Is it possible to Splunk Microsoft Office 365 Exchange?

snrlopez
Engager

I'm playing around with the Splunk App for Microsoft Exchange app and it appears to only work on an internal network from what I've read. I've scoured this site and the web to see if there is a way to either put a forwarder within Office 365 or do a remote event log connection. No luck finding a solution so far. Any feedback would be greatly appreciated. Thanks!

Update: The Office 365 Exchange administration GUI is locked down to the extent that you can't get to a command line to install a forwarder. I opened a ticket with MS so we'll see. The remote event log option may be the only one but I get the following error when I click on "find logs". Still working it. Failed to fetch data: In handler 'win-wmi-enum-eventlogs': Unable to get wmi classes from host 'mydomain.onmicrosoft.com'. This host may not be reachable or WMI may be misconfigured.

julienjtpierre
Explorer

You should check this app out: Office 365 to Splunk import app.
We'll soon support Exchange reports, which are available today in the Office 365 Admin center, Reports section.

kellycocat
Explorer

Downloaded this app and have it running on a Windows machine. Is anyone else getting this error at runtime:

Unhandled exception:
Cannot print exception string because Exception.ToString() failed.

After getting this error, the app stops working, and I'm not able to see the data input option for O365.

Thanks in advance.

millern4
Communicator

Hello,

Just another question as to whether or not you ever got this working in Linux - preferably RHEL?

We are working on the same problem - trying to import data from Office 365 into Splunk, but our entire Splunk infrastructure is running on Linux.

Thanks!

wbfoxii
Communicator

No, I went the route of a Windows VM with a heavy forwarder. Path of least resistance.

millern4
Communicator

Understood 🙂 thanks for the information

wbfoxii
Communicator

It was actually pretty easy to get started once I had the proper account and a Windows HF. There's a trick to understanding how often the app makes its queries.

wbfoxii
Communicator

Definitely excited about this app. Installed it from the .tgz file on a 6.0.3 test server. I got these messages:

01-05-2015 08:17:06.648 -0500 ERROR ModularInputs - No script to handle scheme "o365ToSplunkDataImport" was found. This modular input will be disabled.
01-05-2015 08:17:06.648 -0500 ERROR ModularInputs - Unable to initialize modular input "o365ToSplunkDataImport" defined inside the app "o365ToSplunkDataImport": Unable to locate suitable script for introspection.

I don't see the Office 365 input in the local list.

julienjtpierre
Explorer

Just to confirm: Are you installing the app on a Windows or Linux box?

wbfoxii
Communicator

Linux - does it have to be a Windows Splunk server?

julienjtpierre
Explorer

Yes 😕
We never tried but it might work on Linux with Mono!?

wbfoxii
Communicator

So I could do this with a Windows VM running a heavy forwarder and then pump the records up to my main Linux indexers. That could work.

julienjtpierre
Explorer

Sounds like you have a plan. Hope the app can help you achieve what you are looking for.

wbfoxii
Communicator

I tried to get the OneDrive for Business Activity report and I got this error:
Encountered the following error while trying to save: In handler 'o365ToSplunkDataImport': An error occured while validating your crendentials against report: SPOOneDriveForBusinessFileActivity

(spelling errors are as is from the app)

That account can get the other reports that I've tried. And it is a portal admin, if that's the correct terminology.

What could be wrong?

wbfoxii
Communicator

Say - I've got this working and it's pretty slick. However, the Windows Splunk server is not an indexer, so I'm forwarding the data to my real indexers. I'd like to choose a different index besides "default", "main", "summary" or "history". I looked at the XML file for the panel and I wonder if I can make my own drop-down list.

Also, I would like to get activity logs from SharePoint in the cloud. That doesn't look like an available report.

wbfoxii
Communicator

We have a PowerShell script executing that dumps records from the O365 messageTrace table into a local SQL DB. From there, we use DBConnect to index the records.

I didn't write the script so I don't know what is really going on there. There is a lot of data coming. We tried adding other data feeds, but are overrunning the capability of part of the infrastructure.

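As an added example (not the poster's script and not part of the original thread), here is the shape that pipeline can take in PowerShell: Get-MessageTrace from the ExchangeOnlineManagement module pulls the last hour of trace rows, a parameterised insert lands them in a local SQL Server table, and DB Connect then polls that table. The table dbo.MessageTrace and its columns, the connection string, the lookback window and the dedup key are assumptions.

```powershell
# Added example: Exchange Online message trace -> local SQL Server -> Splunk DB Connect.
# Assumed table (create once; Id is the rising column DB Connect polls on):
#   CREATE TABLE dbo.MessageTrace (Id INT IDENTITY PRIMARY KEY, MessageTraceId NVARCHAR(64),
#     Received DATETIME2, SenderAddress NVARCHAR(320), RecipientAddress NVARCHAR(320),
#     Subject NVARCHAR(1000), Status NVARCHAR(64), FromIP NVARCHAR(64), Size INT)
param(
    [string]$SqlConn = "Server=localhost;Database=O365Logs;Integrated Security=True",  # assumption
    [int]$LookbackMinutes = 60    # overlap the schedule; trace data lags and the key check dedups
)
Import-Module ExchangeOnlineManagement
# Interactive/MFA sign-in shown; for a scheduled task use app-only auth (-CertificateThumbprint).
Connect-ExchangeOnline -ShowBanner:$false

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddMinutes(-$LookbackMinutes)

$conn = New-Object System.Data.SqlClient.SqlConnection $SqlConn
$conn.Open()
$cmd = $conn.CreateCommand()
# Parameterised statement: subject and sender are attacker-controlled text, so they are never
# concatenated into the SQL string. Dedup key (MessageTraceId, RecipientAddress) is an assumption.
$cmd.CommandText = @"
IF NOT EXISTS (SELECT 1 FROM dbo.MessageTrace WHERE MessageTraceId = @tid AND RecipientAddress = @to)
INSERT INTO dbo.MessageTrace (MessageTraceId, Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, Size)
VALUES (@tid, @recv, @from, @to, @subj, @status, @ip, @size)
"@

$page = 1; $inserted = 0
do {
    # Get-MessageTrace pages at most 5000 rows per call; walk pages until a short page comes back.
    $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    foreach ($m in $batch) {
        $cmd.Parameters.Clear()
        # [string] casts turn nulls into '' so AddWithValue never receives $null.
        [void]$cmd.Parameters.AddWithValue('@tid',    [string]$m.MessageTraceId)
        [void]$cmd.Parameters.AddWithValue('@recv',   [datetime]$m.Received)
        [void]$cmd.Parameters.AddWithValue('@from',   [string]$m.SenderAddress)
        [void]$cmd.Parameters.AddWithValue('@to',     [string]$m.RecipientAddress)
        [void]$cmd.Parameters.AddWithValue('@subj',   [string]$m.Subject)
        [void]$cmd.Parameters.AddWithValue('@status', [string]$m.Status)
        [void]$cmd.Parameters.AddWithValue('@ip',     [string]$m.FromIP)
        [void]$cmd.Parameters.AddWithValue('@size',   [int]$m.Size)
        $inserted += $cmd.ExecuteNonQuery()   # 1 for a new row, 0 when the key already exists
    }
    $page++
} while ($batch.Count -eq 5000)

$conn.Close()
Disconnect-ExchangeOnline -Confirm:$false
Write-Host "Window $start .. $end (UTC): $inserted new message trace rows stored."
```

Schedule it more often than the lookback window so the overlap, not the clock, decides completeness; the EXISTS check keeps the overlap from producing duplicate events in Splunk.
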
NewMilenium
Path Finder

Hello,
any news from anyone about this subject? Your Microsoft ticket maybe, snrlopez?
