
Splunk Add-on for Microsoft Cloud Services (multiple issues)

Betelgeuse
Engager

For some background, I originally installed the Cloud Services add-on with an enterprise trial license. I got busy with some other things and the license expired. So I've fallen back to the FREE license since I'm doing testing on my desktop.

In the interim, I noticed the UI in the Add-On to configure things no longer shows anything. Previously I could go to Configuration and in the account tab, define something. I see the latter, but there's no longer any UI element to add an account.

So I started following this document:

http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureaccount

I've checked and rechecked my work and when I go to the TROUBLESHOOTING area, all I ever see is "No certificate configured yet."

The only grey area for me was on the second part where it says:

[certificate]
private_key =

I've broken my key across multiple lines like so (this isn't part of my actual key):

private_key = DMDISBGYUKZIEDIIZMEMEK\
DKSKDKJZUAINJDFFOIUOIEAKDKDK\
DLSLZKIHROPTUNZLOITOOOIDODP\

In other words, I'm spanning the private key across lines via "\". Not sure if I've inferred the setup documentation correctly.

Lastly, when I searched my _internal index ("index=_internal sourcetype=ms*"), I saw way too many Python errors associated with the Microsoft Cloud Services Add-On:

12:45:53.493 PM
2016-08-26 19:45:53,493 +0000 log_level=ERROR, pid=5476, tid=MainThread, file=config.py, func_name=log, code_line_no=50 | UCC Config Module: Fail to load endpoint "ucc_system_snapshot" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"\n In handler 'ta_o365_server_ucc_system_snapshot': External handler failed with code '1' and output: 'REST ERROR[403]: Unauthorized client for the requested action - capability=ta_o365_get_credential'. See splunkd.log for stderr output."}]}
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\ms_o365_ucc_server.py", line 13, in <module>
modular_input.main(schema_file_path)
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\splunktaucclib\ucc_server\ucc_server_modular_input.py", line 178, in main
exit_status = run(ucc_setting)
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\splunktaucclib\ucc_server\ucc_server_modular_input.py", line 132, in run
ucc_server_id = ucc_config_loader.get_ucc_server_id(create_if_empty=False)
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\splunktaucclib\ucc_server\ucc_server_config.py", line 52, in get_ucc_server_id
us_input = self.load_ucc_server_input()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\splunktaucclib\ucc_server\ucc_server_config.py", line 43, in load_ucc_server_input
self.ucc_server_input_cache = self.ucc_config.load()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\splunktaucclib\config.py", line 126, in load
log(msg, level=logging.ERROR, need_tb=True)
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\splunktaucclib\config.py", line 48, in log
stack = ''.join(traceback.format_stack())

2016-08-26 19:45:53,444 +0000 log_level=ERROR, pid=16944, tid=MainThread, file=config.py, func_name=log, code_line_no=50 | UCC Config Module: Fail to load endpoint "management_api_input_list" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"\n In handler 'ta_o365_server_management_api_inputs': External handler failed with code '1' and output: 'REST ERROR[403]: Unauthorized client for the requested action - capability=ta_o365_configuration'. See splunkd.log for stderr output."}]}
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\ms_o365_account_monitoring.py", line 286, in <module>
main()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\ms_o365_account_monitoring.py", line 278, in main
run()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\ms_o365_account_monitoring.py", line 144, in run
conf_handler = oh.ConfigFileHandler(meta_configs, params.server_schema)
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\o365_helper.py", line 417, in __init__
self._load_files()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\o365_helper.py", line 427, in _load_files
self._all_conf_content = self._conf.load()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\splunktaucclib\config.py", line 126, in load
log(msg, level=logging.ERROR, need_tb=True)
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin\splunk_ta_microsoft_cloudservices\splunktaucclib\config.py", line 48, in log
stack = ''.join(traceback.format_stack())

0 Karma

clogssplunk
Explorer

Hi there,
It definitely looks like this particular add-on requires a valid Splunk Enterprise license in order to work.

I had the app installed on a Free license and got similar errors “ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py setup': BaseException: REST ERROR[403]: Unauthorized client for the requested action - capability=ta_o365_system_configuration”
From what I can gather, the Add-On tries to make some REST calls that are not allowed on the free license. Just browsing to the REST endpoint came up with “not allowed” messages. I tried adding AllowRemoteLogin = always to server.conf, which seemed to clear some errors but not all.
I applied a trial Enterprise license and the app now works as it should.
I’m going to do some more digging to see if it’s possible to make the app work with the free license.
Mark

0 Karma
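Added example, not part of any post in this thread and not the add-on's own code: a small triage script that pulls the denied capability, endpoint and handler out of the 403 messages quoted in the posts above, so you can see at a glance which capabilities the calling user lacks. The sample lines are constructed (abridged from the two formats shown in the thread), and all function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input, abridged from the error formats quoted in the thread.
SAMPLE_LOG = r'''2016-08-26 19:45:53,493 +0000 log_level=ERROR, pid=5476, file=config.py | UCC Config Module: Fail to load endpoint "ucc_system_snapshot" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"\n In handler 'ta_o365_server_ucc_system_snapshot': External handler failed with code '1' and output: 'REST ERROR[403]: Unauthorized client for the requested action - capability=ta_o365_get_credential'. See splunkd.log for stderr output."}]}
2016-08-26 19:45:53,444 +0000 log_level=ERROR, pid=16944, file=config.py | UCC Config Module: Fail to load endpoint "management_api_input_list" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"\n In handler 'ta_o365_server_management_api_inputs': External handler failed with code '1' and output: 'REST ERROR[403]: Unauthorized client for the requested action - capability=ta_o365_configuration'. See splunkd.log for stderr output."}]}
ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/bin/runScript.py setup': BaseException: REST ERROR[403]: Unauthorized client for the requested action - capability=ta_o365_system_configuration
2016-08-26 19:45:54,001 +0000 log_level=INFO, pid=5476, file=config.py | constructed non-error line
'''

# The capability-denied message appears in both the UCC log lines and the
# ScriptRunner stderr line, so one pattern covers both formats.
DENIED = re.compile(
    r"REST ERROR\[(?P<status>\d{3})\]: Unauthorized client for the requested "
    r"action - capability=(?P<cap>\w+)"
)
ENDPOINT = re.compile(r'Fail to load endpoint "([^"]+)"')
HANDLER = re.compile(r"In handler '([^']+)'")


def denied_capabilities(text):
    """Map each denied capability to the (endpoint, handler) pairs that hit it.

    Lines that carry no endpoint or handler (the ScriptRunner form) get "-".
    """
    found = defaultdict(set)
    for line in text.splitlines():
        denied = DENIED.search(line)
        if not denied or denied.group("status") != "403":
            continue
        endpoint = ENDPOINT.search(line)
        handler = HANDLER.search(line)
        found[denied.group("cap")].add((
            endpoint.group(1) if endpoint else "-",
            handler.group(1) if handler else "-",
        ))
    return {cap: sorted(pairs) for cap, pairs in found.items()}


if __name__ == "__main__":
    for cap, pairs in sorted(denied_capabilities(SAMPLE_LOG).items()):
        for endpoint, handler in pairs:
            print(f"{cap}: endpoint={endpoint} handler={handler}")
```
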

johnmarsnz
New Member

Hi, did you manage to get past the 403 error? Seeing the same thing here when trying to add the account in the app setup. Thanks, John

"Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"\n In handler 'ta_o365_server_ucc_system_snapshot': External handler failed with code '1' and output: 'REST ERROR[403]: Unauthorized client for the requested action - capability=ta_o365_get_credential'. See splunkd.log for stderr output."}]}"

0 Karma

Bloodnite
Path Finder

I had our O365 admin use his Admin acct to auth in an incognito window after hitting add. It then has the admin prompt for the access the API/app needs, hit ok... splunk app then adds fine.

0 Karma