@alikorit - In the last month I have spent countless hours troubleshooting this with our Azure Architects, Splunk Support, Splunk CSM Engineers, Network Engineers and Azure China Engineers after we were receiving Authentication Error for the event hubs (_ssl:1106). Nothing that we did seemed to help getting this up and running, and everyone was pointing fingers back at the networking team stating this was a networking issue due to not being able to see any traffic within or to the Azure Platform. It wasn't until recently that I was able to find the Python scripts below and make the modifications that we started seeing activity both ways along with events coming into our Cloud environment.

Before moving forward, make sure you have made the following changes to your firewall:

- Allowed NameSpace traffic.
- Open the ports for AMQP traffic (5671 & 5672).
- Add the Application rule to allow AAD Traffic (https://login.partner.microsoftonline.cn)

As @tarungupta0311 mentioned, those two changes do have to be made. However, if you are also trying to attach a storage account, then you also need to change the account class type to 3 there as well. You don't necessarily have to have an account secret set up; however, I did, with it being an Access Token, which is secret type 1.

    [Storage Account]
    account_name = ******
    account_secret = ******
    account_secret_type = 1
    account_class_type = 3

Other Python scripts that I had to modify to get it working are as follows, along with the change and string line:

mscs_const.py

Added in line 111 (this was completely missing):

    CHINACLOUD_HOSTNAME = "management.chinacloudapi.cn"

mcsc_storage_service.py

Edited line 236 (.net will take you nowhere when trying to resolve the DNS considering it's in China)

from:

    endpoint_suffix = "core.chinacloudapi.net"

to:

    endpoint_suffix = "core.chinacloudapi.cn"

mscs_azure_event_hub.py (this was switched around, classtype 3 being Germany NOT China)

Edited line 681 from:

    4: KnownAuthorities.Azure_CHINA

to:

    4: KnownAuthorities.Azure_GERMANY

Edited line 682 from:

    3: KnownAuthorities.Azure_GERMANY

to:

    3: KnownAuthorities.Azure_CHINA

Once I made the last change and rebooted splunkd on the HF, data was flowing like a flood gate was opened.
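A preflight for the firewall prerequisites listed in the post above, added here as an example and not part of the original post or of the Splunk add-on: run from the heavy forwarder, it reports whether each endpoint fails at DNS, TCP or the TLS handshake, so a blocked port can be told apart from a TLS-layer error. The namespace host is a placeholder, and attempting TLS only on 5671 and 443 (with 5672 checked for reachability only) is an assumption.

```python
import socket
import ssl

# Placeholder namespace host (assumption): substitute your own Event Hubs namespace.
NAMESPACE_HOST = "example-namespace.servicebus.chinacloudapi.cn"
# (host, port, use_tls): the ports and the AAD host are the ones named in the post.
TARGETS = [
    (NAMESPACE_HOST, 5671, True),
    (NAMESPACE_HOST, 5672, False),
    ("login.partner.microsoftonline.cn", 443, True),
]


def probe(host, port, use_tls, timeout=5.0, resolve=socket.getaddrinfo,
          connect=socket.create_connection, wrap=None):
    """Return (stage, detail); stage is 'dns', 'tcp', 'tls' or 'ok'."""
    try:
        resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, unreachable
        return "tcp", str(exc)
    try:
        if use_tls:
            if wrap is None:
                wrap = ssl.create_default_context().wrap_socket
            # Full handshake with certificate and hostname verification.
            with wrap(sock, server_hostname=host) as tls:
                return "ok", tls.version()
        return "ok", "tcp-only"
    except (ssl.SSLError, OSError) as exc:
        return "tls", str(exc)
    finally:
        sock.close()


def preflight(targets=TARGETS, **kw):
    """Probe every target; keyword arguments are passed through to probe()."""
    return {(h, p): probe(h, p, tls, **kw) for h, p, tls in targets}


if __name__ == "__main__":
    for (host, port), (stage, detail) in preflight().items():
        print(f"{host}:{port:<5} {stage:<4} {detail}")
```

The `resolve`, `connect` and `wrap` parameters exist only so the probe can be exercised without network access; leave them at their defaults for a real check.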