2019-01-03 15:24:28,935 DEBUG pid=12114 tid=MainThread file=base_modinput.py:log_debug:286 | Endpoint URL: https://.......orderby=activityDate&$filter=activityDate+gt+2018-12-01T00:00:00Z
2019-01-03 15:24:28,938 ERROR pid=12114 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 129, in collect_events
audit_events = get_audit_events(helper, access_token, url, max_records)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 90, in get_audit_events
header = {'Accept':'application/json', 'Authorization':'Bearer ' + access_token}
TypeError: cannot concatenate 'str' and 'ConnectionError' objects
I had the same thing going on; it turns out I couldn't get a token:
(set logging to debug and add this to input_module_MS_AAD_audit.py, line 122): helper.log_debug("Token: %s" % str(access_token))
I added the same proxies = { } entry to get_access_token and updated the response (line 45) from: response = requests.post(endpoint, data=payload).json()
to: response = requests.post(endpoint,proxies=proxies,data=payload).json()
(Yes, I know this is kind of ugly to define the proxies twice, but it's a quick and dirty fix. I didn't feel like totally overhauling this to add proxy support.)
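An added example (not part of the post above and not the add-on's own code): a token fetch that sends the request through the same proxies, raises on failure so a ConnectionError object never reaches the 'Bearer ' + access_token concatenation shown in the traceback, and logs a SHA-256 prefix of the token instead of the bearer value. It is written for Python 3; TokenError, token_fingerprint, the post and log parameters and the 30-second timeout are assumptions of this example.

```python
import hashlib


class TokenError(Exception):
    """Raised when no usable access token could be obtained."""


def token_fingerprint(token):
    # Short SHA-256 prefix: correlates log lines without exposing the bearer token.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def get_access_token(endpoint, payload, proxies=None, post=None, log=None):
    """Fetch an OAuth2 bearer token through the same proxies as the data calls.

    `post` defaults to requests.post; it is a parameter only so the function
    can be exercised offline with a stub (assumption of this example).
    """
    if post is None:
        import requests  # imported lazily so a stub can replace it offline
        post = requests.post
    try:
        body = post(endpoint, data=payload, proxies=proxies, timeout=30).json()
    except Exception as exc:
        # Fail here, with a clear message, instead of handing the exception
        # object back to the caller as if it were a token.
        raise TokenError("token request failed: %s" % type(exc).__name__)
    if not isinstance(body, dict):
        raise TokenError("token endpoint returned unexpected JSON")
    token = body.get("access_token")
    if not isinstance(token, str) or not token:
        # Report the OAuth2 error code only; never echo the full response body.
        raise TokenError("no access_token in response: %s"
                         % body.get("error", "unknown"))
    if log:
        log("Token acquired, sha256 prefix %s" % token_fingerprint(token))
    return token
```

In the modular input, helper.log_debug can be passed as log and the existing proxies dict as proxies, so the proxy settings are defined once and shared by both requests.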