All Apps and Add-ons

Microsoft Azure Active Directory Add-on for Splunk not ingesting audit logs, only Sign-Ins and Users.

ylucena
Explorer

Hello everyone,

I am facing this issue where for some reason audit logs are not being ingested into Splunk. The app lives on a Heavy Forwarder.

Both Sign-In and Audit logs are set and have the same credentials. I triple-checked their input configurations and all seems correct. Sign-in logs are now being ingested as expected, unlike the audit logs.

They are all configured with a 300 second interval and with the default range for old logs. The errors I see are:

"python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" HTTPError: 400 Client Error: Bad Request for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activit...

I was seeing some 429, which I found out had to do with API throttling but now that I have it set to 300 seconds I don't seem to be getting those anymore:

-0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py" HTTPError: 429 Client Error: for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...

Have any of you experienced something similar with this app? I am super stuck and have no idea what is going on...

I would appreciate any help! 😉

Thanks,
Yan

0 Karma

subbarayudu
New Member

Configure signinsand Audit logs on different HWF's.

Thanks,
Subbu

0 Karma

ylucena
Explorer

Hey, thanks for the answer! However, I don't believe that should be the solution. Any HF should work the same, moreover, I don't have another one. Any other ideas?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...