Hello,
the version 2.01 is the only one I installed. I configured signins and audit and the data started flowing. 12 hours after, signin source started returning 403 forbiden while audit source continued to work.
tried to figure out what the problem was. Decided to wipe everything off and to start from scratch to configure only signins logs and it stills not work.
I have no clue where to go from here, anyone with similar experiences ?
Not sure where to look for help. Here's the full error:
2019-11-12 18:02:58,198 ERROR pid=66637 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 84, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 77, in collect_events
sign_ins = azutils.get_items(helper, access_token, url)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 33, in get_items
raise e
HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
The same issue came back after a week without change to the setup.
Update to 2.02 fixed the problem.