Splunk® Supported Add-ons

Splunk Add-on for Microsoft Office 365

Troubleshooting the Splunk Add-on for Microsoft Office 365

General troubleshooting

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Cannot ingest data after configuring a new application and tenant

The Splunk Add-on for Microsoft Office 365 requires Application and Delegated permissions to read the service health, activity data, and DLP policy events. Make sure these permissions are selected, saved and then granted within the Office 365 Management Activity API configuration on Azure Active Directory.

  1. Navigate to the Enable Access pane in the Microsoft Azure Active Directory application configuration UI.
  2. Set the following Application permissions and Delegated permissions.
    • Read service health information for your organization
    • Read activity data for your organization
    • (Optional) Read DLP policy events including detected sensitive data

      Accessing DLP policy events requires an additional Microsoft Azure Active Directory subscription. If you are unable to ingest DLP policy events, make sure you have the correct Microsoft Azure Active Directory subscription. Refer to the Microsoft Azure Active Directory documentation for more information.

  3. Click Save after you change permissions.
  4. Click Grant permissions to finish applying the permission changes.

Data collection stops working - HTTP errors

The Client Secrets in Microsoft Azure can rotate on a predefined schedule according to your organization's security requirements. If the secret is not updated in the Splunk Add-on for Microsoft Office 365, data collection will stop. You may see HTTP Error 401 - Unauthorized or HTTP Error 500 - Internal Server Error in the logs.

  1. Go to the Splunk Web home screen.
  2. Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
  3. Click on the Tenant tab.
  4. Select the Tenant that needs an updated Client Secret and click Edit.
  5. Select Change and update the Client Secret.
  6. Click Update to save the changes.

Audit events are delayed or missing

As the number of events increases, the Splunk Add-on for Microsoft Office 365 may not be able to return all events in one query before the next query executes, and events from the previous query may be delayed or even missed. One root cause for this can be the number of threads that are available and used to collect the necessary data sets. If events are being queued, you can increase the number of threads in increments of 4 until all events are returned in one query.

  1. Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
  2. Add the following stanza to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file.
    [splunk_ta_o365_management_activity]
    interval = 300
    disabled = 0
    sourcetype = o365:management:activity
    number_of_threads = 4
    
  3. Increase the number of threads in increments of 4. The maximum number of threads is 64.
  4. Restart Splunk.
  5. Test to see if all events are being returned:

    index=_internal sourcetype="splunk:ta:o365:log" message="Ingesting content success." | eval content_time = strptime(content_id, "%Y%m%d%H%M%S") | chart count by content_time span=600

    You can add a filter on the data_input field to narrow down the search for a particular data input:

    index=_internal sourcetype="splunk:ta:o365:log" message="Ingesting content success." data_input=my_test_input | eval content_time = strptime(content_id, "%Y%m%d%H%M%S") | chart count by content_time span=600

    Change my_test_input to the data input name you would like to check.

You could also deploy the Splunk Add-on for Microsoft Office 365 as a tuned standalone add-on to capture Microsoft Azure Active Directory audit events separately from Service Events and Service Messages.

Data ingestion stops on Debian or Ubuntu Linux Server

Splunk Enterprise launches modular inputs under a shell process on Debian or Ubuntu Linux Server and this can block new modular input instances. If you are running the add-on with Debian or Ubuntu Linux Server, set the option start_by_shell = false in each stanza of inputs.conf.

  1. Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
  2. Add the following stanzas to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file:
    [splunk_ta_o365_management_activity]
    interval = 300
    disabled = 0
    sourcetype = o365:management:activity
    number_of_threads = 4
    start_by_shell = false
    
    [splunk_ta_o365_service_status]
    interval = 1800
    disabled = 0
    sourcetype = o365:service:status
    start_by_shell = false
    
    [splunk_ta_o365_service_message]
    interval = 600
    disabled = 0
    sourcetype = o365:service:message
    start_by_shell = false
    
  3. Restart Splunk.

Data collection hangs while calling the Office 365 management API

While calling the Office 365 management API, you receive the following error message in your logs:

ReadTimeout: HTTPSConnectionPool(host='manage.office.com', port=443): Read timed out. (read timeout=60)

The modular input is hung during data collection. Configure the request_timeout parameter in inputs.conf.

Data ingestion stops for management activity

Data collection for the management activity input stops, and you receive the following message in your error logs:

message="failed to get error code" body="{\"Message\":\"Authorization has been denied for this request.\"}"

Configure the token_refresh_window parameter in inputs.conf.

Data duplication issues when fetching multiple content URLs

The o365:management:activity input first fetches the list of content URLs. For each content URL, it then fetches the list of blob items, and those blob items are ingested as events.

If the API returns the same blob item under different content URLs, the event is ingested more than once and data duplication takes place.

To remove such duplicates, the Splunk Add-on for Microsoft Office 365 would have to keep track of the complete list of events already ingested. Because that list grows with every new event, this has a direct impact on system bandwidth and performance.
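To make the trade-off concrete, the following added example (not the add-on's own code) models the content-URL to blob-item flow with constructed sample data and de-duplicates blob items by their Id using a bounded time window. A window that is too short lets repeated items through again, which is why a complete and growing list of ingested events would be needed to catch every duplicate.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real API output: two content blobs as the
# o365:management:activity input would fetch them, keyed by a content ID whose
# prefix is the content timestamp. The second blob repeats item "e2".
CONTENT_BLOBS = {
    "20190516120000_a": [
        {"Id": "e1", "CreationTime": "2019-05-16T12:00:05", "Operation": "UserLoggedIn"},
        {"Id": "e2", "CreationTime": "2019-05-16T12:00:09", "Operation": "FileAccessed"},
    ],
    "20190516120500_b": [
        {"Id": "e3", "CreationTime": "2019-05-16T12:05:01", "Operation": "MailItemsAccessed"},
        {"Id": "e2", "CreationTime": "2019-05-16T12:00:09", "Operation": "FileAccessed"},
    ],
}


class DedupIngester:
    """Drops blob items whose Id was already ingested within a bounded window.

    Only Ids newer than (latest CreationTime - window) are remembered, so memory
    stays bounded; anything older that reappears is ingested again.
    """

    def __init__(self, window_seconds):
        self.window = timedelta(seconds=window_seconds)
        self.seen = {}          # Id -> CreationTime of the ingested copy
        self.latest = None      # newest CreationTime observed so far
        self.events = []        # ingested events, in ingestion order
        self.dropped = 0        # duplicates suppressed

    def ingest_blob(self, items):
        for item in items:
            created = datetime.fromisoformat(item["CreationTime"])
            self.latest = created if self.latest is None else max(self.latest, created)
            cutoff = self.latest - self.window
            # Forget Ids older than the window to keep the tracked set small.
            self.seen = {i: t for i, t in self.seen.items() if t >= cutoff}
            if item["Id"] in self.seen:
                self.dropped += 1
                continue
            self.seen[item["Id"]] = created
            self.events.append(item)


def ingest_all(blobs, window_seconds=3600):
    """Ingest every blob in content-ID order and return (events, dropped)."""
    ingester = DedupIngester(window_seconds)
    for content_id in sorted(blobs):   # content ID prefix sorts by timestamp
        ingester.ingest_blob(blobs[content_id])
    return ingester.events, ingester.dropped
```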

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

Hello,

Thanks for bringing up this issue. The content in question has been removed.

Mglauser splunk, Splunker
May 16, 2019

The bottom two sections of this page talk about request_timeout and token_refresh_window parameters for inputs.conf of the add-on. However, it looks like a piece of the text is missing as it's not clear how these are defined. I looked in the app and the spec file makes no mention of these parameters either. ??

Pj
May 16, 2019
