Getting Data In

Microsoft Log Analytics issue: OAuth2Client:Get Token request failed

Cbr1sg
Path Finder

Hi all,

I'm trying to pull data from an Azure Log Analytics workspace to Splunk. I have installed the Microsoft Log Analytics Add-on (https://splunkbase.splunk.com/app/4127/).

When I checked the log, this is what I see:

2020-06-19 11:23:36,446 INFO pid=85670 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-06-19 11:23:37,263 INFO pid=85670 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-06-19 11:23:38,694 INFO pid=85670 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2020-06-19 11:23:38,694 DEBUG pid=85670 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-ms-loganalytics/storage/collections/config/TA_ms_loganalytics_checkpointer (body: {})
2020-06-19 11:23:38,695 INFO pid=85670 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-06-19 11:23:38,699 DEBUG pid=85670 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-ms-loganalytics/storage/collections/config/TA_ms_loganalytics_checkpointer HTTP/1.1" 200 5632
2020-06-19 11:23:38,699 DEBUG pid=85670 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.005300
2020-06-19 11:23:38,700 DEBUG pid=85670 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-ms-loganalytics/storage/collections/config/ (body: {'offset': 0, 'count': -1, 'search': 'TA_ms_loganalytics_checkpointer'})
2020-06-19 11:23:38,702 DEBUG pid=85670 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-ms-loganalytics/storage/collections/config/?offset=0&count=-1&search=TA_ms_loganalytics_checkpointer HTTP/1.1" 200 4830
2020-06-19 11:23:38,702 DEBUG pid=85670 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.002460
2020-06-19 11:23:38,704 DEBUG pid=85670 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-ms-loganalytics/storage/collections/data/TA_ms_loganalytics_checkpointer/AzureLogAnalytic (body: {})
2020-06-19 11:23:38,706 DEBUG pid=85670 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-ms-loganalytics/storage/collections/data/TA_ms_loganalytics_checkpointer/AzureLogAnalytic HTTP/1.1" 404 140
2020-06-19 11:23:38,708 DEBUG pid=85670 tid=MainThread file=log.py:debug:108 | 16e5bba7-a023-431f-9813-396e814eabc9 - Authority:Performing instance discovery: https://login.microsoftonline.com/0ae51e19-07c8-4e4b-bb6d-648ee58410f4
2020-06-19 11:23:38,708 DEBUG pid=85670 tid=MainThread file=log.py:debug:108 | 16e5bba7-a023-431f-9813-396e814eabc9 - Authority:Performing static instance discovery
2020-06-19 11:23:38,708 DEBUG pid=85670 tid=MainThread file=log.py:debug:108 | 16e5bba7-a023-431f-9813-396e814eabc9 - Authority:Authority validated via static instance discovery
2020-06-19 11:23:38,709 INFO pid=85670 tid=MainThread file=log.py:info:103 | 16e5bba7-a023-431f-9813-396e814eabc9 - TokenRequest:Getting token with client credentials.
2020-06-19 11:23:38,709 DEBUG pid=85670 tid=MainThread file=log.py:debug:108 | 16e5bba7-a023-431f-9813-396e814eabc9 - TokenRequest:No user_id passed for cache query
2020-06-19 11:23:38,709 DEBUG pid=85670 tid=MainThread file=log.py:debug:108 | 16e5bba7-a023-431f-9813-396e814eabc9 - OAuth2Client:finding with query: {"_clientId": "dce1fe27-225d-4615-bcee-d22ff8071a0f"}
2020-06-19 11:23:38,709 DEBUG pid=85670 tid=MainThread file=log.py:debug:108 | 16e5bba7-a023-431f-9813-396e814eabc9 - OAuth2Client:Looking for potential cache entries:
2020-06-19 11:23:38,709 DEBUG pid=85670 tid=MainThread file=log.py:debug:108 | 16e5bba7-a023-431f-9813-396e814eabc9 - OAuth2Client:{"_clientId": "dce1fe27-225d-4615-bcee-d22ff8071a0f"}
2020-06-19 11:23:38,709 DEBUG pid=85670 tid=MainThread file=log.py:debug:108 | 16e5bba7-a023-431f-9813-396e814eabc9 - OAuth2Client:Found 0 potential entries.
2020-06-19 11:23:38,713 DEBUG pid=85670 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): login.microsoftonline.com
2020-06-19 11:23:38,716 INFO pid=85670 tid=MainThread file=log.py:info:103 | 16e5bba7-a023-431f-9813-396e814eabc9 - OAuth2Client:Get Token request failed
2020-06-19 11:23:38,718 ERROR pid=85670 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py", line 96, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/input_module_log_analytics.py", line 49, in collect_events
    token_response = context.acquire_token_with_client_credentials('https://api.loganalytics.us/', application_id, application_key)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/adal/authentication_context.py", line 160, in acquire_token_with_client_credentials
    return self._acquire_token(token_func)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/adal/authentication_context.py", line 109, in _acquire_token
    return token_func(self)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/adal/authentication_context.py", line 158, in token_func
    return token_request.get_token_with_client_credentials(client_secret)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/adal/token_request.py", line 316, in get_token_with_client_credentials
    token = self._oauth_get_token(oauth_parameters)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/adal/token_request.py", line 113, in _oauth_get_token
    return client.get_token(oauth_parameters)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/adal/oauth2_client.py", line 262, in get_token
    verify=self._call_context.get('verify_ssl', None))
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/adapters.py", line 487, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /0ae51e19-07c8-4e4b-bb6d-648ee58410f4/oauth2/token?api-version=1.0 (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f6e3a7aaa10>: Failed to establish a new connection: [Errno -2] Name or service not known',))

Does anyone have any idea how to solve this issue? Thanks

0 Karma
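
Added example, not part of the original thread or the add-on's code: "OAuth2Client:Get Token request failed" is logged for any token failure, so this sketch classifies the final exception line by the stage that failed (proxy, DNS, TCP, TLS, or the OAuth response itself). The names `triage`, `RULES` and `HOST_RE` are hypothetical, and `SAMPLE` is constructed from the last traceback line above with the tenant ID replaced by a placeholder.

```python
import re

# Constructed sample: the last line of the traceback above, with the tenant ID
# replaced by a placeholder and the object repr shortened.
SAMPLE = (
    "ConnectionError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): "
    "Max retries exceeded with url: /<tenant-id>/oauth2/token?api-version=1.0 "
    "(Caused by NewConnectionError('<VerifiedHTTPSConnection object>: Failed to "
    "establish a new connection: [Errno -2] Name or service not known',))"
)

# (stage, regex, what to check on the Splunk host). First match wins, so the
# proxy rule precedes the socket-level rules it can wrap. Hypothetical names.
RULES = [
    ("proxy", r"ProxyError|Cannot connect to proxy",
     "proxy settings used by splunkd and the add-on"),
    ("dns", r"\[Errno -[23]\]|Name or service not known|Temporary failure in name resolution",
     "resolver config (/etc/resolv.conf) and outbound DNS for the host"),
    ("tcp", r"\[Errno 11[01]\]|Connection refused|timed out",
     "egress firewall rules for port 443"),
    ("tls", r"SSLError|CERTIFICATE_VERIFY_FAILED",
     "CA bundle and any TLS-inspecting middlebox"),
    ("oauth", r"AADSTS\d+|invalid_client|unauthorized_client",
     "application ID, key and tenant in the input configuration"),
]

HOST_RE = re.compile(r"host='([^']+)', port=(\d+)")


def triage(log_text):
    """Return the failing stage, target host/port and a check to run."""
    result = {"stage": "unknown", "host": None, "port": None, "check": None}
    m = HOST_RE.search(log_text)
    if m:
        result["host"], result["port"] = m.group(1), int(m.group(2))
    for stage, pattern, check in RULES:
        if re.search(pattern, log_text):
            result["stage"], result["check"] = stage, check
            break
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the line in this thread the stage is `dns`: `[Errno -2] Name or service not known` is a name-resolution failure raised before any request reaches the token endpoint.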

02sangeet
Engager

Hi Team,

I'm also trying to pull data from an Azure Log Analytics workspace to Splunk, but this add-on is not working for me: after downloading, it just shows "loading.." (it looks like it is no longer supported).

Can anyone please suggest a better way to do this integration?

0 Karma

Cbr1sg
Path Finder

At least for me, the problem was solved after I changed the redirect URI to redirectUri="https://localhost"

0 Karma

Cbr1sg
Path Finder

@jkat54 Do you know how to solve it? Thanks

0 Karma

jkat54
SplunkTrust
0 Karma

Cbr1sg
Path Finder

Yes, my app has the redirect URL configured and also permission to Read Log Analytics data as user and access to the Azure Log Analytics workspace as reader.

The only possible issue I can think of is my redirect URL: my local Splunk server is configured as https://<fqdn>:8000

so I use that as the redirect URL from the AAD app setup. Is that correct?

0 Karma