I'm playing around with the Splunk App for Microsoft Exchange app and it appears to only work on an internal network from what I've read. I've scoured this site and the web to see if there is a way to either put a forwarder within Office 365 or do a remote event log connection. No luck finding a solution so far. Any feedback would be greatly appreciated. Thanks!
Update: The Office 365 Exchange administration GUI is locked down to the extent that you can't get to a command line to install a forwarder. I opened a ticket with MS so we'll see. The remote event log option may be the only one but I get the following error when I click on "find logs". Still working it. Failed to fetch data: In handler 'win-wmi-enum-eventlogs': Unable to get wmi classes from host 'mydomain.onmicrosoft.com'. This host may not be reachable or WMI may be misconfigured.
Downloaded this app and have it running on a Windows machine. Is anyone else getting this error at runtime:
Cannot print exception string because Exception.ToString() failed.
After getting this error, the app stops working, and I'm not able to see the data input option for O365.
Thanks in advance.
Just another question as to whether or not you ever got this working in Linux - preferably RHEL?
We are working on the same problem - trying to import data from Office 365 into Splunk, but our entire Splunk infrastructure is running on Linux.
Definitely excited about this app. Installed it from the .tgz file on a 6.0.3 test server. I got these messages:
01-05-2015 08:17:06.648 -0500 ERROR ModularInputs - No script to handle scheme "o365ToSplunkDataImport" was found. This modular input will be disabled.
01-05-2015 08:17:06.648 -0500 ERROR ModularInputs - Unable to initialize modular input "o365ToSplunkDataImport" defined inside the app "o365ToSplunkDataImport": Unable to locate suitable script for introspection.
I don't see the Office 365 input in the local list.
I tried to get the OneDrive for Business Activity report and I got this error:
Encountered the following error while trying to save: In handler 'o365ToSplunkDataImport': An error occured while validating your crendentials against report: SPOOneDriveForBusinessFileActivity
(spelling errors are as is from the app)
That account can get the other reports that I've tried. And it is a portal admin, if that's the correct terminology.
What could be wrong?
Say - I've got this working and it's pretty slick. However, the Windows Splunk server is not an indexer, so I'm forwarding the data to my real indexers. I'd like to choose a different index besides "default", "main", "summary" or "history". I looked at the XML file for the panel and I wonder if I can make my own drop-down list.
Also, I would like to get activity logs from SharePoint in the cloud. That doesn't look like an available report.
We have a powershell script executing that dumps records from the O365 messageTrace table into a local SQL DB. From there, we use DBConnect to index the records.
I didn't write the script so I don't know what is really going on there. There is a lot of data coming. We tried adding other data feeds, but are overrunning the capability of part of the infrastructure.
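For anyone following the approach in the post above (message trace records dumped into a local SQL database, then indexed with DB Connect), here is an added example of what such a script typically does. It is not the poster's script and not code from Splunk or Microsoft. It assumes the ExchangeOnlineManagement module is installed, the account is permitted to run Get-MessageTrace, and a local SQL Server instance is reachable; the database, table and column names are made up for the example, and the (MessageTraceId, RecipientAddress) pair being unique per trace row is an assumption used for de-duplication.

```powershell
# Added example (not the poster's script): pull Exchange Online message trace
# records into a local SQL Server table that DB Connect can read incrementally.
# Assumptions: ExchangeOnlineManagement module installed, account allowed to run
# Get-MessageTrace, SQL login can create/write the table. Names are hypothetical.
param(
    [string]$SqlConnectionString = "Server=localhost;Database=O365Trace;Integrated Security=True",
    [string]$AdminUpn   = "admin@mydomain.onmicrosoft.com",   # placeholder account
    [int]$LookbackHours = 2,      # overlap previous run; duplicates are filtered below
    [int]$PageSize      = 5000    # maximum page size accepted by Get-MessageTrace
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-$LookbackHours)

$conn = New-Object System.Data.SqlClient.SqlConnection $SqlConnectionString
$conn.Open()

# Create the table once. RowId is the monotonically increasing "rising column"
# a DB Connect input can key on so each poll only fetches rows it has not seen.
$ddl = @"
IF OBJECT_ID('dbo.MessageTrace') IS NULL
CREATE TABLE dbo.MessageTrace (
    RowId            BIGINT IDENTITY(1,1) PRIMARY KEY,
    MessageTraceId   UNIQUEIDENTIFIER NOT NULL,
    RecipientAddress NVARCHAR(320)    NOT NULL,
    Received         DATETIME2        NOT NULL,
    SenderAddress    NVARCHAR(320),
    Subject          NVARCHAR(1000),
    Status           NVARCHAR(50),
    FromIP           NVARCHAR(45),
    ToIP             NVARCHAR(45),
    Size             INT,
    CONSTRAINT UQ_MessageTrace UNIQUE (MessageTraceId, RecipientAddress)
)
"@
$cmd = $conn.CreateCommand(); $cmd.CommandText = $ddl; [void]$cmd.ExecuteNonQuery()

# Parameterised insert (no string concatenation of subjects/addresses into SQL).
# The NOT EXISTS guard makes overlapping runs idempotent.
$insert = $conn.CreateCommand()
$insert.CommandText = @"
INSERT INTO dbo.MessageTrace
    (MessageTraceId, RecipientAddress, Received, SenderAddress, Subject, Status, FromIP, ToIP, Size)
SELECT @tid, @rcpt, @recv, @sender, @subj, @status, @fromip, @toip, @size
WHERE NOT EXISTS (SELECT 1 FROM dbo.MessageTrace
                  WHERE MessageTraceId = @tid AND RecipientAddress = @rcpt)
"@
$types = @{ tid='UniqueIdentifier'; rcpt='NVarChar'; recv='DateTime2'; sender='NVarChar';
            subj='NVarChar'; status='NVarChar'; fromip='NVarChar'; toip='NVarChar'; size='Int' }
foreach ($p in $types.Keys) {
    [void]$insert.Parameters.Add("@$p", [System.Data.SqlDbType]$types[$p])
}
function ToDb($v) { if ($null -eq $v) { [DBNull]::Value } else { $v } }   # NULL-safe bind

# Page through the trace; message trace data is only kept for a limited window,
# so this must run on a schedule rather than as a one-off backfill.
$page = 1; $inserted = 0
do {
    $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize $PageSize -Page $page)
    foreach ($m in $batch) {
        $insert.Parameters['@tid'].Value    = $m.MessageTraceId
        $insert.Parameters['@rcpt'].Value   = ToDb $m.RecipientAddress
        $insert.Parameters['@recv'].Value   = $m.Received
        $insert.Parameters['@sender'].Value = ToDb $m.SenderAddress
        $insert.Parameters['@subj'].Value   = ToDb $m.Subject
        $insert.Parameters['@status'].Value = ToDb $m.Status
        $insert.Parameters['@fromip'].Value = ToDb $m.FromIP
        $insert.Parameters['@toip'].Value   = ToDb $m.ToIP
        $insert.Parameters['@size'].Value   = ToDb $m.Size
        $inserted += $insert.ExecuteNonQuery()   # 0 when the row already existed
    }
    $page++
} while ($batch.Count -eq $PageSize)

$conn.Close()
Disconnect-ExchangeOnline -Confirm:$false
Write-Host "Window $start .. $end : $inserted new trace rows stored"
```

Run it from a scheduled task at an interval shorter than the lookback window, so consecutive runs overlap and a missed run does not leave a gap; the unique constraint and NOT EXISTS guard absorb the overlap. On the Splunk side, configure the DB Connect input as a rising-column input on RowId rather than a full-table dump, which is what keeps the volume reaching the indexers bounded to genuinely new rows (the "overrunning the infrastructure" problem in the post above usually comes from re-reading the whole table on every poll).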