Hi jconger, I have given the below required permissions in the Azure portal for the Event Hub and for the audit logs.
Azure side:
Home --> Event Hubs --> Eventhubname --> Shared access policies --> SAS Policy: RootManageSharedAccessKey --> Claims --> Manage, Send, Listen
Home --> Subscription --> Free Trial | Access control (IAM) --> Role assignments
Network Contributor, Reader, Security Admin, Security Reader
Splunk side configuration details:
Event Hub (Preview) Inputs:
Event Hub name: HXXXXXXXX
Connection String --> Endpoint=sb://Hxxxxxxx-01.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xxxxxxxxxxxxxxxxxxxxxxxxxx=
Metric (Preview) Inputs:
Azure App Account: Azure_Mon
Tenant ID: axxxx0c-f2xxx-47b8-9xxx3-75xxx708xxx4
Subscription ID: xxxxxc1a-xxxx-4ac1-8xxx4-f7fxxxxxxx90
Microsoft Azure Active Directory Audit:
Azure App Account: Azure_Mon
Tenant ID: axxxx0c-f2xxx-47b8-9xxx3-75xxx708xxx4
After configuring the above inputs and permissions, still no luck; I am seeing the below error in the Splunk internal logs:
index="_internal" sourcetype="ta:ms:aad:log" connectionpool.py:_new_conn:758
2020-03-19 18:03:48,706 INFO pid=9135 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
index="_internal" sourcetype="ta:ms:aad:log" file="setup_util.py:log_info:114"
2020-03-19 18:49:49,320 INFO pid=29789 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
index="_internal" sourcetype="ta:ms:aad:log" file="setup_util.py:log_info:114 | Log level is not set"
2020-03-19 18:05:25,956 INFO pid=9953 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
index="_internal" sourcetype="ta:ms:aad:log" file="client_abstract.py:__init__:161"
2020-03-19 18:50:59,195 INFO pid=30328 tid=MainThread file=client_abstract.py:__init__:161 | u'eventhub.pysdk-07a5fdec': Created the Event Hub client
index="_internal" sourcetype="ta:ms:aad:log" file="splunk_rest_client.py:_request_handler:100"
2020-03-19 18:50:45,261 INFO pid=30224 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
index="_internal" sourcetype="ta:ms:aad:log" file="base_modinput.py:log_error:307"
2020-03-19 18:53:14,176 ERROR pid=31612 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 84, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 74, in collect_events
audit_events = azutils.get_items(helper, access_token, url, items=[])
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 33, in get_items
raise e
HTTPError: 401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2020-03-12T18:53:12.839458Z+and+activityDateTime+le+2020-03-19T18:46:13.997682Z
Kindly guide me on how to fix this issue; we are finding it difficult to fix.
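An offline check for the 401 in the traceback, added here as an example and not part of the original post or of the Splunk add-on: an Event Hub SAS policy and subscription RBAC roles do not grant Microsoft Graph permissions, so the useful question is what the registered application's own Graph token actually carries in its roles claim. The Graph application permission the directoryAudits query needs is assumed to be AuditLog.Read.All (confirm against the add-on's documentation), the fetch helper needs network access and the tenant, client ID and secret of the Azure_Mon app, and the sample token is constructed for the offline demonstration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permission the directoryAudits endpoint is assumed to require.
# Assumption: check the add-on docs; older docs also list Directory.Read.All.
REQUIRED_ROLES = {"AuditLog.Read.All"}
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")

def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT for inspection (no signature check)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_graph_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Return the required app roles that are absent from the token's 'roles' claim.
    An empty 'roles' claim is the usual sign that admin consent was never granted."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return set(required) - granted

def token_audience_ok(token: str) -> bool:
    """True if the token was minted for Microsoft Graph rather than another resource."""
    return decode_jwt_payload(token).get("aud") in GRAPH_AUDIENCES

def fetch_client_credentials_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Request an app-only Graph token with the client-credentials grant (needs network)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token purely for offline demonstration."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

if __name__ == "__main__":
    # Constructed token for an app that was only granted User.Read.All.
    sample = make_sample_token({"aud": GRAPH_AUDIENCES[0], "roles": ["User.Read.All"]})
    print("audience ok:", token_audience_ok(sample))
    print("missing roles:", sorted(missing_graph_roles(sample)))
```

Run it against a real token from fetch_client_credentials_token: a missing role means the app registration needs the permission added and admin consent granted in the Azure portal, which is a different step from the Event Hub and IAM settings listed above.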