Azure Sign-in logs are not ingested

New Member

Hi Team,

We are using version 1.1.0. From June 30th, we noticed Azure_Signin logs are not being collected. Below are the TA log details. We even deleted and re-added the configuration. Kindly assist.

2019-08-22 11:36:14,637 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:16,956 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=f5970c446f59894f9d72c2a3e2705175_124000 HTTP/1.1" 200 None
2019-08-22 11:36:17,170 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:17,172 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:19,719 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=92c340710daf7f40e60c3550bd8233e7_125000 HTTP/1.1" 200 None
2019-08-22 11:36:19,938 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:19,939 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:22,286 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=17b14e4beabf347dd49018247b74f648_126000 HTTP/1.1" 200 None
2019-08-22 11:36:22,513 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:22,516 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:24,854 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=767e337c1b3b9e1e4bf6281eb82d2433_127000 HTTP/1.1" 200 None
2019-08-22 11:36:25,070 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:25,072 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:27,411 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=a1283295e7d3d2bfae9aac1574e02758_128000 HTTP/1.1" 200 None
2019-08-22 11:36:28,610 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:28,611 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com

Thanks,
Subbu

0 Karma
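
An added example, not part of the original post or of the add-on's code: a small Python parser that reads the request lines from the DEBUG log above and reports the HTTP statuses, the `$filter` start time, the skiptoken suffixes and the pace of the paging requests. The function name `summarize` and the reading of the skiptoken's numeric suffix as a running position are assumptions made for this example.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Three request lines copied from the post above (other lines omitted).
SAMPLE_LOG = """\
2019-08-22 11:36:16,956 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=f5970c446f59894f9d72c2a3e2705175_124000 HTTP/1.1" 200 None
2019-08-22 11:36:19,719 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=92c340710daf7f40e60c3550bd8233e7_125000 HTTP/1.1" 200 None
2019-08-22 11:36:22,286 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=17b14e4beabf347dd49018247b74f648_126000 HTTP/1.1" 200 None
"""

# Timestamp, request path and HTTP status of each urllib3 request line.
REQUEST_RE = re.compile(r'^(?P<ts>\S+ \S+) .*"GET (?P<path>\S+) HTTP/1\.1" (?P<status>\d{3})')
FILTER_RE = re.compile(r"createdDateTime\+ge\+([^&]+)")
# Assumption: the digits after "_" in the skiptoken are a running position.
SKIP_RE = re.compile(r"\$skiptoken=[0-9a-f]+_(\d+)")


def summarize(log_text):
    """Summarize paging progress of the sign-in input from its DEBUG log."""
    times, starts, suffixes, statuses = [], set(), [], set()
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue
        flt = FILTER_RE.search(req["path"])
        skip = SKIP_RE.search(req["path"])
        if not (flt and skip):
            continue
        times.append(datetime.strptime(req["ts"], "%Y-%m-%d %H:%M:%S,%f"))
        # Graph prints 7 fractional digits; keep whole seconds only.
        starts.add(unquote(flt[1])[:19])
        suffixes.append(int(skip[1]))
        statuses.add(req["status"])
    if not times:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    oldest = datetime.strptime(min(starts), "%Y-%m-%dT%H:%M:%S")
    return {
        "requests": len(times),
        "statuses": sorted(statuses),
        "filter_starts": sorted(starts),
        "token_suffixes": suffixes,
        "mean_gap_s": round(sum(gaps) / len(gaps), 3) if gaps else None,
        # Approximate: log time is forwarder-local, the filter is UTC.
        "filter_age_days": (times[-1] - oldest).days,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample lines this shows every request returning 200, a single `$filter` start of 2019-07-30 that is about 22 days older than the requests, and a skiptoken suffix that rises by 1000 per request.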

Contributor

Version 2.0.0 of that app was just released. Try installing it on a fresh heavy forwarder first before upgrading. While this app should upgrade just fine, I say a fresh machine in case you have other inputs. This new version has a ton of new features. So, test this out and then back up the older version first.

Here’s an easy way to test outside of Splunk:

https://developer.microsoft.com/en-us/graph/graph-explorer
• Sign in
• Paste your URL without the skiptoken
o https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
• Click Run Query

This output helped me find my permissions issue.

But upgrade for sure to version 2.0.0.

0 Karma

New Member

Hi Rick,

Here are the app details. We just upgraded the app as well, and the issue still exists.

https://splunkbase.splunk.com/app/3757/

Thanks,
Subbu

0 Karma

SplunkTrust

Which add-on are you using to collect the Azure logs?

---
If this reply helps you, an upvote would be appreciated.
0 Karma