Why did the O365 Message Trace stop working in version 1.1.0?

jcleary47
Path Finder

We received our last event for O365 Message Logs on: 4/25/19 8:38:59.951 AM

Initially, I thought it would be fixed by updating the password for the O365 account we use for the logs, as it had expired and we were getting ERRORs in the _internal logs due to the account being unauthorized.

Updating the password fixed that issue, but now I'm still not getting any new data in. When I updated the password, I also updated the start date/time to 2019-04-25T08:38:59, which is right around when the input stopped working due to the expired password.

These are the input settings:
Interval: 300
Query Window Size: 300
Delay throttle: 5
Start date/time: 2019-04-25T08:38:59

This is what I'm seeing in _internal for ERROR messages:

04-30-2019 14:59:08.568 -0400 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunk_aoblib/rest_migration.py", line 38, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/handler.py", line 118, in wrapper\n raise RestError(exc.status, exc.message)\nRestError: REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\n

Also seeing a bunch along these lines, referring to ms_o365_message_trace.py

04-30-2019 14:56:48.069 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\". See splunkd.log for more details."}]}

I just don't get it, because I also see some messages in _internal that make it seem like something is working:

2019-04-30 15:07:57,357 level=INFO pid=107482 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:_ingest_content_blob:169 | start_time=1556651138 datainput="Exchange" | message="Ingesting content success." count=24 size=38905 content_id="20190430150510990154775$20190430150514044043997$audit_exchange$Audit_Exchange$na0012"

0 Karma
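
One way to sort out which add-on each of the _internal lines in the question comes from, as an added example (not part of the original post or of either add-on's code): it groups lines by the app directory or logger package they name and extracts the REST error text. The sample lines are shortened copies of the ones quoted above; treating the `logger=` prefix as the add-on name is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the three _internal lines quoted in the post, shortened.
SAMPLE = r'''
04-30-2019 14:59:08.568 -0400 ERROR AdminManagerExternal - Stack trace from python handler:\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/handler.py", line 118, in wrapper\n raise RestError(exc.status, exc.message)\nRestError: REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\n
04-30-2019 14:56:48.069 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\". See splunkd.log for more details."}]}
2019-04-30 15:07:57,357 level=INFO pid=107482 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:_ingest_content_blob:169 | start_time=1556651138 datainput="Exchange" | message="Ingesting content success." count=24 size=38905
'''.strip().splitlines()

LEVEL = re.compile(r'\b(ERROR|WARN|INFO)\b')
APP_PATH = re.compile(r'/etc/apps/([^/]+)/')   # app directory named in a path
LOGGER = re.compile(r'\blogger=(\w+)\.')       # assumption: top-level package = add-on
REST_ERROR = re.compile(
    r'REST Error \[(\d+)\]: [^-]+ -- HTTP \d+ [^-]+ -- ([^\\]+)')


def triage(lines):
    """Group log lines by add-on; count levels and collect REST errors."""
    summary = defaultdict(lambda: {"levels": Counter(), "rest_errors": set()})
    for line in lines:
        level = LEVEL.search(line)
        app = APP_PATH.search(line) or LOGGER.search(line)
        if not level or not app:
            continue  # line names no add-on; nothing to attribute it to
        entry = summary[app.group(1)]
        entry["levels"][level.group(1)] += 1
        for status, message in REST_ERROR.findall(line):
            entry["rest_errors"].add((int(status), message.strip()))
    return dict(summary)


if __name__ == "__main__":
    for addon, info in triage(SAMPLE).items():
        print(addon, dict(info["levels"]))
        for status, message in sorted(info["rest_errors"]):
            print(f"  REST {status}: {message}")
```

On the sample, both ERROR lines name TA-MS_O365_Reporting, while the "Ingesting content success" line is logged by the `splunk_ta_o365` package.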

muralikoppula
Communicator

@jcleary47 Check the Splunk internal SSL certificate expiration on the enterprise server. If it is expired, the add-on does not collect any data from Office 365.

Use the below command:

$SPLUNK_HOME/bin/openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem

0 Karma

jcleary47
Path Finder

The output of this command is:

notAfter=Oct 25 20:48:22 2021 GMT

The issue fixed itself from when I first posted this, but I'm getting Error 400 now. I have a separate thread for the issue. If you have any ideas please post there.

Thanks

0 Karma