I am trying to collect data from Azure Graph, and CAS API using the Splunk Add-on for Microsoft Office 365 app. I tried this first on a windows server and got this error:
2022-02-03 11:34:12,218 level=INFO pid=7340 tid=MainThread logger=splunksdc.collector pos=collector.py:run:251 | | message="Modular input started." 2022-02-03 11:34:12,508 level=INFO pid=7340 tid=MainThread logger=splunk_ta_o365.common.settings pos=settings.py:load:36 | datainput=b'testsignins' start_time=1643884452 | message="Load proxy settings success." enabled=False host=b'' port=b'' username=b'' 2022-02-03 11:34:12,802 level=INFO pid=7340 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get_v2_token_by_psk:160 | datainput=b'testsignins' start_time=1643884452 | message="Acquire access token success." expires_on=1643888051.8024929 2022-02-03 11:34:13,806 level=DEBUG pid=7340 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=graph_api.py:run:102 | datainput=b'testsignins' start_time=1643884452 | message="Start Retrieving Graph Api Audit Messages." timestamp=1643884453.8066385 report=b'signIns' 2022-02-03 11:34:13,806 level=INFO pid=7340 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:462 | datainput=b'testsignins' start_time=1643884452 | message="Calling Microsoft Graph API." url=b'https://graph.microsoft.com/v1.0/auditLogs/signIns' params=None 2022-02-03 11:34:21,628 level=ERROR pid=7340 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=graph_api.py:run:118 | datainput=b'testsignins' start_time=1643884452 | message="Error retrieving Cloud Application Security messages." exception=Invalid format string 2022-02-03 11:34:21,628 level=ERROR pid=7340 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=utils.py:wrapper:72 | datainput=b'testsignins' start_time=1643884452 | message="Data input was interrupted by an unhandled exception." Traceback (most recent call last): File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunksdc\utils.py", line 70, in wrapper return func(*args, **kwargs) File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunk_ta_o365\modinputs\graph_api.py", line 235, in run return consumer.run() File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunk_ta_o365\modinputs\graph_api.py", line 114, in run self._ingest(message, source) File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunk_ta_o365\modinputs\graph_api.py", line 125, in _ingest expiration = int(message.update_time.strftime('%s')) ValueError: Invalid format string 2022-02-03 11:34:21,632 level=INFO pid=7340 tid=MainThread logger=splunksdc.collector pos=collector.py:run:254 | | message="Modular input exited."
Authenication seems to be working but it looks like it returns an unexpected string value it can't handle. I tested the azure app and CAS token using powershell and no issues. So last ditch effort was to try on another server. This happend to be a Linux server. When i set the app up there everything worked without issues. This made me think that the Graph and CAS inputs does not work on Windows servers since this was the only difference. So i tested on an another windows server and got the same error. So I wondered if anyone else here has the same result as me, or has managed to get this running on a windows server? The app in splunk says it is platform independent, so it should run on windows to.
... View more