In a Splunk prem environment, which ports do we need to open in the firewall to allow the SharePoint logs to be collected by an internal Heavy Forwarder?
I'm assuming you're using the O365 Management API, which will be using HTTPS. Though I recommend that you use a proxy instead.
Thank you so much for your response. Yes, we are using the O365 Management API through the Splunk Add-On for Microsoft Cloud Services. We followed all the configuration steps. We currently have no errors in the Add-on's o365 Troubleshooting tab, and Auditing is enabled in the SharePoint management console. We are not receiving any traffic from SharePoint. Any suggestions? Any steps that we might be missing?
Are you getting any error messages in your log files for the add-on? Have a look in your splunk_ta_microsoft-cloudservices_account_monitoring and splunk_ta_microsoft-cloudservices_management logs.
Where in the folders would the logs be? This is what we have so far:
alert_logevent
appsbrowser
gettingstarted
launcher
legacy
search
SplunkForwarder
splunk_instrumentation
splunk_monitoring_console
user-prefs
alert_webhook
framework
introspection_generator_addon
learned
sample_app
splunk_archiver
splunk_httpinput
SplunkLightForwarder
Splunk_TA_microsoft-cloudservices
You can use Splunk to search the logs that Splunk logs about itself. This search should help with the Microsoft Cloud Services Add-on:
index=_internal source=*microsoft-cloud* error
2018-03-27 18:25:27,745 +0000 log_level=INFO, pid=2014, tid=MainThread, file=o365_refresh_token.py, func_name=set_up_env, code_line_no=120 | No account is available for refreshing
host = ABCDEF01 source = /opt/splunk/var/log/splunk/splunk_ta_microsoft-cloudservices_account_monitoring.log sourcetype = ms:o365:jobinsight:account
Continuous events:
3/27/18
2:25:59.090 PM
2018-03-27 18:25:59,090 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=200 | End Microsoft Cloudservices Azure Audit task
host = ABCDEF01 source = /opt/splunk/var/log/splunk/splunk_ta_microsoft-cloudservices_azure_audit.log sourcetype = mscs:azure:audit:log
3/27/18
2:25:59.089 PM
2018-03-27 18:25:59,089 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_config.py, func_name=_generate_task_configs, code_line_no=89 | Totally generated 0 task configs
host = ABCDEF01 source = /opt/splunk/var/log/splunk/splunk_ta_microsoft-cloudservices_azure_audit.log sourcetype = mscs:azure:audit:log
When I look at the inputs (Settings > Data inputs) they show none for the app. When I try to add one it shows this error:
Encountered the following error while trying to save: Splunkd daemon is not responding: ("Error connecting to /servicesNS/admin/Splunk_TA_microsoft-cloudservices/data/inputs/ms_o365_management: ('The read operation timed out',)",)
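As an added illustration (not code from this thread or from the add-on itself), here is a small Python parser for the add-on's log-line format quoted above; it splits the key=value fields from the message and flags the two messages in this post that point to a configuration gap rather than a firewall issue. The hints attached to those messages are my reading of the thread, not Splunk documentation.

```python
import re

# Log lines copied from the thread above (a constructed sample, not a live log file).
SAMPLE_LOG = """\
2018-03-27 18:25:27,745 +0000 log_level=INFO, pid=2014, tid=MainThread, file=o365_refresh_token.py, func_name=set_up_env, code_line_no=120 | No account is available for refreshing
2018-03-27 18:25:59,090 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=200 | End Microsoft Cloudservices Azure Audit task
2018-03-27 18:25:59,089 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_config.py, func_name=_generate_task_configs, code_line_no=89 | Totally generated 0 task configs
"""

# Layout as the add-on writes it: "<date> <time> <tz> key=value, key=value, ... | <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [+-]\d{4}) (?P<fields>.*?) \| (?P<msg>.*)$")

# "Totally generated N task configs": N is the number of enabled inputs the modular input found.
TASKS_RE = re.compile(r"Totally generated (\d+) task configs")


def parse_line(line):
    """Return a dict with 'ts', 'msg' and every key=value field, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": m.group("ts"), "msg": m.group("msg")}
    for kv in m.group("fields").split(", "):
        key, _, value = kv.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def triage(text):
    """Scan add-on log text and return (file, hint) pairs for messages that explain missing data."""
    hints = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not an add-on log line (e.g. Splunk UI decoration such as host=...)
        if rec["msg"].startswith("No account is available"):
            hints.append((rec["file"], "no O365 account is configured in the add-on, so no token can be refreshed"))
        m = TASKS_RE.search(rec["msg"])
        if m and int(m.group(1)) == 0:
            hints.append((rec["file"], "0 task configs generated: no enabled input exists for this collector"))
    return hints
```

Run `triage(SAMPLE_LOG)` against the lines from this post and both configuration gaps are reported; the matching search on the Heavy Forwarder is the `index=_internal source=*microsoft-cloud*` query given earlier in the thread.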
Also, run an audit log search from protection.office.com to make sure there is data there for Splunk to collect.