Splunk Enterprise

Can I integrate Azure China logs into Splunk using Addon?

alikorit
Loves-to-Learn Lots

Hello Community,

I'm currently trying to integrate Azure China logs into Splunk but facing some difficulties. I noticed that the Splunk Azure Add-On only seems to support Azure Government and Global regions. Has anyone managed to successfully add logs from Azure China into Splunk using this or another method? I'd appreciate any guidance or resources that you could provide on this topic.
Thank you.


CyberSplunker18
Engager

@alikorit - In the last month I have spent countless hours troubleshooting this with our Azure Architects, Splunk Support, Splunk CSM Engineers, Network Engineers and Azure China Engineers after we were receiving an Authentication Error for the event hubs (_ssl:1106). Nothing that we did seemed to help get this up and running, and everyone was pointing fingers back at the networking team, stating this was a networking issue due to not being able to see any traffic within or to the Azure Platform. It wasn't until recently that I was able to find the python scripts below and make the modifications that we started seeing activity both ways, along with events coming into our Cloud environment.

Before moving forward, make sure you have made the following changes to your firewall:

Allow namespace traffic.
Open the ports for AMQP traffic (5671 & 5672).
Add the application rule to allow AAD traffic (https://login.partner.microsoftonline.cn).


As @tarungupta0311 mentioned, those two changes do have to be made. However, if you are also trying to attach a storage account, then you also need to change the account class type to 3 there as well. You don't necessarily have to have an account secret set up; however, I did, with it being an Access Token, which is secret type 1.

[Storage Account]
account_name =  ******
account_secret = ******
account_secret_type = 1
account_class_type = 3

Other python scripts that I had to modify to get it working are as follows along with the change and string line:

mscs_const.py
Added at line 111 (this was completely missing):

CHINACLOUD_HOSTNAME = "management.chinacloudapi.cn"

mscs_storage_service.py
Edited line 236 (.net will take you nowhere when trying to resolve the DNS, considering it's in China):

from: endpoint_suffix = "core.chinacloudapi.net"
to:   endpoint_suffix = "core.chinacloudapi.cn"

mscs_azure_event_hub.py
(this was switched around, class type 3 being Germany NOT China)

Edited line 681
from: 4: KnownAuthorities.Azure_CHINA
to:   4: KnownAuthorities.Azure_GERMANY

Edited line 682
from: 3: KnownAuthorities.Azure_GERMANY
to:   3: KnownAuthorities.Azure_CHINA

Once I made the last change and rebooted splunkd on the HF, data was flowing like a floodgate had been opened.

Divya6
New Member

I tried the below configuration, but it did not help. Can you suggest what could be the reason for it?


tarungupta0311
Explorer

For Event Hubs

To pull China Event Hub data, the Splunk Add-on for Microsoft Cloud Services requires two changes:

1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunk_ta_mscs_rh_azureaccount.py
   Around line 88, we need to add a check for the Azure China region:

# Pick the cloud environment from the numeric account_class_type in the stanza.
if account_class_type == str(AccountClassType.GOVCLOUD_ACCOUNT):
    self.cloud_environment = azure_cloud.AZURE_US_GOV_CLOUD
elif account_class_type == str(AccountClassType.CHINA_ACCOUNT):
    # The azure_cloud module's China constant; CHINA_ACCOUNT is only the
    # AccountClassType enum value, not a cloud environment.
    self.cloud_environment = azure_cloud.AZURE_CHINA_CLOUD
else:
    self.cloud_environment = azure_cloud.AZURE_PUBLIC_CLOUD

2. To map the event hubs, create "mscs_azure_accounts.conf" under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local:

[ProvideName]
account_class_type = 3
client_id = ******
client_secret = ******
tenant_id = ******
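Putting the two answers together, here is an added example (not code from the Splunk add-on or from either poster) that models the account_class_type to cloud environment mapping both answers patch by hand, resolves the China endpoints named in this thread, validates an mscs_azure_accounts.conf stanza, and lists the firewall targets from the checklist. Class types 3 (China) and 4 (Germany) follow the corrected order in the thread; class types 1 (public) and 2 (US Government), the servicebus suffixes and the sample stanza are assumptions constructed for the example. The hostname check catches the two defects seen above: a stray space inside the endpoint string and a suffix under the wrong top-level domain.

```python
"""Added example, not add-on or poster code: class type -> cloud environment
mapping, endpoint validation and firewall targets for an Azure China account."""
import configparser
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudEnvironment:
    name: str
    aad_authority: str      # token endpoint the add-on authenticates against
    management_host: str    # Azure Resource Manager host (CHINACLOUD_HOSTNAME)
    storage_suffix: str     # endpoint_suffix used for storage accounts
    servicebus_suffix: str  # Event Hub namespaces live under this suffix


AZURE_PUBLIC_CLOUD = CloudEnvironment(
    "AzureCloud", "https://login.microsoftonline.com",
    "management.azure.com", "core.windows.net", "servicebus.windows.net")
AZURE_US_GOV_CLOUD = CloudEnvironment(
    "AzureUSGovernment", "https://login.microsoftonline.us",
    "management.usgovcloudapi.net", "core.usgovcloudapi.net",
    "servicebus.usgovcloudapi.net")
AZURE_CHINA_CLOUD = CloudEnvironment(
    "AzureChinaCloud", "https://login.partner.microsoftonline.cn",
    "management.chinacloudapi.cn", "core.chinacloudapi.cn",
    "servicebus.chinacloudapi.cn")
AZURE_GERMAN_CLOUD = CloudEnvironment(
    "AzureGermanCloud", "https://login.microsoftonline.de",
    "management.microsoftazure.de", "core.cloudapi.de", "servicebus.cloudapi.de")

# account_class_type values as written in mscs_azure_accounts.conf.
CLASS_TYPE_TO_CLOUD = {
    "1": AZURE_PUBLIC_CLOUD,  # assumed numbering
    "2": AZURE_US_GOV_CLOUD,  # assumed numbering
    "3": AZURE_CHINA_CLOUD,   # from the thread, after the swap fix
    "4": AZURE_GERMAN_CLOUD,  # from the thread, after the swap fix
}
AMQP_PORTS = (5671, 5672)  # Event Hub AMQP ports from the firewall checklist
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def _host_of(url):
    """Strip the scheme and trailing slash from an authority URL."""
    return url.split("://", 1)[-1].rstrip("/")


def resolve_cloud(account_class_type):
    """Map an account_class_type (int or str) to its cloud environment."""
    key = str(account_class_type).strip()
    if key not in CLASS_TYPE_TO_CLOUD:
        raise ValueError(f"unknown account_class_type {account_class_type!r}")
    return CLASS_TYPE_TO_CLOUD[key]


def check_hostname(host, expected_tld=None):
    """Return a list of problems with a hostname; an empty list means it is sane."""
    problems = []
    if host != host.strip():  # e.g. "core.chinacloudapi.cn " from the thread
        problems.append(f"whitespace inside hostname {host!r}")
        host = host.strip()
    if not HOSTNAME_RE.match(host):
        problems.append(f"not a valid hostname: {host!r}")
    elif expected_tld and not host.endswith("." + expected_tld):
        problems.append(f"{host!r} does not end in .{expected_tld}")
    return problems


def validate_environment(env):
    """Check every endpoint of an environment; China endpoints must be under .cn."""
    tld = "cn" if env is AZURE_CHINA_CLOUD else None
    problems = check_hostname(_host_of(env.aad_authority), tld)
    for field in ("management_host", "storage_suffix", "servicebus_suffix"):
        problems += check_hostname(getattr(env, field), tld)
    return problems


def load_account_stanza(conf_text, stanza):
    """Parse one mscs_azure_accounts.conf stanza and return its cloud environment."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    if stanza not in parser:
        raise ValueError(f"stanza [{stanza}] not found")
    section = parser[stanza]
    for key in ("client_id", "client_secret", "tenant_id"):
        if not section.get(key, "").strip():
            raise ValueError(f"[{stanza}] is missing {key}")
    env = resolve_cloud(section.get("account_class_type", "1"))
    problems = validate_environment(env)
    if problems:
        raise ValueError(f"[{stanza}] endpoint problems: {problems}")
    return env


def firewall_allowlist(env, namespace):
    """(host, port) pairs a heavy forwarder needs for one Event Hub namespace."""
    targets = [(_host_of(env.aad_authority), 443), (env.management_host, 443)]
    targets += [(f"{namespace}.{env.servicebus_suffix}", p) for p in AMQP_PORTS]
    return targets


# Constructed sample stanza with placeholder values, mirroring the one above.
SAMPLE_CONF = """
[ProvideName]
account_class_type = 3
client_id = 00000000-0000-0000-0000-000000000000
client_secret = placeholder-secret
tenant_id = 00000000-0000-0000-0000-000000000000
"""

if __name__ == "__main__":
    env = load_account_stanza(SAMPLE_CONF, "ProvideName")
    print(env.name, env.aad_authority)
    for host, port in firewall_allowlist(env, "example-namespace"):
        print(f"allow {host}:{port}")
    print(check_hostname("core.chinacloudapi.cn ", "cn"))
```

Running the module prints the resolved China environment, the four firewall targets for a constructed namespace, and the problem list for the trailing-space endpoint string from the thread; wiring validate_environment into a pre-flight check is a cheap way to catch a mistyped suffix before the _ssl authentication error appears.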
