Splunk Azure Storage Account not connecting

LinghGroove
Explorer

Hello,

I'm having trouble connecting a Splunk instance with an Azure Storage Account. After the account was set up, I configured my Splunk instance to connect with the Storage Account using the Splunk Add-on for Microsoft Cloud Services.

When I enter the Account Name and the Account Secret, it gives this error:
(screenshot: App-Err.PNG)
This was configured from "Configuration" > "Azure Storage Account" > "Add".
I have checked the Account Name and the Access Key; they are correct. Looking at the logs, this was the only noticeable error that popped up:

 

log_level=ERROR pid=3270316 tid=MainThread file=storageaccount.py:validate:97 | Error <urllib3.connection.HTTPSConnection object at 0x7e14a4a8e940>: Failed to establish a new connection: [Errno -2] Name or service not known while verifying the credentials: Traceback (most recent call last):

 

Other than this, I saw some HTTP requests with 502 errors in splunkd.log, but I don't know if they are related.
I have checked whether the Splunk machine can reach the Azure resource, and it can. It can also make API calls correctly.
At this point I have no idea what could cause this problem.
Do you guys have any idea what checks I could do to see where the problem is?
Did I miss some configuration? Could it be a problem on the Azure side? If yes, what checks should I do?
(I used the official guide https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/Configurestorageaccount/)

Thanks a lot in advance for your help. 
 

0 Karma

sainag_splunk
Splunk Employee

Hi! It looks like there's an authentication failure on the Azure side. You need to assign the correct permissions to the Azure app.

Before proceeding with configuring https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/ConfigureappinAzureAD, ensure your storage account token (SAS) has the following privileges:

Use either Access key OR Shared Access Signature with:

  • Allowed services: Blob, Table
  • Allowed resource types: Service, Container, Object
  • Allowed permissions: Read, List



Please UpVote if this is helpful.

 
 
0 Karma
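An offline way to check an account SAS token against the privileges listed in the reply above, added here as an example and not taken from the post or from the add-on's code. It assumes the standard Azure account SAS query fields (`ss`, `srt`, `sp`, `se`, `sig`); the function name is hypothetical and both sample tokens are constructed, with a placeholder signature. It inspects the token fields only and does not verify the signature.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Account SAS query fields and the values the reply above asks for.
REQUIRED = {
    "ss": set("bt"),    # signed services: Blob, Table
    "srt": set("sco"),  # signed resource types: Service, Container, Object
    "sp": set("rl"),    # signed permissions: Read, List
}

def check_account_sas(token, now=None):
    """Return a list of problems found in an account SAS token ([] means OK)."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    problems = []
    for key, needed in REQUIRED.items():
        missing = needed - set(fields.get(key, ""))
        if missing:
            problems.append(f"{key} is missing {''.join(sorted(missing))}")
    expiry = fields.get("se")
    if expiry is None:
        problems.append("se (expiry) is absent")
    else:
        # Normalise the trailing "Z" so older Python versions can parse it.
        expires = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if expires.tzinfo is None:  # date-only expiry, treat as UTC midnight
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"token expired at {expiry}")
    if "sig" not in fields:
        problems.append("sig (signature) is absent")
    return problems

# Constructed sample tokens (not real credentials).
GOOD_SAS = ("?sv=2022-11-02&ss=bt&srt=sco&sp=rl"
            "&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
NARROW_SAS = ("sv=2022-11-02&ss=b&srt=co&sp=r"
              "&se=2020-01-01T00:00:00Z&sig=PLACEHOLDER")

if __name__ == "__main__":
    for name, tok in (("GOOD_SAS", GOOD_SAS), ("NARROW_SAS", NARROW_SAS)):
        print(name, check_account_sas(tok) or "OK")
```

Paste the token only on a trusted host, since the string itself grants access to the storage account.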