
Which firewall ports are required for the Splunk Add-on for Microsoft Cloud Services?

Engager

In a Splunk prem environment, which ports do we need to open in the firewall to allow the SharePoint logs to be collected by an internal Heavy Forwarder?


Explorer

I'm assuming you're using the O365 Management API, which will be using HTTPS. Though I recommend that you use a proxy instead.


Engager

Thank you so much for your response. Yes, we are using the O365 Management API through the Splunk Add-on for Microsoft Cloud Services. We followed all the configuration steps. Currently we have no errors in the Add-on's o365 Troubleshooting tab, and Auditing is enabled in the SharePoint management console. We are not receiving any traffic from SharePoint. Any suggestions? Any steps that we might be missing?


Explorer

Are you getting any error messages in your log files for the add-on? Have a look in your splunk_ta_microsoft-cloudservices_account_monitoring and splunk_ta_microsoft-cloudservices_management logs.


Engager

Where in the folders would the logs be? This is what we have so far:

alert_logevent
alert_webhook
appsbrowser
framework
gettingstarted
introspection_generator_addon
launcher
learned
legacy
sample_app
search
splunk_archiver
SplunkForwarder
splunk_httpinput
splunk_instrumentation
SplunkLightForwarder
splunk_monitoring_console
Splunk_TA_microsoft-cloudservices
user-prefs


Splunk Employee

You can use Splunk to search the logs that Splunk logs about itself. This search should help with the Microsoft Cloud Services Add-on:

index=_internal source=*microsoft-cloud* error

Engager

2018-03-27 18:25:27,745 +0000 log_level=INFO, pid=2014, tid=MainThread, file=o365_refresh_token.py, func_name=set_up_env, code_line_no=120 | No account is available for refreshing
host = ABCDEF01 source = /opt/splunk/var/log/splunk/splunk_ta_microsoft-cloudservices_account_monitoring.log sourcetype = ms:o365:jobinsight:account

Continuous events:

3/27/18 2:25:59.090 PM
2018-03-27 18:25:59,090 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=200 | End Microsoft Cloudservices Azure Audit task
host = ABCDEF01 source = /opt/splunk/var/log/splunk/splunk_ta_microsoft-cloudservices_azure_audit.log sourcetype = mscs:azure:audit:log

3/27/18 2:25:59.089 PM
2018-03-27 18:25:59,089 +0000 log_level=INFO, pid=5259, tid=MainThread, file=ta_config.py, func_name=_generate_task_configs, code_line_no=89 | Totally generated 0 task configs
host = ABCDEF01 source = /opt/splunk/var/log/splunk/splunk_ta_microsoft-cloudservices_azure_audit.log sourcetype = mscs:azure:audit:log

When I look at the inputs (Settings / Data inputs) they show none for the app. When I try to add one, it shows this error:

Encountered the following error while trying to save: Splunkd daemon is not responding: ("Error connecting to /servicesNS/admin/Splunk_TA_microsoft-cloudservices/data/inputs/ms_o365_management: ('The read operation timed out',)",)
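The add-on log lines quoted above all carry log_level=INFO, so a search for `error` alone will not surface them even though "No account is available for refreshing" and "Totally generated 0 task configs" explain the missing SharePoint data. The following parser, an added example and not part of this thread or of the add-on, splits lines in that log format and flags both real errors and these INFO-level "nothing configured" messages; the mapping of message to likely cause is my own reading of the thread, and the ERROR line in the sample is constructed.

```python
import re
from typing import Optional

# Format of the splunk_ta_microsoft-cloudservices_*.log lines quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4}) "
    r"log_level=(?P<level>\w+), pid=(?P<pid>\d+), tid=(?P<tid>\w+), "
    r"file=(?P<file>[\w.-]+), func_name=(?P<func>\w+), code_line_no=(?P<line>\d+) \| "
    r"(?P<msg>.*)$"
)

# INFO-level messages that still mean "no data will be collected".
# Interpretation is an assumption based on the thread, not add-on documentation.
SILENT_FAILURE_HINTS = {
    "No account is available for refreshing": "no O365 account configured for token refresh",
    "Totally generated 0 task configs": "no enabled inputs for this modular input",
}

# Sample input: three lines from the thread plus one constructed ERROR line.
SAMPLE_LINES = [
    "2018-03-27 18:25:27,745 +0000 log_level=INFO, pid=2014, tid=MainThread, "
    "file=o365_refresh_token.py, func_name=set_up_env, code_line_no=120 | "
    "No account is available for refreshing",
    "2018-03-27 18:25:59,090 +0000 log_level=INFO, pid=5259, tid=MainThread, "
    "file=ta_mod_input.py, func_name=main, code_line_no=200 | End Microsoft Cloudservices Azure Audit task",
    "2018-03-27 18:25:59,089 +0000 log_level=INFO, pid=5259, tid=MainThread, "
    "file=ta_config.py, func_name=_generate_task_configs, code_line_no=89 | Totally generated 0 task configs",
    "2018-03-27 18:26:00,000 +0000 log_level=ERROR, pid=5259, tid=MainThread, "
    "file=o365_refresh_token.py, func_name=refresh, code_line_no=1 | constructed sample error",
]

def parse_line(line: str) -> Optional[dict]:
    """Split one add-on log line into its fields; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines) -> list:
    """Return (severity, source file, reason) for every line a troubleshooter should look at."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["level"] in ("ERROR", "CRITICAL"):
            findings.append(("error", rec["file"], rec["msg"]))
            continue
        for needle, reason in SILENT_FAILURE_HINTS.items():
            if needle in rec["msg"]:
                findings.append(("warning", rec["file"], reason))
    return findings

if __name__ == "__main__":
    for severity, src, reason in triage(SAMPLE_LINES):
        print(f"{severity:8} {src:24} {reason}")
```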

Splunk Employee

Also, run an audit log search from protection.office.com to make sure there is data there for Splunk to collect.
