Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I solve "Listen Claim" issue when getting Event Hub data through Splunk Add-on for Microsoft Cloud Services?

andrewtrobec
Motivator
‎05-27-2021 08:38 AM

Hello!

I am working with version 4.1.3 (latest) of the Splunk Add-on for Microsoft Cloud Services that is installed on Splunk Enterprise 8.0.5.  My objective is to pull data from an Azure Event Hub.  I have configured an Azure App Account as well as an Azure Event Hub input, but when enabled the data does not come through.  Instead I get an unauthorized access error stating that listen claims are required:

2021-05-26 13:40:40,305 level=WARNING pid=15598 tid=Thread-1 logger=uamqp.receiver pos=receiver.py:get_state:270 | LinkDetach("ErrorCodes.UnauthorizedAccess: Unauthorized access. 'Listen' claim(s) are required to perform this operation. Resource: 'sb://<namespace>.servicebus.windows.net/<event_hub_name>/consumergroups/$default/partitions/0'. TrackingId:786bfa2366b4413aa87b20c898f7f316_G38, SystemTracker:gateway5, Timestamp:2021-05-26T13:40:40")

I referred to the troubleshooting section of the manual, but it only says to ensure that all IDs are correct, which I checked and rechecked numerous times.  The correct claims are also configured but I still run into the same issue.  I also found this thread which had the issue, but the resolution does not apply to my case.

How can I get around this issue?

Thank you and best regards,

Andrew

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

splunk219783
Path Finder
‎06-08-2021 09:20 AM

Hey, I just figured this out and wanted to share.


Assuming you're using an Application Registration, this is what worked for me based on this guide:

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-porta...

Go to the Subscription in Azure > Access Control (IAM) > Add Role Assignment > Assign the "Azure Event Hubs Data Receiver" role to your Application.

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

pratik_18
Explorer
‎07-07-2021 04:23 AM

can some one help with this issue, I am also facing the same issue while transitioning from the old add-on to new add-on.

0 Karma
Reply
Solved! Jump to solution
Solution

splunk219783
Path Finder
‎06-08-2021 09:20 AM

Hey, I just figured this out and wanted to share.


Assuming you're using an Application Registration, this is what worked for me based on this guide:

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-porta...

Go to the Subscription in Azure > Access Control (IAM) > Add Role Assignment > Assign the "Azure Event Hubs Data Receiver" role to your Application.

 

Tags (1)
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎06-09-2021 10:13 AM

@splunk219783 Thanks for contributing!  I found the same solution after checking and rechecking.  I now have another problem, but I'm accepting your answer as it is relevant to the question.

Out of curiosity: did your connector start working once you made the role change?  I am now facing a new error:

EventProcessor instance '<ID>' of eventhub '<eventhub name>' partition '0' consumer group '$Default'. An error occurred while receiving. The exception is KeyError('records').

Did you get something similar?

Thanks!

Andrew

Reply
Solved! Jump to solution

pratik_18
Explorer
‎07-07-2021 04:23 AM

can some one help with this issue, I am also facing the same issue while transitioning from the old add-on to new add-on.

0 Karma
Reply
Solved! Jump to solution

akriti
Explorer
‎08-17-2021 08:34 AM

Hi @pratik_18 ,

Were you able to find the solution for the KeyError('records') ? I'm also facing the same issue with the Microsoft Cloud Services Addon.

0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎07-08-2021 11:24 AM

Hey @pratik_18 , if you're facing the same KeyError('records') that I have, there's a new release of the connector that's due by the end of the month.  Should iron out a few bugs...

0 Karma
Reply
Solved! Jump to solution

splunk219783
Path Finder
‎06-09-2021 10:23 AM

Hey Andrew, on one of our subscriptions I did receive an error.  It was different than yours though, it seemed to be because I had the old Azure app and new Cloud services app running at the same time.  When I disabled the old input it began working.

It then worked flawlessly for ~4 more event hub inputs.  I'm honestly not sure what your error would mean.

0 Karma
Reply
Solved! Jump to solution

splunk219783
Path Finder
‎06-08-2021 07:13 AM

I have the exact same issue after transitioning from the Microsoft Azure Add-on for Splunk to Splunk Add-on for Microsoft Cloud Services.

 

The settings have changed slightly, but this worked just fine in the old Azure app.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...