500 and 401 errors on messagetrace app.

Esky73 · ‎07-02-2019

any idea why we would get these 500 and 401 errors ?

29/06/2019
18:14:40.818    
06-29-2019 18:14:40.818 +1000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTP Request error: 500 Server Error: Internal Server Error for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...;
host =  HOSTNAME source =   /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
28/06/2019
11:58:24.288    
06-28-2019 11:58:24.288 +1000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...;
host =  HOSTNAME source =   /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd

amitm05 · ‎07-02-2019

@Esky73
So these are bad and unauthorized requests from splunk O365 TA. There can be multiple reasons for these, but have you made sure for your Connection into Office365.
This add-on makes use of the Office 365 Reporting Web Service (https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984...). This should be easy to test this web service outside of Splunk using cURL or Postman.

Let me know. Thanks

500 and 401 errors on messagetrace app.

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!