Activity Feed
- Got Karma for How can I fix Issues fetching Exchange Online message tracking logs (HTTP 401 Client Error) since 1.4.2023?. 04-26-2023 10:59 AM
- Got Karma for How can I fix Issues fetching Exchange Online message tracking logs (HTTP 401 Client Error) since 1.4.2023?. 04-26-2023 06:04 AM
- Got Karma for How can I fix Issues fetching Exchange Online message tracking logs (HTTP 401 Client Error) since 1.4.2023?. 04-17-2023 01:20 PM
- Got Karma for Re: Issues fetching Exchange Online message tracking logs (HTTP 401 Client Error) since 1.4.2023. 04-17-2023 06:31 AM
- Posted Re: Issues fetching Exchange Online message tracking logs (HTTP 401 Client Error) since 1.4.2023 on All Apps and Add-ons. 04-14-2023 03:18 PM
- Got Karma for How can I fix Issues fetching Exchange Online message tracking logs (HTTP 401 Client Error) since 1.4.2023?. 04-12-2023 10:57 AM
- Got Karma for How can I fix Issues fetching Exchange Online message tracking logs (HTTP 401 Client Error) since 1.4.2023?. 04-04-2023 07:05 AM
- Posted How can I fix Issues fetching Exchange Online message tracking logs (HTTP 401 Client Error) since 1.4.2023? on All Apps and Add-ons. 04-04-2023 01:54 AM
- Tagged How can I fix Issues fetching Exchange Online message tracking logs (HTTP 401 Client Error) since 1.4.2023? on All Apps and Add-ons. 04-04-2023 01:54 AM
- Posted Re: The fillnull_value option in tstats command on Splunk Search. 08-31-2020 01:05 PM
- Posted Re: json gets truncated on Getting Data In. 01-01-2020 05:52 AM
- Posted Re: Forwarders list in monitoring console on Monitoring Splunk. 01-01-2020 05:43 AM
- Posted Plans to migrate from Azure Graph (graph.windows.net) to Microsoft Graph (graph.microsoft.com)? on All Apps and Add-ons. 09-06-2018 04:10 AM
- Tagged Plans to migrate from Azure Graph (graph.windows.net) to Microsoft Graph (graph.microsoft.com)? on All Apps and Add-ons. 09-06-2018 04:10 AM
- Posted Re: Does this app support fetching data via proxy? on All Apps and Add-ons. 04-06-2018 05:26 AM
- Posted Does this app support fetching data via proxy? on All Apps and Add-ons. 03-08-2018 12:44 AM
- Tagged Does this app support fetching data via proxy? on All Apps and Add-ons. 03-08-2018 12:44 AM
04-14-2023 03:18 PM
1 Karma
Thank you all for your input on this issue. We managed to get it working again after a great deal of trial and error. We ended up creating a brand new service principal, and applying the same permissions again. We had to manually alter the manifest to be able to select "ReportingWebService.Read.All". Our working theory is that the service principal we have been using for years might be "outdated" in a way, as it started working instantly with a brand new service principal. We do not have any information from MS on this theory, as we were able to resolve the issue just before submitting a case to MS.
Cheers,
Rolf
04-04-2023 01:54 AM
5 Karma
Since the first of April we started receiving HTTP 401 Client Error in modular input logs from Splunk Add-on for Microsoft Office 365 Reporting Web Service (TA-MS_O365_Reporting version 2.0.1). We tried both OAuth authentication and basic authentication, but we still receive the same error.
I was able to replicate the same issue in another Splunk environment against another M365 tenant.
We also configured the addon Splunk Add-on for Microsoft Office 365 (splunk_ta_o365 version 4.2.1) to fetch these logs, but we still receive the HTTP 401.
We are pretty confident that the app registrations and permissions are set up correctly.
Both apps connect to the API endpoint https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace - does anyone know of any changes made to this endpoint from Microsoft?
Cheers,
Rolf
- Tags:
- Splunk Add-on for Microsoft Office 365
- Splunk Add-on for Microsoft Office 365 Reporting Web Service
- splunk_ta_o365
- TA-MS_O365_Reporting
- Labels:
- troubleshooting
08-31-2020 01:05 PM
According to the docs this option to `tstats` was introduced in 8.0.0. I just recently discovered it myself. 🙂
Cheers,
Rolf
01-01-2020 05:52 AM
Could you try to do a `| eval eventlength = len(_raw)` to see if Splunk truncates at the same position every time?
01-01-2020 05:43 AM
Hi there, how did you upgrade the UFs? If you removed the whole /opt/splunkforwarder and then installed 7.3.1.1, a new GUID would have been generated.
The GUID (since 5.x) gets stored in `$SPLUNK_HOME/etc/instance.cfg`, ref. https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Instancecfgconf
Cheers,
Rolf
09-06-2018 04:10 AM
Are there any plans to change this add-on to fetch data from Microsoft Graph instead of from Azure AD Graph?
Microsoft Graph seems to be the way forward.
https://blogs.msdn.microsoft.com/aadgraphteam/2016/07/08/microsoft-graph-or-azure-ad-graph/
Cheers
Rolf
04-06-2018 05:26 AM
Thanks Jason, seems to work fine. We're running SSL-inspection on the proxies so I received the following, even though the CA certificates are present in the OS cert store (RedHat 7.4):

```
2018-04-06 12:20:58,356 ERROR pid=8322 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 68, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 75, in collect_events
    r = requests.get(url,proxies=proxies,headers=header)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)
```

I did a bit of digging and changed the following in ta_ms_aad/modinput_wrapper/base_modinput.py to point to the correct CA store:

```python
return self.rest_helper.send_http_request(url=url, method=method, parameters=parameters, payload=payload,
                                          headers=headers, cookies=cookies, verify='/etc/pki/tls/certs/ca-bundle.crt', cert=cert,
                                          timeout=timeout, proxy_uri=self._get_proxy_uri() if use_proxy else None)
```
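The post above clears `CERTIFICATE_VERIFY_FAILED` behind an SSL-inspecting proxy by handing the HTTP client a CA bundle path as `verify`, which keeps certificate validation on. The following is an added example, not code from the post or from the add-on: it resolves that bundle path in a fixed order and fails closed instead of ever returning `False`. The helper names, the `REQUESTS_CA_BUNDLE` lookup and the Debian-style path are assumptions; only the RedHat path comes from the post.

```python
import os
import re
import tempfile

# Candidate OS bundles: the first path is from the post, the second is an assumed Debian-style location.
OS_CA_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)
# Structural check only: finds PEM certificate blocks, does not validate any chain.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----"
)


def count_pem_certs(path):
    """Return how many PEM certificate blocks the file holds (0 if unreadable)."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            return len(PEM_CERT.findall(fh.read()))
    except OSError:
        return 0


def resolve_verify(configured=None, environ=None, candidates=OS_CA_BUNDLES):
    """Pick the value to pass as requests' `verify=`; never returns False."""
    environ = os.environ if environ is None else environ
    ordered = [configured, environ.get("REQUESTS_CA_BUNDLE"), *candidates]
    for path in ordered:
        if path and count_pem_certs(path) > 0:
            return path
    raise RuntimeError("no usable CA bundle found; refusing to disable TLS verification")


def write_sample_bundle(directory):
    """Write a constructed, non-functional PEM block so the demo runs offline."""
    path = os.path.join(directory, "inspection-ca.pem")
    with open(path, "w", encoding="ascii") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bundle = write_sample_bundle(tmp)
        verify = resolve_verify(environ={"REQUESTS_CA_BUNDLE": bundle}, candidates=())
        # e.g. requests.get(url, proxies=proxies, headers=header, verify=verify)
        print(verify)
```

On a real host the inspecting proxy's CA certificate has to be present in whichever bundle is selected; the structural check only catches a missing or empty file.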
03-08-2018 12:44 AM
I cannot find any information on Splunkbase or in the .conf-files regarding support for using proxy for fetching data.
I notice there is a function "remove_http_proxy_env_vars" in the python code, so I assume if the environment variable http_proxy is set, it is specifically removed when fetching data?
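```python
import os


def remove_http_proxy_env_vars():
    # Drop the proxy variables from the process environment, checking the
    # lowercase name first and the uppercase name only if that is absent.
    for k in ("http_proxy", "https_proxy"):
        if k in os.environ:
            del os.environ[k]
        elif k.upper() in os.environ:
            del os.environ[k.upper()]
```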
Is there a way around this? Is support for proxy in the works for the next version? We have strict rules, forcing us to use proxy when connecting to the Internet.
Cheers
Rolf