I am facing this issue where for some reason audit logs are not being ingested into Splunk. The app lives on a Heavy Forwarder.
Both Sign-In and Audit logs are set and have the same credentials. I triple-checked their input configurations and all seems correct. Sign-in logs are now being ingested as expected, unlike the audit logs.
They are all configured with a 300-second interval and with the default range for old logs. The errors I see are:
"python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" HTTPError: 400 Client Error: Bad Request for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activit...
I was seeing some 429s, which I found out had to do with API throttling, but now that I have it set to 300 seconds I don't seem to be getting those anymore:
-0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py" HTTPError: 429 Client Error: for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
Have any of you experienced something similar with this app? I am super stuck and have no idea what is going on...
I would appreciate any help! 😉