Why did the O365 Message Trace Stop Working in version 1.1.0?

jcleary47
Path Finder

We received our last event for O365 Message Logs on: 4/25/19 8:38:59.951 AM

Initially, I thought it would be fixed by updating the password for the O365 account we use for the logs, as it had expired and we were getting ERRORs in the _internal logs due to the account being unauthorized.

Updating the password fixed that issue, but I'm still not getting any new data in. When I updated the password I also set the start date/time to 2019-04-25T08:38:59, which is right around when the input stopped working due to the expired password.

These are the input settings:
Interval: 300
Query Window Size: 300
Delay throttle: 5
Start date/time: 2019-04-25T08:38:59

This is what I'm seeing in _internal for ERROR messages:

04-30-2019 14:59:08.568 -0400 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunk_aoblib/rest_migration.py", line 38, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/handler.py", line 118, in wrapper\n raise RestError(exc.status, exc.message)\nRestError: REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\n

I'm also seeing a bunch along these lines, referring to ms_o365_message_trace.py:

04-30-2019 14:56:48.069 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\". See splunkd.log for more details."}]}

I just don't get it, because I also see some messages in _internal that make it seem like something is working:

2019-04-30 15:07:57,357 level=INFO pid=107482 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:_ingest_content_blob:169 | start_time=1556651138 datainput="Exchange" | message="Ingesting content success." count=24 size=38905 content_id="20190430150510990154775$20190430150514044043997$audit_exchange$Audit_Exchange$na0012"

0 Karma

muralikoppula
Communicator

@jcleary47 Check the Splunk internal SSL certificate expiration on the Enterprise server. If it is expired, the add-on doesn't collect any data from Office 365.

Use the command below:

$SPLUNK_HOME/bin/openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem

0 Karma
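A slightly fuller version of this check, added here as an example and not part of the thread or of the add-on: it wraps the same openssl call in a script that reports whether server.pem is already expired, expires within a warning window, or is fine, using openssl's -checkend option. It assumes openssl is on PATH, that SPLUNK_HOME defaults to /opt/splunk when not set, and the 30-day warning window is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not code from the thread: report the expiry state of the
# Splunk server certificate. Assumptions: openssl on PATH, SPLUNK_HOME defaults
# to /opt/splunk, 30-day warning window chosen here.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Print the notAfter date of the PEM certificate in $1 (same openssl call as the
# answer above, with the "notAfter=" prefix stripped).
cert_not_after() {
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Return 0 if the certificate in $1 remains valid for at least $2 more seconds,
# 1 if it has expired or will expire within that window (openssl -checkend).
cert_valid_for() {
    openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# check_splunk_cert [pem-path] [warning-window-seconds]
# Exit status: 0 = OK, 1 = expired or expiring soon, 2 = file unreadable.
check_splunk_cert() {
    pem="${1:-$SPLUNK_HOME/etc/auth/server.pem}"
    warn_secs="${2:-2592000}"   # 30 days, an arbitrary default
    if [ ! -r "$pem" ]; then
        echo "cannot read $pem" >&2
        return 2
    fi
    if cert_valid_for "$pem" "$warn_secs"; then
        echo "OK: $pem is valid until $(cert_not_after "$pem")"
        return 0
    elif cert_valid_for "$pem" 0; then
        echo "WARNING: $pem expires $(cert_not_after "$pem") (within $((warn_secs / 86400)) days)"
        return 1
    else
        echo "EXPIRED: $pem expired $(cert_not_after "$pem")"
        return 1
    fi
}

# Run the check only when this file is executed as check_splunk_cert.sh,
# so it can also be sourced for the functions alone.
case "$0" in
    *check_splunk_cert.sh) check_splunk_cert "$@" ;;
esac
```

Saved as check_splunk_cert.sh and run without arguments it checks $SPLUNK_HOME/etc/auth/server.pem; the non-zero exit status makes it usable from a monitoring job as well as interactively.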

jcleary47
Path Finder

The output of this command is:

notAfter=Oct 25 20:48:22 2021 GMT

The issue fixed itself from when I first posted this, but I'm getting Error 400 now. I have a separate thread for the issue. If you have any ideas, please post there.

Thanks

0 Karma