Hi All,
I recently installed/configured the "Microsoft Teams Add-on for Splunk" to ingest call logs and meeting info from Microsoft Teams. I have run into an issue I was hoping someone could help me with.
[What I would like to do]
Ingesting call logs and meeting info from Microsoft Teams via "Microsoft Teams Add-on for Splunk".
[What I did]
I have followed the instructions and configured the "Subscription", "User Reports", "Call Reports" and "Webhook".
Instructions: https://www.splunk.com/en_us/blog/tips-and-tricks/splunking-microsoft-teams-data.html
[issue]
"User Reports" and "Webhooks" have worked, but "Subscription" and "Call reports" have not worked. As a result, Teams logs are not ingested. I have granted all of the required permissions in Teams/Azure based on the instructions.
[error logs]
I checked the internal logs and detected many error logs, but reading the errors did not reveal a clear cause.
Among the logged problems indicated were the following:
From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA_MS_Teams/bin/TA_MS_Teams_rh_settings.py persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#TA_MS_Teams#configs/conf-ta_ms_teams_settings, user=proxy.
message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA_MS_Teams/bin/teams_subscription.py" 400 Client Error: Bad Request for url: https://graph.microsoft.com/v1.0/subscriptions
message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA_MS_Teams/bin/teams_subscription.py" requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://graph.microsoft.com/v1.0/subscriptions
[environment]
Add-On Version: 1.1.3
Splunk Enterprise Version: 9.1.2
Add-On is installed on a Splunk Enterprise.
Is the error in the error log due to the call log and subscriptions not working properly? Or does the webhook URL have to be https to work properly?
If anyone knows the reason, let me know.
Any help would be greatly appreciated.
Thanks,
The "Bad request for url..." verbiage typically points to an invalid webhook address. Make sure the URL of the webhook is publicly accessible, is addressable with HTTPS, and doesn't contain any private certificates in the chain. This Lantern article (with a video walkthrough) may be helpful => https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_the_Microsoft_Teams_Add-o...
As an alternative, you can use Azure Functions to get the same call record data. This way, you don't have to have the webhook on your forwarder. Instead, all the plumbing happens in Azure and the data is pushed to Splunk via HEC. Here is a Lantern article on that => https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Teams_call_reco...
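A pre-flight check for the three webhook requirements named in the answer above (HTTPS, publicly reachable, no private certificates in the chain), as an added example that is not part of the original posts or the add-on's code. The function names and the `resolver` parameter are hypothetical, and `tls_check` assumes the machine it runs on trusts only public CAs.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def static_checks(url, resolver=socket.getaddrinfo):
    """Return a list of problems found without connecting to the webhook."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    host = parts.hostname
    if not host:
        return problems + ["no hostname in URL"]
    port = parts.port or 443
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        return problems + [f"hostname does not resolve: {exc}"]
    # An RFC 1918, loopback or link-local address cannot be reached
    # from outside the network, so a cloud service cannot call it.
    for addr in sorted({info[4][0].split("%")[0] for info in infos}):
        if not ipaddress.ip_address(addr).is_global:
            problems.append(f"{addr} is not a publicly routable address")
    return problems


def tls_check(url, timeout=10):
    """Handshake against the system trust store; None if OK, else the error.

    Assumption: the local trust store holds only public CAs. If an internal
    CA is installed locally, run this from a host outside the organisation.
    """
    parts = urlsplit(url)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((parts.hostname, parts.port or 443),
                                      timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=parts.hostname):
                return None
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return str(exc)
```

Run `static_checks` first, then `tls_check` on the same URL; a resolution to an internal address or a certificate verification error corresponds to the causes listed in the answer.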