
Ingesting logs from Microsoft Teams

Builder

Hey All,

I recently installed/configured the Microsoft Teams Add-on in an attempt to ingest call logs and meeting info from Microsoft Teams. I have run into an issue I was hoping someone could help with or shed some light on.

Add-On Version: 1.02

Splunk Version: 7.3.4

App is installed on a HF.

I have followed the instructions on the setup and have the Subscription, User Reports, Call Reports and Webhook all set up in the inputs section of the app. It appears, though, that the only thing working is the User Reports. I have granted all of the required permissions in Teams\Azure per the documentation.

The _internal logs don't give a whole lot of information indicating what the issue might be even with DEBUG logging enabled for the app.

The only thing I am seeing in the logs indicating an issue was this:

127.0.0.1 - splunk-system-user [30/Jun/2020:09:05:36.213 -0500] "GET /servicesNS/nobody/TA_MS_Teams/properties/TA_MS_Teams HTTP/1.1" 404 144 - - - 0ms

And this:

2020-06-30 09:25:43,189 ERROR pid=107176 tid=MainThread file=base_modinput.py:log_error:309 | Could not create subscription: 400 Client Error: Bad Request for url: https://graph.microsoft.com/beta/subscriptions

The documentation also mentions a webhook, and I am a little confused as to where that webhook resides. Is it in Teams itself or where the app is installed? It seems like the webhook is in the app on the HF based on how the documentation reads?

Any help would be greatly appreciated.

Thanks,

Andrew


Re: Ingesting logs from Microsoft Teams

Engager

Having literally just gone through this, I'll try to help! What was broken for me (and giving the same headache) sounds like exactly what you're seeing.

If you're getting user reports then your app is correct and the permissions are correct. What is broken is either your subscription, webhook, or CDR. For me, it was the webhook/subscription because they both are interconnected.

First, the Webhook. The webhook has to live on the HF where the Add-on is installed. The port you give it must be accessible from the public internet (because that's how Teams works) and MUST be SSL. Otherwise nothing will work. Easiest way to test is to go to the public IP address (from something on the internet) and test https://<webhookName>:<portdefined> and you should get:

{"success": true}

My config looks like this:

[Image: 2020-07-01_06-54-28.png]

When I go to my webhook URL (via https, hostname, port), I get a success.

Once that's done, you configure the Subscription to reference the correct webhook URL.

After that, data should start flowing.

Hope this helps, hit me up if you need more help with it!
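The webhook test described in the answer above, written as a Python pre-flight check; this is an added example, not part of the original post or the add-on's own code. The function names `url_problems`, `body_ok` and `probe` are hypothetical, and the script is meant to be run from a host on the public internet with the webhook URL as its only argument.

```python
#!/usr/bin/env python3
"""Pre-flight check for a Teams add-on webhook URL (added example)."""
import ipaddress
import json
import ssl
import sys
import urllib.request
from urllib.parse import urlsplit


def url_problems(url):
    """Static checks that need no network: https scheme, routable host."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    host = parts.hostname
    if not host:
        problems.append("no hostname")
        return problems
    try:
        if not ipaddress.ip_address(host).is_global:
            problems.append("address is not publicly routable")
    except ValueError:
        pass  # a DNS name; reachability is decided by the live probe
    return problems


def body_ok(body):
    """True only if the body is JSON with "success": true."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False
    return isinstance(doc, dict) and doc.get("success") is True


def probe(url, timeout=10):
    """Fetch the URL with certificate chain and hostname verification on."""
    ctx = ssl.create_default_context()  # rejects untrusted or mismatched certs
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return "ok" if body_ok(resp.read()) else "unexpected response body"
    except OSError as exc:  # URLError, TLS failures and timeouts all land here
        return f"unreachable or TLS failure: {getattr(exc, 'reason', exc)}"


if __name__ == "__main__" and len(sys.argv) == 2:
    issues = url_problems(sys.argv[1])
    print(issues if issues else probe(sys.argv[1]))
```

A TLS failure here with a self-signed certificate is expected, since the probe only trusts certificates that chain to the system trust store.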


Re: Ingesting logs from Microsoft Teams

Builder

Thanks for the super helpful information! Definitely puts me on the right path and kinda confirmed my suspicions.

So you used a cert from an external party and NAT'ed that hostname at your FW?


Re: Ingesting logs from Microsoft Teams

Engager

Exactly! Once I did that I have data not only in the Remote Work Insights app, but also in the M365 Teams section.


Re: Ingesting logs from Microsoft Teams

Builder

Great! Thanks for the helpful info!
