
Unable to get event hub creds: unauthorized, invalid issuer

undercd
Explorer

I've configured our Azure and the Azure Monitor Add-on for Splunk per the documentation, but I'm not getting any logs. I checked splunkd.log, and I'm receiving the following error:

08-23-2019 13:49:28.720 -0700 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\TA-Azure_Monitor\bin\azure_activity_log.cmd"" Modular input azure_activity_log:// AzureActivityLogs Error getting event hub creds: StatusCodeError: 401 - {"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/[redactedSubscription/TenantID?]/, https://sts.windows.net/[redactedSubscription/TenantID?]/, https://sts.windows.net/[redactedSubscription/TenantID?]/, found https://sts.windows.net/[redactedMyAzureADTenantID/."}}

I'm assuming the 3 "expected" are either subscription or tenant IDs, but they're not familiar, and I don't see them in our Azure environment anywhere. The "found" is my tenant ID, taken directly from the Azure AD properties page. Any idea how to resolve this, or even where to start, or where else I can look?


undercd
Explorer

This can be resolved by setting the environment in 3 separate files located in %SPLUNK_HOME%/etc/apps/TA-Azure_Monitor/bin/:

azure_environment.py
os.environ['AZURE_ENVIRONMENT'] = "<your_environment>"

For Linux servers, add the following line to the azure_activity_log.sh and azure_diagnostic_logs.sh files:
export AZURE_ENVIRONMENT=<your_environment>

For Windows servers, add the following line to azure_activity_log.cmd and azure_diagnostic_logs.cmd files:
set AZURE_ENVIRONMENT=<your_environment>

The available environments are:
AzureCloud
AzureUSGovernment
AzureChinaCloud
AzureGermanCloud

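To see why the environment setting matters, here is an added diagnostic example (my own code, not part of the add-on or the original answer). It maps the four environment names listed above to their well-known sign-in authority and Key Vault DNS suffix, validates the AZURE_ENVIRONMENT value the same way a script would, reads the tenant out of a token's iss claim without verifying it, and reports the kind of cross-cloud mismatch behind an "invalid issuer" response. The vault hostname, tenant id and token below are constructed placeholders.

```python
import base64
import json
import os
from urllib.parse import urlparse

# Per-cloud endpoints for the environment names the add-on accepts. The hostnames
# are the public sovereign-cloud endpoints; the table itself is this example's.
AZURE_ENVIRONMENTS = {
    "AzureCloud": {
        "authority": "https://login.microsoftonline.com",
        "keyvault_dns_suffix": "vault.azure.net",
    },
    "AzureUSGovernment": {
        "authority": "https://login.microsoftonline.us",
        "keyvault_dns_suffix": "vault.usgovcloudapi.net",
    },
    "AzureChinaCloud": {
        "authority": "https://login.chinacloudapi.cn",
        "keyvault_dns_suffix": "vault.azure.cn",
    },
    "AzureGermanCloud": {
        "authority": "https://login.microsoftonline.de",
        "keyvault_dns_suffix": "vault.microsoftazure.de",
    },
}


def resolve_environment(env=None):
    """Return (name, endpoints) for an explicit name or for AZURE_ENVIRONMENT.

    Mirrors what a script reading the variable has to do: an unset variable
    silently falls back to the commercial cloud, and a misspelt value is an error
    rather than another silent fallback.
    """
    name = env if env is not None else os.environ.get("AZURE_ENVIRONMENT", "AzureCloud")
    name = name.strip()
    if name not in AZURE_ENVIRONMENTS:
        raise ValueError(
            f"Unknown AZURE_ENVIRONMENT {name!r}; expected one of {sorted(AZURE_ENVIRONMENTS)}"
        )
    return name, AZURE_ENVIRONMENTS[name]


def token_issuer_tenant(jwt):
    """Return the tenant id embedded in the 'iss' claim of an access token.

    The payload is base64url-decoded WITHOUT signature verification: this is a
    diagnostic read of a token you already hold, never an authentication step.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["iss"].rstrip("/").rsplit("/", 1)[-1]


def diagnose(expected_tenant, vault_url, jwt, env=None):
    """List mismatches between configured cloud, vault being called and token.

    An empty list means the three agree. A vault outside the configured cloud is
    the cross-cloud situation described in the thread: the token would be
    requested from one cloud's authority and presented to another cloud's vault.
    """
    findings = []
    try:
        name, ep = resolve_environment(env)
    except ValueError as exc:
        return [str(exc)]
    host = urlparse(vault_url).hostname or ""
    if not host.endswith("." + ep["keyvault_dns_suffix"]):
        findings.append(
            f"vault host {host} is not in {name} ({ep['keyvault_dns_suffix']}); "
            f"a token from {ep['authority']} is not trusted by that vault"
        )
    issuer_tenant = token_issuer_tenant(jwt)
    if issuer_tenant.lower() != expected_tenant.lower():
        findings.append(f"token issued for tenant {issuer_tenant}, expected {expected_tenant}")
    return findings


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: placeholder tenant id and a fake, unsigned token.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "iss": f"https://sts.windows.net/{SAMPLE_TENANT}/",
        "aud": "https://vault.usgovcloudapi.net",
    }).encode()),
    _b64url(b"fake-signature"),
])

if __name__ == "__main__":
    vault = "https://myvault.vault.usgovcloudapi.net"  # constructed hostname
    for env in ("AzureCloud", "AzureUSGovernment"):
        print(env, "->", diagnose(SAMPLE_TENANT, vault, SAMPLE_TOKEN, env=env) or "consistent")
```

Running it shows the default AzureCloud setting flagged against a US Government vault and the same inputs reported as consistent once the environment is AzureUSGovernment, which is the change the answer makes in the three files.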


undercd
Explorer

I've identified that the issue seems to be a problem with going between the Azure Commercial and Azure US Government clouds. I'm able to replicate the issue in the Azure CLI by leaving the cloud set to the default, and can resolve the error in the Azure CLI by changing to the AzureUSGovernment cloud.

I've been in contact with the primary developer, and he's able to access his govcloud using the app, but I'm still getting the same error, even after setting the environment in the app's files (azure_activity_log.sh and azure_diagnostic_logs.sh).
