Link to post: (Issue with Management activity Logs)
by Abdulkareem

https://community.splunk.com/t5/All-Apps-and-Add-ons/Issue-with-Management-activity-Logs/m-p/654348#...

Hi all, I have successfully integrated Office 365 with Splunk and am currently receiving logs from various sources, including message trace, defender, among others. However, I have noticed an absence of management activity logs in the data. Upon further investigation, I encountered an error message located at $splunkpath/var/log/splunk/splunk_ta_o365_management_activity_*.log. I would greatly appreciate any assistance or insights into resolving this issue.2023-08-15 12:57:44,362 level=INFO pid=3567796 tid=MainThread logger=splunksdc.collector pos=collector.py:run:267 | | message="Modular input started." 2023-08-15 12:57:44,384 level=INFO pid=3567796 tid=MainThread logger=splunk_ta_o365.common.settings pos=settings.py:load:36 | datainput=b'test' start_time=1692093464 | message="Load proxy settings success." enabled=False host=b'' port=b'' username=b'' 2023-08-15 12:57:45,011 level=INFO pid=3567796 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get_v2_token_by_psk:211 | datainput=b'test' start_time=1692093464 | message="Acquire access token success." expires_on=1692097064.011808 2023-08-15 12:57:45,715 level=ERROR pid=3567796 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:72 | datainput=b'test' start_time=1692093464 | message="Data input was interrupted by an unhandled exception." Traceback (most recent call last): File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/utils.py", line 70, in wrapper return func(*args, **kwargs) File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 201, in run executor.run(adapter) File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/batch.py", line 54, in run for jobs in delegate.discover(): File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 690, in discover session = self._get_session() File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 361, in _get_session self._enable_subscription(session) File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 372, in _enable_subscription self._subscription.start(session) File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 386, in start response = self._perform(session, "POST", "/subscriptions/start", params) File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 419, in _perform return self._request(session, method, url, kwargs) File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 453, in _request raise O365PortalError(response) splunk_ta_o365.common.portal.O365PortalError: 400:{"error":{"code":"StartSubscription [CorrId=23540c54-3a29-4142-af13-0ce9a78eb47c][TenantId=*******,ContentType=Audit.AzureActiveDirectory,ApplicationId=*******,PublisherId=*******][AppId","message":"9b7ccc6-ce29-48bf-9dec-12384684ee5c] failed. Exception: Microsoft.Office.Compliance.Audit.DataServiceException: Tenant ******* does not exist.\r\n at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetSubscriptionTableClientForTenantAsync>d__52.MoveNext() in d:\\dbs\\sh\\nibr\\0811_070645\\cmd\\e\\sources\\dev\\auditing\\src\\auditapiservice\\common\\AzureManager.cs:line 2113\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetAPISubscriptionAsync>d__22.MoveNext() in d:\\dbs\\sh\\nibr\\0811_070645\\cmd\\e\\sources\\dev\\auditing\\src\\auditapiservice\\common\\AzureManager.cs:line 549\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Office.Compliance.Audit.API.StartController.<StartSubscription>d__0.MoveNext() in d:\\dbs\\sh\\nibr\\0811_070645\\cmd\\19\\sources\\dev\\auditing\\src\\auditapiservice\\apifrontendservicerole\\Controllers\\StartController.cs:line 76"}} 2023-08-15 12:57:45,719 level=INFO pid=3567796 tid=MainThread logger=splunksdc.collector pos=collector.py:run:270 | | message="Modular input exited."  

This message has 0 replies