Hello Community,
I'm currently trying to integrate Azure China logs into Splunk but facing some difficulties. I noticed that the Splunk Azure Add-On only seems to support Azure Government and Global regions. Has anyone managed to successfully add logs from Azure China into Splunk using this or another method? I'd appreciate any guidance or resources that you could provide on this topic.
Thank you.
@alikorit - In the last month I have spent countless hours troubleshooting this with our Azure Architects, Splunk Support, Splunk CSM Engineers, Network Engineers and Azure China Engineers after we were receiving an Authentication Error for the event hubs (_ssl:1106). Nothing that we did seemed to help get this up and running, and everyone was pointing fingers back at the networking team, stating this was a networking issue due to not being able to see any traffic within or to the Azure Platform. It wasn't until recently that I was able to find the python scripts below and make the modifications that we started seeing activity both ways, along with events coming into our Cloud environment.
Before moving forward, make sure you have made the following changes to your firewall:
Allowed NameSpace traffic.
Open the ports for AMQP traffic (5671 & 5672).
Add the Application rule to allow AAD Traffic (https://login.partner.microsoftonline.cn)
As @tarungupta0311 mentioned, those two changes do have to be made. However, if you are also trying to attach a storage account, then you also need to change the account class type to 3 there as well. You don't necessarily have to have an account secret set up; however, I did, with it being an Access Token, which is secret type 1.
[Storage Account]
account_name = ******
account_secret = ******
account_secret_type = 1
account_class_type = 3
Other python scripts that I had to modify to get it working are as follows, along with the change and the line number:
mscs_const.py
Added at line 111 (this was completely missing):
CHINACLOUD_HOSTNAME = "management.chinacloudapi.cn"
mscs_storage_service.py
edited line 236 (.net will take you nowhere when trying to resolve the DNS, considering it's in China)
from: endpoint_suffix = "core.chinacloudapi.net"
to: endpoint_suffix = "core.chinacloudapi.cn"
mscs_azure_event_hub.py
(this was switched around, class type 3 being Germany NOT China)
edited line 681
from: 4: KnownAuthorities.Azure_CHINA
to: 4: KnownAuthorities.Azure_GERMANY
edited line 682
from: 3: KnownAuthorities.Azure_GERMANY
to: 3: KnownAuthorities.Azure_CHINA
Once I made the last change and restarted splunkd on the HF, data was flowing like a floodgate had been opened.
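The pitfalls in the post above (the wrong account_class_type, a ".net" suffix where Azure China uses ".cn", a stray trailing blank inside an endpoint string, and the AAD host plus AMQP ports the firewall has to allow) can all be caught before restarting splunkd. The script below is an added example, not part of the Splunk add-on or of the poster's scripts. It assumes the class-type numbering 3 = China and 4 = Germany from the post; 1 = public and 2 = US Government are assumed, and the stanza fields `endpoint_suffix` and `event_hub_namespace` are placeholders rather than the add-on's real field names. The sample .conf text is constructed.

```python
"""Preflight consistency check for Azure sovereign-cloud endpoints in Splunk
add-on stanzas. Added example for this thread; not part of the add-on.
Field names `endpoint_suffix` and `event_hub_namespace` are placeholders."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudEnv:
    name: str
    aad_host: str         # Azure AD authority the add-on must reach for a token
    management_host: str  # Azure Resource Manager host
    storage_suffix: str   # storage account endpoint suffix
    eventhub_suffix: str  # Event Hubs namespace suffix (AMQP 5671/5672)

    def suffixes(self):
        return (self.aad_host, self.management_host, self.storage_suffix, self.eventhub_suffix)


# account_class_type -> environment. 3 = China and 4 = Germany follow the
# thread; 1 = public and 2 = US Government are ASSUMED numbering.
CLOUDS = {
    "1": CloudEnv("AzureCloud", "login.microsoftonline.com", "management.azure.com",
                  "core.windows.net", "servicebus.windows.net"),
    "2": CloudEnv("AzureUSGovernment", "login.microsoftonline.us",
                  "management.usgovcloudapi.net", "core.usgovcloudapi.net",
                  "servicebus.usgovcloudapi.net"),
    "3": CloudEnv("AzureChinaCloud", "login.partner.microsoftonline.cn",
                  "management.chinacloudapi.cn", "core.chinacloudapi.cn",
                  "servicebus.chinacloudapi.cn"),
    "4": CloudEnv("AzureGermanCloud", "login.microsoftonline.de",
                  "management.microsoftazure.de", "core.cloudapi.de",
                  "servicebus.cloudapi.de"),
}

# Optional scheme (https://, sb://), then a dotted host, then optional port/path.
HOST_RE = re.compile(r"^(?:[a-z]+://)?([a-z0-9.-]+\.[a-z]{2,})(?:[:/].*)?$", re.I)


def _belongs_to(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def parse_conf(text):
    """Tiny .conf reader that keeps raw values, so trailing blanks stay visible."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = raw.partition("=")
            stanzas[current][key.strip()] = value.lstrip()
    return stanzas


def check_stanza(name, fields):
    """Return human-readable findings for one stanza (empty list == consistent)."""
    findings = []
    class_type = fields.get("account_class_type", "").strip()
    env = CLOUDS.get(class_type)
    if env is None:
        findings.append(f"[{name}] account_class_type={class_type!r} is not a known cloud")
        return findings
    for key, value in fields.items():
        if value != value.rstrip():
            findings.append(f"[{name}] {key} has trailing whitespace; the name will not resolve")
        m = HOST_RE.match(value.strip())
        if not m:
            continue  # GUIDs, secrets, plain account names: nothing to check
        host = m.group(1).lower()
        if any(_belongs_to(host, s) for s in env.suffixes()):
            continue
        owners = [e.name for e in CLOUDS.values()
                  if any(_belongs_to(host, s) for s in e.suffixes())]
        if owners:
            findings.append(f"[{name}] {key}={host} belongs to {owners[0]}, "
                            f"but account_class_type={class_type} selects {env.name}")
        else:
            findings.append(f"[{name}] {key}={host} matches no endpoint of {env.name}")
    return findings


def check_conf(text):
    return [f for name, fields in parse_conf(text).items() for f in check_stanza(name, fields)]


def egress_rules(class_type, namespace_hosts=()):
    """Firewall allow-list for the chosen cloud: AAD and ARM over 443, AMQP to each namespace."""
    env = CLOUDS[class_type]
    rules = [(env.aad_host, 443), (env.management_host, 443)]
    for host in namespace_hosts:
        rules += [(host, 5671), (host, 5672)]
    return rules


# Constructed sample, not a real deployment.
SAMPLE_CONF = "\n".join([
    "[china-broken]",
    "account_class_type = 3",
    "endpoint_suffix = core.chinacloudapi.net" + " ",  # wrong TLD plus a trailing blank
    "event_hub_namespace = sb://logs-ns.servicebus.windows.net/",  # public-cloud host
    "",
    "[china-ok]",
    "account_class_type = 3",
    "endpoint_suffix = core.chinacloudapi.cn",
    "event_hub_namespace = logs-ns.servicebus.chinacloudapi.cn",
])

if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print(finding)
    print(egress_rules("3", ["logs-ns.servicebus.chinacloudapi.cn"]))
```

Run it against the real stanzas under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local before restarting splunkd; the `china-broken` stanza produces three findings and `china-ok` none, and `egress_rules` gives the network team the exact host/port pairs to allow.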
I tried the below configuration, but it did not help. Can you suggest what could be the reason for it?
For Event hubs
To pull China Event Hub data, the Splunk Add-on for Microsoft Cloud Services requires 2 changes:
1st: Edit $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_mscs_rh_azureaccount.py
* Around line 88, we need to add a check for the Azure China region:
if account_class_type == str(AccountClassType.GOVCLOUD_ACCOUNT):
    self.cloud_environment = azure_cloud.AZURE_US_GOV_CLOUD
elif account_class_type == str(AccountClassType.CHINA_ACCOUNT):
    # Assuming azure_cloud is msrestazure.azure_cloud (which is where
    # AZURE_PUBLIC_CLOUD and AZURE_US_GOV_CLOUD come from), the China
    # environment is AZURE_CHINA_CLOUD; azure_cloud.CHINA_ACCOUNT does not
    # exist there and raises AttributeError.
    self.cloud_environment = azure_cloud.AZURE_CHINA_CLOUD
else:
    self.cloud_environment = azure_cloud.AZURE_PUBLIC_CLOUD
2nd: To map the event hubs, create "mscs_azure_accounts.conf" in $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local:
[ProvideName]
account_class_type = 3
client_id = ******
client_secret = ******
tenant_id = ******