
Which firewall ports are required for the Splunk Add-on for Microsoft Cloud Services?

AbelCruz
Path Finder

In a Splunk prem environment, which ports do we need to open in the firewall to allow the SharePoint logs to be collected by an internal Heavy Forwarder?

0 Karma

jp_elizabeth
Explorer

I'm assuming you're using the O365 Management API, which will be using HTTPS. Though I recommend that you use a proxy instead.

0 Karma

AbelCruz
Path Finder

Thank you so much for your response. Yes, we are using the O365 Management API through the Splunk Add-On for Microsoft Cloud Services. We followed all the configuration steps. We currently have no errors in the Add-on's O365 Troubleshooting tab, and Auditing is enabled in the SharePoint management console. We are not receiving any traffic from SharePoint. Any suggestions? Any steps that we might be missing?

0 Karma

jp_elizabeth
Explorer

Are you getting any error messages in your log files for the add-on? Have a look in your splunk_ta_microsoft-cloudservices_account_monitoring and splunk_ta_microsoft-cloudservices_management logs.

0 Karma

AbelCruz
Path Finder

Where in the folders would the logs be? This is what we have so far:

alert_logevent
appsbrowser
gettingstarted
launcher
legacy
search
SplunkForwarder
splunk_instrumentation
splunk_monitoring_console
user-prefs
alert_webhook
framework
introspection_generator_addon
learned
sample_app
splunk_archiver
splunk_httpinput
SplunkLightForwarder
Splunk_TA_microsoft-cloudservices

0 Karma

jconger
Splunk Employee

You can use Splunk to search the logs that Splunk logs about itself. This search should help with the Microsoft Cloud Services Add-on:

index=_internal source=*microsoft-cloud* error

0 Karma

AbelCruz
Path Finder

2018-03-27 18:25:27,745 +0000 log_level=INFO, pid=2014, tid=MainThread, file=o365_refresh_token.py, func_name=set_up_env, code_line_no=120 | No account is available for refreshing
host = ABCDEF01 source = /opt/splunk/var/log/splunk/splunk_ta_microsoft-cloudservices_account_monitoring.log sourcetype = ms:o365:jobinsight:account

Continuous events:

2018-03-27 18:25:59,090 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=200 | End Microsoft Cloudservices Azure Audit task
host = ABCDEF01 source = /opt/splunk/var/log/splunk/splunk_ta_microsoft-cloudservices_azure_audit.log sourcetype = mscs:azure:audit:log

2018-03-27 18:25:59,089 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_config.py, func_name=_generate_task_configs, code_line_no=89 | Totally generated 0 task configs
host = ABCDEF01 source = /opt/splunk/var/log/splunk/splunk_ta_microsoft-cloudservices_azure_audit.log sourcetype = mscs:azure:audit:log

When I look at the inputs (Settings / Data inputs), they show none for the app. When I try to add one, it shows this error:

Encountered the following error while trying to save: Splunkd daemon is not responding: ("Error connecting to /servicesNS/admin/Splunk_TA_microsoft-cloudservices/data/inputs/ms_o365_management: ('The read operation timed out',)",)

0 Karma
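As an added example (not from this thread, and not code from the add-on itself), a small Python parser for the add-on log line layout pasted above. It flags the lines worth acting on: anything at ERROR level, plus the two INFO messages quoted in the thread that quietly mean no data will be collected. The sample lines are the ones quoted in the thread; the short explanations attached to them are this example's own reading of them.

```python
import re
from collections import namedtuple

# Layout of the add-on log lines quoted in this thread:
# "<date> <time>,<ms> <tz> log_level=X, pid=N, tid=T, file=F, func_name=G, code_line_no=N | <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) [+-]\d{4} "
    r"log_level=(?P<level>\w+), pid=\d+, tid=\w+, "
    r"file=(?P<file>[\w.]+), func_name=(?P<func>\w+), code_line_no=\d+ \| (?P<msg>.*)$"
)
Event = namedtuple("Event", "ts level file func msg")

def parse_line(line: str):
    """Parse one add-on log line into an Event; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return Event(m["ts"], m["level"], m["file"], m["func"], m["msg"]) if m else None

# INFO-level messages from the thread that nevertheless mean nothing is being collected.
# The message strings are from the thread; the one-line explanations are this example's own reading.
SILENT_FAILURES = {
    "No account is available for refreshing": "no O365 account is configured for the input",
    "Totally generated 0 task configs": "no enabled input produced a collection task",
}

def triage(lines):
    """Return (reason, event) for every ERROR line and every known silent-failure message."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an add-on log line (e.g. a Splunk UI timestamp pasted along with it)
        if ev.level == "ERROR":
            findings.append(("error logged by the add-on", ev))
            continue
        for needle, reason in SILENT_FAILURES.items():
            if needle in ev.msg:
                findings.append((reason, ev))
    return findings

# Constructed sample: the two INFO lines from the thread plus the benign task-end line.
SAMPLE = [
    "2018-03-27 18:25:27,745 +0000 log_level=INFO, pid=2014, tid=MainThread, file=o365_refresh_token.py, func_name=set_up_env, code_line_no=120 | No account is available for refreshing",
    "2018-03-27 18:25:59,090 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=200 | End Microsoft Cloudservices Azure Audit task",
    "2018-03-27 18:25:59,089 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_config.py, func_name=_generate_task_configs, code_line_no=89 | Totally generated 0 task configs",
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE):
        print(f"{ev.ts} {ev.file}:{ev.func} -> {reason}")
```

Feed it the output of the `index=_internal source=*microsoft-cloud*` search (or the raw log files under `/opt/splunk/var/log/splunk/`) to separate the benign task start/end chatter from the lines that explain why an input collects nothing.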

jconger
Splunk Employee

Also, run an audit log search from protection.office.com to make sure there is data there for Splunk to collect.

0 Karma