCC\r\nCorrelation ID: DDDDDDDDDDDDDDDDDDDDDD\r\nTimestamp: 2018-05-04 17:18:39Z","errorcodes":[70001],"timestamp":"2018-05-04 17:18:39Z","traceid":"CCCCCCCCCCCCCCCCCCCCCC","correlation_id":"DDDDDDDDDDDDDDDDDDDDDD"}

05-04-2018 10:20:34.145 -0700 WARN HttpListener - Socket error from 127.0.0.1 while accessing /servicesNS/nobody/TA-OMSInputs/TAomsinputssettings/proxy: Winsock error 10054

05-04-2018 10:20:28.897 -0700 INFO ExecProcessor - Removing status item ""C:\Program Files\Splunk\etc\apps\TA-OMSInputs\bin\omsinputs.py" (omsinputs://cslpws_oms) (isModInput=yes)

Many errors such as:

05-04-2018 10:18:39.819 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMSInputs\bin\omsinputs.py"" return client.gettoken(oauthparameters)

05-04-2018 10:18:39.819 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMSInputs\bin\omsinputs.py"" File "C:\Program Files\Splunk\etc\apps\TA-OMSInputs\bin\adal\oauth2client.py", line 281, in get_token

Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?

SplunkTrust

Says you’re unauthorized so permissions aren’t right.

Send this link to the admins:
https://dev.loganalytics.io/documentation/1-Tutorials/ARM-API

Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?

Communicator

Thank you @jkat54, this worked! Well at least partially... I was able to query OMS using the APIs in Postman, but in Splunk, I'm seeing the following errors.

05-18-2018 11:37:33.736 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py"" ERRORlocal variable 'data' referenced before assignment
05-18-2018 11:37:33.221 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py"" UnboundLocalError: local variable 'data' referenced before assignment
05-18-2018 11:37:33.221 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""     for data_value in data["value"]:
05-18-2018 11:37:33.221 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""   File "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\input_module_oms_inputs.py", line 106, in collect_events
05-18-2018 11:37:33.221 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""     input_module.collect_events(self, ew)
05-18-2018 11:37:33.221 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""   File "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py", line 96, in collect_events
05-18-2018 11:37:33.221 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""     self.collect_events(ew)
05-18-2018 11:37:33.221 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""   File "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\ta_oms_inputs\modinput_wrapper\base_modinput.py", line 127, in stream_events
05-18-2018 11:37:33.221 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py"" Traceback (most recent call last):
05-18-2018 11:34:33.802 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py"" ERRORlocal variable 'data' referenced before assignment
05-18-2018 11:34:33.301 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py"" UnboundLocalError: local variable 'data' referenced before assignment
05-18-2018 11:34:33.301 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""     for data_value in data["value"]:
05-18-2018 11:34:33.301 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""   File "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\input_module_oms_inputs.py", line 106, in collect_events
05-18-2018 11:34:33.301 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""     input_module.collect_events(self, ew)
05-18-2018 11:34:33.301 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""   File "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py", line 96, in collect_events
05-18-2018 11:34:33.301 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""     self.collect_events(ew)
05-18-2018 11:34:33.301 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py""   File "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\ta_oms_inputs\modinput_wrapper\base_modinput.py", line 127, in stream_events
05-18-2018 11:34:33.301 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py"" Traceback (most recent call last):
05-18-2018 11:33:34.349 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py"" ERRORlocal variable 'data' referenced before assignment
05-18-2018 11:33:34.349 -0700 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py"" UnboundLocalError: local variable 'data' referenced before assignment

Using Postman to call the Log Analytics API, it required tenantid, clientid (app id), redirecturi (http://localhost:3000/login), resource (https://api.loganalytics.io), clientsecret (app key), and workspace_id. Your app is asking for Resource Group, Workspace ID, Subscription ID, Tenant ID, Application ID, and Application Key. Could this be the difference, or are the errors mentioned above a separate issue?

@jkat54

Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?

SplunkTrust

We found that @dpanych was using a newer query language that isn't supported by the API version that this uses.

We also found we had to add the following to the top of /bin/modularinputoms_inputs.py:

  from splunklib.modularinput import *

The query we were able to get working was "Type=Alert".

Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?

SplunkTrust

api.loganalytics.io is called the direct API.

You access it a bit differently from the Azure API this app uses.

See this documentation for getting the necessary details:

https://dev.loganalytics.io/documentation/1-Tutorials/ARM-API

Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?

Communicator

@jkat54 Are the error messages I mentioned before relevant to the link you posted? Errors seem to be referencing Python initialization problems.

Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?

SplunkTrust

Yes. If you don’t provide the correct access the app fails to pull data and you’ll see this error message.
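
The traceback earlier in the thread ends in `UnboundLocalError` at `for data_value in data["value"]:`, which Python raises when `data` was assigned on only some code paths. As an added illustration (not the TA's source; `FakeResponse`, both collector functions, `UpstreamError` and the sample replies are constructed for this sketch), the block below shows how a denied API call turns into that misleading error, and how surfacing the HTTP status makes the access problem visible in splunkd.log.

```python
# Added illustration; NOT the TA's code. All names and replies are constructed.

class FakeResponse:
    """Stand-in for an HTTP response so the example runs offline."""
    def __init__(self, status, body):
        self.status, self.body = status, body

def collect_events_fragile(response):
    # `data` is bound only on the success path ...
    if response.status == 200:
        data = response.body
    # ... so a non-200 reply reaches this loop with `data` unbound and
    # Python raises UnboundLocalError, hiding the HTTP status and body.
    events = []
    for data_value in data["value"]:
        events.append(data_value)
    return events

class UpstreamError(Exception):
    """Carries the status and server message the operator needs to see."""

def collect_events_hardened(response):
    # Fail early, and say why, before touching the payload.
    if response.status != 200:
        err = response.body.get("error", {}) if isinstance(response.body, dict) else {}
        detail = err.get("message", "no detail")
        raise UpstreamError("HTTP %s from API: %s" % (response.status, detail))
    data = response.body
    if "value" not in data:
        raise UpstreamError("HTTP 200 but no 'value' key; keys=%s" % sorted(data))
    return list(data["value"])

def diagnose(collector, response):
    """Return what a log reader would see: ('ok', events) or (exception name, text)."""
    try:
        return ("ok", collector(response))
    except Exception as exc:
        return (type(exc).__name__, str(exc))

# Constructed sample replies: one denied call, one successful query result.
DENIED = FakeResponse(403, {"error": {"message": "client lacks read access"}})
GOOD = FakeResponse(200, {"value": [{"Type": "Alert"}]})

if __name__ == "__main__":
    for name, fn in (("fragile", collect_events_fragile), ("hardened", collect_events_hardened)):
        print(name, diagnose(fn, DENIED), diagnose(fn, GOOD))
```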

Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?

SplunkTrust

Look at it this way: api.loganalytics.io = endpoints you use if your app resides inside of an Azure region.

The endpoints this app uses are for accessing OMS from outside of Azure. A different token and API is required as such.

Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?

Communicator

@jkat54 I tried using the ARM API with Postman and it worked. I noticed the ARM API doesn't require workspace ID, but it does require workspace name. I tried putting the name into the Splunk Workspace ID field; that didn't work either. Any other suggestions? Access from both APIs seems to work as I'm able to successfully return data with Postman. I don't have direct access to Azure so I've been working with the Admins (which is a PITA).

Re: Why am I unable to configure Microsoft OMS Modular Inputs TA?

SplunkTrust

So have you been able to provide everything my app asks for to the app?

Resource Group, Workspace ID, Subscription ID, Tenant ID, Application ID, and Application Key.
