All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Azure Siginin logs are not ingested

subbarayudu
New Member
‎08-22-2019 04:42 AM

Hi Team,

We are using version 1.1.0, From June3oth,noticed Azure_Signin logs are not being collected. Below is the ta log details. We even to deleted and re-added the configuration, Kindly assist.

2019-08-22 11:36:14,637 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:16,956 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=f5970c446f59894f9d72c2a3e2705175_124000 HTTP/1.1" 200 None
2019-08-22 11:36:17,170 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:17,172 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:19,719 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=92c340710daf7f40e60c3550bd8233e7_125000 HTTP/1.1" 200 None
2019-08-22 11:36:19,938 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:19,939 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:22,286 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=17b14e4beabf347dd49018247b74f648_126000 HTTP/1.1" 200 None
2019-08-22 11:36:22,513 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:22,516 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:24,854 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=767e337c1b3b9e1e4bf6281eb82d2433_127000 HTTP/1.1" 200 None
2019-08-22 11:36:25,070 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:25,072 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-08-22 11:36:27,411 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+2019-07-30T22%3a09%3a59.8512274Z&$skiptoken=a1283295e7d3d2bfae9aac1574e02758_128000 HTTP/1.1" 200 None
2019-08-22 11:36:28,610 DEBUG pid=7831 tid=MainThread file=base_modinput.py:log_debug:286 | Next URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-08-22 11:36:28,611 DEBUG pid=7831 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com

Thanks,
Subbu

0 Karma
Reply

jaxjohnny2000
Builder
‎10-11-2019 01:10 PM

That app was just released version 2.0.0. Try to install this on a fresh heavy forwarder first before upgrading. While this app should upgrade just fine, I say a fresh machine in case you have other inputs. This new version has a ton of new features. So, test this out and then backup the older version first.

Here’s an easy way to test outside of Splunk:

https://developer.microsoft.com/en-us/graph/graph-explorer
• Sign in
• Paste your URL without the skiptoken
o https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
• Click Run Query

This output helped me find my permissions issue

But upgrade for sure to version 2.0.0

0 Karma
Reply

subbarayudu
New Member
‎08-22-2019 10:48 AM

Hi Rick,

Here is the app details, Just now we upgraded the app as well, Still issue exists.

https://splunkbase.splunk.com/app/3757/

Thanks,
Subbu

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-22-2019 06:11 AM

Which add-on are you using to collect the Azure logs?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...