Getting Data In

TA-MS-AAD Signin logs missing - help!

KendallW
Contributor

Hey gang, 

I'm using the Splunk Add on for Microsoft Azure to ingest AAD signin logs to Splunk under the azure:aad:signin sourcetype, however there seems to be a gap between the number of events visible in EntraID versus what is visible from Splunk. There are always slightly more events in EntraID. The gap seems to worsen the higher the volume of events becomes. See this table:

Time         Splunk    Entra ID   Difference
1st hour       3265        3305           40
2nd hour       3085        4804         1719
3rd hour       3264        6309         3045
4th hour       2274        3841         1567
5th hour       1659        2632          973
6th hour       2168        3442         1274
7th hour       6236        8923         2687
8th hour      22716       35901        13185
9th hour      63186      101602        38416
10th hour     88607      145503        56896
11th hour     68407      140095        71688
12th hour     76866      124423        47557
13th hour     68717      122355        53638
14th hour     81310      144880        63570
15th hour     50849      140876        90027
16th hour     42972      124040        81068
17th hour     33693       91792        58099
18th hour     13683       50408        36725
19th hour     13973       38695        24722
20th hour     12182       29645        17463
21st hour      9734       24187        14453
22nd hour      8037       16935         8898
23rd hour      5869       11994         6125
24th hour      5631        8837         3206
Total        688383     1385424       697041
Percentage difference                 50.31%


- This gap appears even when searching historical logs i.e. time slots over the last two weeks.
- The retention period of the index is 90 days, so the events should not have expired yet.
- There are no line breaking, event breaking, aggregation, timestamp, or other parsing errors for the sourcetype.
- The gap is still present when searching over all time.
- The internal logs from the Splunk Add on for Microsoft Azure only show the following two error messages which don't seem relevant, and only appeared a few times over the last month or so:
"File "/opt/splunk/etc/apps/TA-MS-AAD/lib/splunklib/binding.py", line 1337, in request
raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 503 Service Unavailable -- KV Store is in maintenance mode."
"File "/opt/splunk/etc/apps/TA-MS-AAD/lib/splunklib/modularinput/event.py", line 111, in write_to
stream.flush()
BrokenPipeError: [Errno 32] Broken pipe"

I have updated the polling interval of the Microsoft Entra ID Interactive Sign-ins input to 900 seconds, but still the issue persists.

What other explanation could there be for the gap?


Thanks,
K


isoutamo
SplunkTrust
Hi
If/when this is a Splunk-supported TA, then just create a support case.
I suppose that there is some issue reading those events from Entra ID. After it has tried to read them but for an unknown reason has failed with some, it writes a checkpoint (describing what it has read). Then it starts from that checkpoint on the next round and misses some events which have been incorrectly marked as read. Or something similar. Anyhow, inform the creator of the TA.
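
Added example (not the add-on's code) modelling the checkpoint failure isoutamo describes: a poller that persists its checkpoint before a write is confirmed loses the rest of a page when the write dies mid-flush, as the BrokenPipeError in the TA log would, while one that advances the checkpoint only after success produces duplicates instead, which a dedup on a stable event id removes. Page size, page count and the failing pages are constructed values.

```python
"""Constructed model of the checkpoint failure mode described in the thread.

A modular input reads a page of events, writes them to the output stream and
persists a checkpoint. If the checkpoint is advanced before the write is known
to have succeeded, a write failure (such as the BrokenPipeError on flush seen
in the TA's internal log) silently drops the rest of that page. Advancing the
checkpoint only after a successful write trades loss for duplicates. SOURCE,
PAGE_SIZE, PARTIAL and the failing pages are assumptions for this example.
"""

PAGE_SIZE = 100
SOURCE = [list(range(p * PAGE_SIZE, (p + 1) * PAGE_SIZE)) for p in range(10)]
PARTIAL = 30  # events that reach the stream before the simulated flush fails


def fetch_page(page_no: int) -> list[int]:
    """Return the page of event ids at page_no (empty when exhausted)."""
    return SOURCE[page_no] if page_no < len(SOURCE) else []


def write_page(page: list[int], page_no: int, sink: list[int],
               failing: set[int], failed_once: set[int]) -> None:
    """Emit a page; the first attempt at a failing page dies mid-flush."""
    if page_no in failing and page_no not in failed_once:
        failed_once.add(page_no)
        sink.extend(page[:PARTIAL])          # partial write, then the pipe breaks
        raise BrokenPipeError(32, "Broken pipe")
    sink.extend(page)


def run_input(checkpoint_first: bool, failing: set[int]) -> list[int]:
    """Poll every page and return the event ids that reached the sink."""
    sink: list[int] = []
    failed_once: set[int] = set()
    checkpoint = 0                           # next page to read, as persisted
    while page := fetch_page(checkpoint):
        page_no = checkpoint
        if checkpoint_first:
            checkpoint = page_no + 1         # bug: progress saved before the write
        try:
            write_page(page, page_no, sink, failing, failed_once)
        except BrokenPipeError:
            continue                         # next poll resumes from the checkpoint
        checkpoint = page_no + 1             # safe: advance only after success
    return sink


def audit(received: list[int]) -> dict[str, int]:
    """Compare what arrived against the source, like the hourly table above."""
    expected = {e for page in SOURCE for e in page}
    seen = set(received)
    return {"missing": len(expected - seen), "duplicates": len(received) - len(seen)}
```

The same audit idea applies in Splunk: count events per hour on a stable id from the source and compare against the source's own count, as the table in the question does.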

KendallW
Contributor

Hi @isoutamo, thanks for your reply,

Unfortunately the TA is not supported by Splunk, and Splunk support told me as much when I raised a case with them and suggested I try the forum. 

I did find this post which seems to be a very similar issue, so we are going to try the solution there of using the Splunk Add-on for Microsoft Cloud Services (which IS Splunk supported!) to ingest the events with HEC via Event Hub. 

I will reply again with any updates
