Splunk Add-on for Microsoft Office 365 Graph API and CAS input does not work on Windows?

melvinfuglem — Thu, 09 Feb 2023 19:47:37 GMT

I am trying to collect data from Azure Graph, and CAS API using the Splunk Add-on for Microsoft Office 365 app. I tried this first on a windows server and got this error:

2022-02-03 11:34:12,218 level=INFO pid=7340 tid=MainThread logger=splunksdc.collector pos=collector.py:run:251 | | message="Modular input started."
2022-02-03 11:34:12,508 level=INFO pid=7340 tid=MainThread logger=splunk_ta_o365.common.settings pos=settings.py:load:36 | datainput=b'testsignins' start_time=1643884452 | message="Load proxy settings success." enabled=False host=b'' port=b'' username=b''
2022-02-03 11:34:12,802 level=INFO pid=7340 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get_v2_token_by_psk:160 | datainput=b'testsignins' start_time=1643884452 | message="Acquire access token success." expires_on=1643888051.8024929
2022-02-03 11:34:13,806 level=DEBUG pid=7340 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=graph_api.py:run:102 | datainput=b'testsignins' start_time=1643884452 | message="Start Retrieving Graph Api Audit Messages." timestamp=1643884453.8066385 report=b'signIns'
2022-02-03 11:34:13,806 level=INFO pid=7340 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:462 | datainput=b'testsignins' start_time=1643884452 | message="Calling Microsoft Graph API." url=b'https://graph.microsoft.com/v1.0/auditLogs/signIns' params=None
2022-02-03 11:34:21,628 level=ERROR pid=7340 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=graph_api.py:run:118 | datainput=b'testsignins' start_time=1643884452 | message="Error retrieving Cloud Application Security messages." exception=Invalid format string
2022-02-03 11:34:21,628 level=ERROR pid=7340 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=utils.py:wrapper:72 | datainput=b'testsignins' start_time=1643884452 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunksdc\utils.py", line 70, in wrapper
return func(*args, **kwargs)
File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunk_ta_o365\modinputs\graph_api.py", line 235, in run
return consumer.run()
File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunk_ta_o365\modinputs\graph_api.py", line 114, in run
self._ingest(message, source)
File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunk_ta_o365\modinputs\graph_api.py", line 125, in _ingest
expiration = int(message.update_time.strftime('%s'))
ValueError: Invalid format string
2022-02-03 11:34:21,632 level=INFO pid=7340 tid=MainThread logger=splunksdc.collector pos=collector.py:run:254 | | message="Modular input exited."

Authenication seems to be working but it looks like it returns an unexpected string value it can't handle. I tested the azure app and CAS token using powershell and no issues. So last ditch effort was to try on another server. This happend to be a Linux server. When i set the app up there everything worked without issues. This made me think that the Graph and CAS inputs does not work on Windows servers since this was the only difference. So i tested on an another windows server and got the same error. So I wondered if anyone else here has the same result as me, or has managed to get this running on a windows server? The app in splunk says it is platform independent, so it should run on windows to.

Re: Splunk Add-on for Microsoft Office 365 Graph API and CAS input does not work on Windows

jaredjennings — Thu, 09 Feb 2023 18:59:52 GMT

That is a portability bug in the Python code of the add-on.

The right way to proceed is to seek updates for this add-on, and if you are already at the latest version, file a Splunk support ticket with the below information, since the add-on is Splunk Supported.

Details of the problem:

The format codes you can pass to a Python datetime object's strftime method (that "work on all platforms with a standard C implementation") are documented at https://docs.python.org/3/library/datetime.html?highlight=strftime#strftime-strptime-behavior. %s is not one of them. It's a GNU extension to the C89 standard (compare the Python docs with strftime(3) from Debian 8.1.0). This means %s can be used where Python is built on top of the GNU C library (e.g. Red Hat Enterprise Linux), but cannot be used elsewhere (e.g., Windows). That's why the exception "Invalid format string" was raised.

%s is supposed to produce the number of seconds since 1970-01-01 00:00:00 +0000 (UTC). Python datetime objects can do this using their timestamp method, which appears to be equally available on all platforms.

So, line 125 of splunk_ta_o365/bin/splunk_ta_o365/modinputs/graph_api.py should perhaps say:

expiration = int(message.update_time.timestamp())

Some additional code may be necessary to treat timezones properly.

topic Splunk Add-on for Microsoft Office 365 Graph API and CAS input does not work on Windows? in All Apps and Add-ons

Splunk Add-on for Microsoft Office 365 Graph API and CAS input does not work on Windows?

Re: Splunk Add-on for Microsoft Office 365 Graph API and CAS input does not work on Windows