@splunklabs Any feedback on this? Has anyone managed to get this working? I've played around with various settings, like providing Organization.Read.All, etc., with no luck. BTW, the confusion around the error code is because _auth.log returns 403, but the other log returns 401 (see below).

From ta_ms_o365_reporting_ms_o365_message_trace_oauth.log:

2022-08-18 19:10:06,228 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO
2022-08-18 19:10:06,229 INFO pid=1745907 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling
2022-08-18 19:10:06,241 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:10:06,443 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:10:07,546 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06.241464Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06.241464Z'
2022-08-18 19:10:07,547 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 355, in collect_events
get_events_continuous(helper, ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 96, in get_events_continuous
message_response = get_messages(helper, microsoft_trace_url)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 74, in get_messages
raise e
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 66, in get_messages
r.raise_for_status()
File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06.241464Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06.241464Z'

From ta_ms_o365_reporting_ms_o365_message_trace.log:

2022-08-18 19:06:22,623 INFO pid=1743945 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO
2022-08-18 19:06:22,623 INFO pid=1743945 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling
2022-08-18 19:06:22,692 INFO pid=1743945 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:06:27,816 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 401 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37.734559Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37.734559Z'
2022-08-18 19:06:27,817 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 357, in collect_events
get_events_continuous(helper, ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 99, in get_events_continuous
message_response = get_messages(helper, microsoft_trace_url, global_microsoft_office_365_username, global_microsoft_office_365_password)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 74, in get_messages
raise e
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 68, in get_messages
r.raise_for_status()
File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37.734559Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37.734559Z'