All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Getting errors when upgrading to Microsoft Azure Add-on version 2.1: "No logs ERROR401 Client Error", "ERROR ExecProcessor".

njytrde
Explorer
‎04-28-2020 01:15 PM

Hello all,

I recently upgraded the Microsoft Azure Add-on TA to version 2.1. Not only did it break the configuration, but there are also some added permissions that need to be applied on the Azure portal side. I worked with someone on our Windows AD team who has the necessary access but he did not see what is referenced below in the details of the Add-on.

https://splunkbase.splunk.com/app/3757/

Microsoft Azure Active Directory Sign-ins Microsoft Graph Read all audit log data
Windows Azure Active Directory "(Application) Read directory data

(Delegated) Read directory data"
Microsoft Azure Active Directory Users Microsoft Graph Read all audit log data
Windows Azure Active Directory "(Application) Read directory data

(Delegated) Read directory data"
Microsoft Azure Active Directory Audit Microsoft Graph Read all audit log data
Windows Azure Active Directory "(Application) Read directory data

(Delegated) Read directory data"

These are the errors in the internal logs. Any ideas?

04-28-2020 15:58:03.014 -0400 

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" 

ERROR401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?

$orderby=activityDateTime&$filter=activityDateTime+gt+2020-04-21T15:58:02.316173Z+and+activityDateTime+le+2020-04-28T19:51:02.559995Z
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mwyman_splunk
Splunk Employee
Splunk Employee
‎05-01-2020 12:10 PM

I'm curious why it has "beta" instead of an api version, like v1.0, in the url that is returned in the error:

ERROR401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mwyman_splunk
Splunk Employee
Splunk Employee
‎05-01-2020 12:10 PM

I'm curious why it has "beta" instead of an api version, like v1.0, in the url that is returned in the error:

ERROR401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/

0 Karma
Reply
Solved! Jump to solution

njytrde
Explorer
‎05-04-2020 10:56 AM

So it turns out, the problem was, when I updated the TA version to 2.1 for Microsoft Azure Add-on for Splunk, the API permissions changed.

Once Directory.Read.All and AuditLog.Read.All was added for the application and delegation for the microsoft graph, the logs started ingesting normally again.

0 Karma
Reply
Solved! Jump to solution

mwyman_splunk
Splunk Employee
Splunk Employee
‎05-01-2020 12:10 PM

I'm curious why it has "beta" instead of an api version, like v1.0, in the url that is returned in the error:

ERROR401 Client Error: Unauthorized for url: https://graph.microsoft.com/be

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...