Azure Sign-in logs are not ingested

subbarayudu
New Member

Hi Team,

We are using version 1.1.0. From June 30th, we noticed Azure_Signin logs are not being collected. Below are the TA log details. We even deleted and re-added the configuration. Kindly assist.

2019-08-22 11:36:14,637 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:16,956 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=f5970c446f59894f9d72c2a3e2705175_124000 HTTP/1.1" 200 None
2019-08-22 11:36:17,170 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:17,172 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:19,719 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=92c340710daf7f40e60c3550bd8233e7_125000 HTTP/1.1" 200 None
2019-08-22 11:36:19,938 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:19,939 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:22,286 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=17b14e4beabf347dd49018247b74f648_126000 HTTP/1.1" 200 None
2019-08-22 11:36:22,513 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:22,516 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:24,854 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=767e337c1b3b9e1e4bf6281eb82d2433_127000 HTTP/1.1" 200 None
2019-08-22 11:36:25,070 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:25,072 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:27,411 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=a1283295e7d3d2bfae9aac1574e02758_128000 HTTP/1.1" 200 None
2019-08-22 11:36:28,610 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:28,611 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com

Thanks,
Subbu

0 Karma
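One way to read the debug lines in the post above, as an added example that is not part of the original thread or of the add-on's code: it parses the request lines and reports whether the input is getting HTTP 200 responses while still paging from one fixed `createdDateTime` start. Reading the number after the underscore in `$skiptoken` as a running counter, and comparing the log timestamps directly with the filter timestamp (same time zone), are assumptions; `summarize` is a hypothetical helper name.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Three request lines taken from the log excerpt in the post above.
SAMPLE = """
2019-08-22 11:36:16,956 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=f5970c446f59894f9d72c2a3e2705175_124000 HTTP/1.1" 200 None
2019-08-22 11:36:19,719 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=92c340710daf7f40e60c3550bd8233e7_125000 HTTP/1.1" 200 None
2019-08-22 11:36:22,286 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=17b14e4beabf347dd49018247b74f648_126000 HTTP/1.1" 200 None
"""

REQ = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?'
                 r'"GET (?P<path>\S+) HTTP/1\.1" (?P<status>\d{3})')
SINCE = re.compile(r"ge (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)")

def summarize(log_text):
    """Summarize paging progress from the TA's connectionpool debug lines."""
    rows = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        # parse_qs decodes '+' to a space and %3a to ':' in the OData filter.
        q = parse_qs(urlsplit(m["path"]).query)
        since = SINCE.search(q.get("$filter", [""])[0])
        token = q.get("$skiptoken", [""])[0]
        if not since or "_" not in token:
            continue  # first page or a different endpoint: nothing to compare
        rows.append({
            "at": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "status": int(m["status"]),
            "since": datetime.strptime(since.group(1), "%Y-%m-%dT%H:%M:%S"),
            # Assumption: the suffix after '_' is a running counter.
            "counter": int(token.rsplit("_", 1)[1]),
        })
    if len(rows) < 2:
        return None
    first, last, steps = rows[0], rows[-1], len(rows) - 1
    return {
        "requests": len(rows),
        "all_http_200": all(r["status"] == 200 for r in rows),
        "checkpoint_fixed": len({r["since"] for r in rows}) == 1,
        "lag_days": (last["at"] - last["since"]).days,
        "counter_step": (last["counter"] - first["counter"]) // steps,
        "secs_per_page": (last["at"] - first["at"]).total_seconds() / steps,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
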

jaxjohnny2000
Builder

Version 2.0.0 of that app was just released. Try to install this on a fresh heavy forwarder first before upgrading. While this app should upgrade just fine, I say a fresh machine in case you have other inputs. This new version has a ton of new features. So, test this out and then back up the older version first.

Here’s an easy way to test outside of Splunk:

https://developer.microsoft.com/en-us/graph/graph-explorer
• Sign in
• Paste your URL without the skiptoken
o https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
• Click Run Query

This output helped me find my permissions issue.

But upgrade for sure to version 2.0.0

0 Karma

subbarayudu
New Member

Hi Rick,

Here are the app details. We just upgraded the app as well, and the issue still exists.

https://splunkbase.splunk.com/app/3757/

Thanks,
Subbu

0 Karma

richgalloway
SplunkTrust

Which add-on are you using to collect the Azure logs?

---
If this reply helps you, Karma would be appreciated.
0 Karma