Getting Data In

Issue setting up Microsoft OMS Modular Inputs TA

travis_lelle
Explorer

I'm trying to set up the TA, and have filled out all of the required fields (information taken from an Azure subscription), but we aren't pulling data and are seeing the following error messages:

01-24-2018 14:58:48.386 +0000 ERROR ExecProcessor - message from "python /opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORacquire_token_with_client_credentials() takes exactly 4 arguments (5 given)

2018-01-24 15:00:00,624 ERROR pid=115140 tid=MainThread file=configuration_check.py:run:164 | status="completed" task="confcheck_script_errors" message="msg="A script exited abnormally" input="/opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" stanza="oms_inputs://oms_splunk" status="exited with code 1""

Any help would be appreciated. @jkat54

jkat54
SplunkTrust

This app has been deprecated and a new log analytics app has replaced it. Please give the new app a try:

https://splunkbase.splunk.com/app/4127/

All previously known bugs have been addressed.

0 Karma

jkat54
SplunkTrust

@luke75 Did the upgrade solve your problem?

0 Karma

jkat54
SplunkTrust

Can you please upgrade to the latest version of the app (v1.2) and let me know if the problem is resolved?

https://splunkbase.splunk.com/app/3764

Thanks,
JKat

0 Karma

travis_lelle
Explorer

Looks like I'm still receiving the following error:

03-07-2018 19:32:48.346 +0000 ERROR ExecProcessor - message from "python /opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORGet Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS70001: Application with identifier '*' was not found in the directory a74cd446-d03c-4d05-afea-429e248a5fc4\r\nTrace ID: b8f81f70-b64b-42ad-b497-8237e9e71000\r\nCorrelation ID: f3d3d29d-cb52-4a91-8cb8-fbabdfc75cfb\r\nTimestamp: 2018-03-07 19:32:48Z","error_codes":[70001],"timestamp":"2018-03-07 19:32:48Z","trace_id":"b8f81f70-b64b-42ad-b497-8237e9e71000","correlation_id":"f3d3d29d-cb52-4a91-8cb8-fbabdfc75cfb"}

0 Karma

luke75
Explorer

Hello Travis.

I am not 100% sure whether this is your problem, but from the error message provided it looks like you have used "*" as "Application ID" in the Splunk input properties. This will not work for sure. Application ID and Application Key are used to authorize Splunk in Azure. You have to obtain their values from the properties of the Splunk application you have registered in Azure. Please find the step-by-step guide for registering Splunk in Azure and setting up inputs here: https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html

Regards
Lukas

0 Karma

jkat54
SplunkTrust

I agree with Lukas. This error message is saying you used * as your Application ID. It should be something different.

0 Karma

jkat54
SplunkTrust

Please run this search and let me know the results:

index=_internal sourcetype=splunk_python OR (sourcetype=splunkd AND oms_inputs.py)

0 Karma

jkat54
SplunkTrust

I may have found a bug.

Can you try editing bin/oms_inputs.py lines 140 and 141?

Change:

        inputname = input_name.replace("://","_")
        token_response = context.acquire_token_with_client_credentials('https://management.core.windows.net/', application_id, inputname, application_key)

To:

        token_response = context.acquire_token_with_client_credentials('https://management.core.windows.net/', application_id, application_key)

Then save the oms_inputs.py and see if the error goes away.

0 Karma

luke75
Explorer

It looks like I made some error while modifying the input file, because I see the following in the Splunk log now:

03-01-2018 08:28:51.341 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORlocal variable 'data' referenced before assignment
host = qa-splutil-lx01 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
03-01-2018 08:28:19.588 -0500 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py
host = qa-splutil-lx01 source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd

@jkat54, could you please share the complete input file? Thank you very much for any help or advice!

0 Karma

travis_lelle
Explorer

It looks like we're getting closer. The new error I'm getting is:

03-02-2018 15:41:20.649 +0000 ERROR ExecProcessor - message from "python /opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORGet Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS70001: Application with identifier '*' was not found in the directory a74cd446-d03c-4d05-afea-429e248a5fc4\r\nTrace ID: e68d1ee2-afbd-4e6c-b520-8fa55f020a00\r\nCorrelation ID: 84105cb3-2af7-4d39-9833-5090338c8a08\r\nTimestamp: 2018-03-02 15:41:20Z","error_codes":[70001],"timestamp":"2018-03-02 15:41:20Z","trace_id":"e68d1ee2-afbd-4e6c-b520-8fa55f020a00","correlation_id":"84105cb3-2af7-4d39-9833-5090338c8a08"}

I think the reason may be the asterisks in the Resource Group, Application ID, and Application Key. Can you provide some guidance on what might typically go into these fields? Pardon my lack of knowledge of OMS; I'm just trying to get the data into Splunk for another party.

0 Karma


luke75
Explorer

I have the same problem with the "Microsoft OMS Modular Inputs TA" application.
Here is the error from the Splunk server log:

02-20-2018 11:26:20.015 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" ERRORacquire_token_with_client_credentials() takes exactly 4 arguments (5 given)

Besides that, I only see the following lines when searching for "TA-OMS_Inputs":

02-20-2018 11:25:47.960 -0500 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py

I have reviewed the "Tenant ID", "Application ID" and "Application Key" used in the Splunk input configuration (in both the UI and inputs.conf), and these values seem to be OK - they do not contain spaces or hidden characters.

Is there any way to get a more verbose log, or to find out what exactly the application sends to Azure/OMS?

Any help or suggestion would be appreciated.
Many thanks, @jkat54 and anyone else willing to help!
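
Two things in this thread point at the same diagnostic habit: the AADSTS70001 response that Lukas traced to a literal "*" in the Application ID field, and the question above about getting more out of the log. Both can be handled before the token request is ever made, by checking the stanza values locally and by reading the ExecProcessor lines that splunkd already records. The following is an added example, not code from the TA or from anyone in this thread. The stanza field names (tenant_id, application_id, application_key, resource_group) are assumptions, and the sample log lines are constructed from the messages quoted in the thread with placeholder GUIDs substituted.

```python
import json
import re
import uuid

# Constructed sample lines modelled on the ExecProcessor messages quoted in this
# thread. The directory and trace GUIDs are made-up placeholders.
SAMPLE_LOG = [
    '01-24-2018 14:58:48.386 +0000 ERROR ExecProcessor - message from '
    '"python /opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" '
    'ERRORacquire_token_with_client_credentials() takes exactly 4 arguments (5 given)',
    '03-07-2018 19:32:48.346 +0000 ERROR ExecProcessor - message from '
    '"python /opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py" '
    'ERRORGet Token request returned http error: 400 and server response: '
    '{"error":"unauthorized_client","error_description":"AADSTS70001: Application '
    "with identifier '*' was not found in the directory "
    '00000000-0000-0000-0000-000000000000\\r\\nTrace ID: '
    '11111111-1111-1111-1111-111111111111","error_codes":[70001]}',
    '03-07-2018 19:32:10.000 +0000 INFO ExecProcessor - New scheduled exec process: '
    'python /opt/app/splunk/etc/apps/TA-OMS_Inputs/bin/oms_inputs.py',
]

# The TA prints "ERROR" immediately followed by the message, hence no separator.
EXEC_RE = re.compile(r'ERROR ExecProcessor - message from "(?P<script>[^"]+)" ERROR(?P<msg>.*)$')
AAD_RE = re.compile(r'server response: (?P<body>\{.*\})\s*$')
AADSTS_RE = re.compile(r'(AADSTS\d+)')


def classify_exec_error(line):
    """Return a dict describing an oms_inputs.py error line, or None for other lines."""
    m = EXEC_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    result = {"script": m.group("script"), "kind": "python_exception",
              "message": msg, "error": None, "aadsts": None, "description": None}
    j = AAD_RE.search(msg)
    if j:
        try:
            body = json.loads(j.group("body"))
        except ValueError:
            return result  # not a JSON body; report it as a generic exception
        desc = body.get("error_description", "")
        code = AADSTS_RE.match(desc)
        # The AAD description carries "\r\n"-separated trace lines; keep the first one.
        result.update(kind="aad_error", error=body.get("error"),
                      aadsts=code.group(1) if code else None,
                      description=desc.splitlines()[0] if desc else None)
    return result


def summarize_log(lines):
    """Classify every line; INFO lines and anything not from the TA are skipped."""
    return [r for r in (classify_exec_error(l) for l in lines) if r]


# Hypothetical field names for the input stanza; the TA's real parameter names may differ.
GUID_FIELDS = ("tenant_id", "application_id")


def validate_oms_settings(settings):
    """Return a list of problems with the stanza values; empty when they look sane."""
    problems = []
    for name, value in settings.items():
        v = (value or "").strip()
        if not v or v == "*":
            problems.append(f"{name}: missing or left as the '*' placeholder")
            continue
        if v != value:
            problems.append(f"{name}: has leading or trailing whitespace")
        if name in GUID_FIELDS:
            try:
                uuid.UUID(v)  # tenant and application IDs are GUIDs in Azure AD
            except ValueError:
                problems.append(f"{name}: not a GUID")
    return problems


if __name__ == "__main__":
    for r in summarize_log(SAMPLE_LOG):
        print(r["kind"], r["aadsts"] or "", r["description"] or r["message"])
    print(validate_oms_settings({"tenant_id": "00000000-0000-0000-0000-000000000000",
                                 "application_id": "*", "application_key": "example-secret",
                                 "resource_group": "rg-demo"}))
```

Run against the output of the `index=_internal ... oms_inputs.py` search jkat54 asks for, the classifier separates a script-level fault (the argument-count TypeError, which is a bug in the TA) from an authentication rejection by Azure AD (an AADSTS code, which is a configuration problem on your side), so you know which of the two to chase. The validator is the check that would have caught the "*" before anything was sent to Azure.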

jkat54
SplunkTrust

@travis, please run this search and let me know the results:

index=_internal sourcetype=splunk_python OR (sourcetype=splunkd AND oms_inputs.py)

0 Karma