
Splunk Add-on for Microsoft Cloud Services:

Hello all,

My colleagues and I are attempting to set up the Splunk Add-on for Microsoft Cloud Services to pull down NSG Flow logs out of a Network Watcher and into Splunk. We have been following the "Splunking Microsoft Azure Network Watcher Data" tutorial in the "TIPS & TRICKS" section of the Splunk Blog.

**Azure Storage account** has been set up to the best of our understanding using an Access Key.

**Azure Storage Blob** has been set up as per the tutorial (the important part being Container Name: "insights-logs-networksecuritygroupflowevent").

When this is run we get the following error and are having difficulties trying to establish what the cause may be:

```
YYYY-MM-dd hh:mm:ss,xxx +0000 log_level=ERROR, pid=xxxxx, tid=Thread-34, file=mscs_storage_dispatcher.py, func_name=_dispatch_storage_list, code_line_no=86 | [stanza_name="" account_name="" container_name="insights-logs-networksecuritygroupflowevent" blob_list=""] Exception@_dispatch_tables() ,error_message=ConnectionError: HTTPSConnectionPool(host='.blob.core.windows.net', port=443): Max retries exceeded with url: /insights-logs-networksecuritygroupflowevent?restype=container&comp=list (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 110] Connection timed out',))
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_dispatcher.py", line 82, in _dispatch_storage_list
    self._do_dispatch()
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_dispatcher.py", line 93, in _do_dispatch
    self._dispatch_tasks(patterns)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_dispatcher.py", line 115, in _dispatch_tasks
    next_marker, patterns)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_blob_dispatcher.py", line 92, in _get_storage_info_list
    marker=marker)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/azure/storage/blob/baseblobservice.py", line 1177, in list_blobs
    resp = self._list_blobs(*args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/azure/storage/blob/baseblobservice.py", line 1247, in _list_blobs
    response = self._perform_request(request)
  File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/azure/storage/storageclient.py", line 186, in _perform_request
    raise AzureException('{}: {}'.format(ex.__class__.__name__, ex.args[0]))
AzureException: ConnectionError: HTTPSConnectionPool(host='.blob.core.windows.net', port=443): Max retries exceeded with url: /insights-logs-networksecuritygroupflowevent?restype=container&comp=list (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 110] Connection timed out',))
```

We are able to curl from the Heavy Forwarder the app is installed on to the storage URLs. We are stuck trying to determine if the problem is due to configuration within Splunk or in the cloud or somewhere in between.

If anyone could offer any suggestions on lines of investigation, or if they have experienced anything similar before, we would be grateful.

Many thanks.

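Added example, not part of the original post or the add-on's code: a small triage of the add-on's error line that reports the stage at which the request failed. For the quoted `[Errno 110]` the failure is at TCP connect, so no HTTP request, and therefore no Access Key check, ever reached the storage endpoint. The sample line is constructed from the post and `exampleaccount` is a placeholder.

```python
import re

# Linux errno values as they appear in the "[Errno N]" field of the log line.
TCP_ERRNOS = {
    110: "connect timed out: packets dropped (firewall, routing, or a required proxy)",
    111: "connection refused: host reachable, nothing accepting on the port",
    113: "no route to host",
}
HOST_RE = re.compile(r"HTTPSConnectionPool\(host='([^']*)', port=(\d+)\)")
URL_RE = re.compile(r"with url: (\S+)")
ERRNO_RE = re.compile(r"\[Errno (-?\d+)\]")

# Constructed sample, shortened from the error quoted in the post.
SAMPLE = (
    "log_level=ERROR, file=mscs_storage_dispatcher.py | error_message=ConnectionError: "
    "HTTPSConnectionPool(host='exampleaccount.blob.core.windows.net', port=443): "
    "Max retries exceeded with url: /insights-logs-networksecuritygroupflowevent"
    "?restype=container&comp=list (Caused by NewConnectionError(': Failed to establish "
    "a new connection: [Errno 110] Connection timed out',))"
)

def triage(line):
    """Classify one add-on error line by the stage at which the request failed."""
    out = {"host": None, "port": None, "url": None, "errno": None, "detail": None}
    m = HOST_RE.search(line)
    if m:
        out["host"], out["port"] = m.group(1), int(m.group(2))
    m = URL_RE.search(line)
    if m:
        out["url"] = m.group(1)
    m = ERRNO_RE.search(line)
    if m:
        out["errno"] = int(m.group(1))
    if "Name or service not known" in line or "name resolution" in line:
        out["stage"], out["reached_service"] = "dns", False
    elif out["errno"] in TCP_ERRNOS:
        out["stage"], out["reached_service"] = "tcp", False
        out["detail"] = TCP_ERRNOS[out["errno"]]
    elif "SSLError" in line:
        out["stage"], out["reached_service"] = "tls", False
    elif "AuthenticationFailed" in line or "ContainerNotFound" in line:
        # Azure Storage error codes: the service answered, so the network path works.
        out["stage"], out["reached_service"] = "http", True
    else:
        out["stage"], out["reached_service"] = "unknown", None
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A `tcp` result points the investigation at the network path used by the Splunk process itself (egress rules, proxy settings) rather than at the storage account or input configuration.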