
Microsoft Azure Active Directory Add-on for Splunk not ingesting audit logs, only Sign-Ins and Users.

Explorer

Hello everyone,

I am facing this issue where for some reason audit logs are not being ingested into Splunk. The app lives on a Heavy Forwarder.

Both Sign-In and Audit logs are set and have the same credentials. I triple-checked their input configurations and all seems correct. Sign-in logs are now being ingested as expected, unlike the audit logs.

They are all configured with a 300 second interval and with the default range for old logs. The errors I see are:

"python /opt/splunk/etc/apps/TA-MS-AAD/bin/MSAADaudit.py" HTTPError: 400 Client Error: Bad Request for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activit...

I was seeing some 429, which I found out had to do with API throttling but now that I have it set to 300 seconds I don't seem to be getting those anymore:

-0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MSAADsignins.py" HTTPError: 429 Client Error: for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...

Have any of you experienced something similar with this app? I am super stuck and have no idea what is going on...

I would appreciate any help! 😉

Thanks,
Yan

0 Karma
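One way to see what Graph is actually rejecting is to issue the same query outside the add-on and read the JSON error body behind the 400. The script below is an added example, not code from the TA-MS-AAD add-on or from this thread; it assumes you supply a valid Graph access token and uses only the Python standard library. It builds the directoryAudits query the way the error line shows it (time-ordered, filtered on activityDateTime with an ISO 8601 UTC timestamp), surfaces the Graph error code and message on a 400, and waits for Retry-After on a 429 instead of re-polling.

```python
"""Reproduce the add-on's Graph audit-log query outside Splunk to read the real error."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_BETA = "https://graph.microsoft.com/beta"


def build_audit_url(since, resource="auditLogs/directoryAudits", time_field="activityDateTime"):
    """Build the query from the error line: ordered by time, filtered to records newer
    than `since`. Graph wants an ISO 8601 UTC timestamp ending in 'Z'."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {"$orderby": time_field, "$filter": f"{time_field} ge {stamp}"}
    return f"{GRAPH_BETA}/{resource}?{urllib.parse.urlencode(params, safe='$:')}"


def graph_error_message(body: bytes) -> str:
    """Pull code and message out of the JSON error document a 400 response carries."""
    err = json.loads(body.decode("utf-8")).get("error", {})
    return f"{err.get('code', '?')}: {err.get('message', '?')}"


def fetch(url: str, token: str, max_retries: int = 5) -> dict:
    """GET with a bearer token; on 429 wait for Retry-After instead of re-polling."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    for _ in range(max_retries):
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            if exc.code == 429:
                time.sleep(int(exc.headers.get("Retry-After", "30")))
                continue
            raise RuntimeError(f"HTTP {exc.code}: {graph_error_message(exc.read())}") from exc
    raise RuntimeError("still throttled after retries")


if __name__ == "__main__":
    # Placeholder token (assumption): obtain a real one for your tenant's app registration.
    TOKEN = "REPLACE_WITH_GRAPH_ACCESS_TOKEN"
    url = build_audit_url(datetime.now(timezone.utc) - timedelta(hours=1))
    print(url)
    print(json.dumps(fetch(url, TOKEN), indent=2)[:2000])
```

Run it with the same app registration the add-on uses; the message in the raised error is what Graph considers wrong with the request, which the add-on's log line truncates.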

Re: Microsoft Azure Active Directory Add-on for Splunk not ingesting audit logs, only Sign-Ins and Users.

New Member

Configure Sign-ins and Audit logs on different HWFs.

Thanks,
Subbu

0 Karma

Re: Microsoft Azure Active Directory Add-on for Splunk not ingesting audit logs, only Sign-Ins and Users.

Explorer

Hey, thanks for the answer! However, I don't believe that should be the solution. Any HF should work the same; moreover, I don't have another one. Any other ideas?

0 Karma