Okay, after granting the following 3 API Application permissions:
- AuditLog.Read.All
- Directory.Read.All
- User.Read.All
We are no longer seeing the original error message, HTTPError: 401 Client Error.
However, the add-on is not returning any events. Do you know what we are missing?
2019-05-30 21:09:53,122 INFO pid=6852 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-05-30 21:09:54,399 INFO pid=6852 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-05-30 21:09:56,595 INFO pid=6852 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2019-05-30 21:09:56,596 DEBUG pid=6852 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS-AAD/storage/collections/config/TA_MS_AAD_checkpointer (body: {})
2019-05-30 21:09:56,597 INFO pid=6852 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-05-30 21:09:56,602 DEBUG pid=6852 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-MS-AAD/storage/collections/config/TA_MS_AAD_checkpointer HTTP/1.1" 200 5307
2019-05-30 21:09:56,603 DEBUG pid=6852 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.007515
2019-05-30 21:09:56,604 DEBUG pid=6852 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS-AAD/storage/collections/config/ (body: {'search': 'TA_MS_AAD_checkpointer', 'offset': 0, 'count': -1})
2019-05-30 21:09:56,608 DEBUG pid=6852 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-MS-AAD/storage/collections/config/?search=TA_MS_AAD_checkpointer&offset=0&count=-1 HTTP/1.1" 200 4505
2019-05-30 21:09:56,609 DEBUG pid=6852 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.005022
2019-05-30 21:09:56,611 DEBUG pid=6852 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS-AAD/storage/collections/data/TA_MS_AAD_checkpointer/FCC_Azure_AD_Audits_last_date (body: {})
2019-05-30 21:09:56,614 DEBUG pid=6852 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA-MS-AAD/storage/collections/data/TA_MS_AAD_checkpointer/FCC_Azure_AD_Audits_last_date HTTP/1.1" 200 102
2019-05-30 21:09:56,615 DEBUG pid=6852 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.003437
2019-05-30 21:09:56,621 DEBUG pid=6852 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): login.microsoftonline.com
2019-05-30 21:09:56,839 DEBUG pid=6852 tid=MainThread file=connectionpool.py:_make_request:400 | https://login.microsoftonline.com:443 "POST /bb320f37-44f0-4d6d-bd7e-1e5b79f0e15d/oauth2/v2.0/token HTTP/1.1" 200 1582
2019-05-30 21:09:56,843 DEBUG pid=6852 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-05-30 21:09:56,942 DEBUG pid=6852 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+ge+2019-05-30T04:00:00Z HTTP/1.1" 200 None
2019-05-30 21:09:56,944 DEBUG pid=6852 tid=MainThread file=base_modinput.py:log_debug:286 | **Total directory audit events returned: 0*
2019-05-30 21:09:56,944 DEBUG pid=6852 tid=MainThread file=binding.py:post:736 | POST request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS-AAD/storage/collections/data/TA_MS_AAD_checkpointer/batch_save (body: {'body': '[{"_key": "FCC_Azure_AD_Audits_last_date", "state": "\"2019-05-30T04:00:00Z\""}]'})
2019-05-30 21:09:56,953 DEBUG pid=6852 tid=MainThread file=connectionpool.py:_make_request:387 | "POST /servicesNS/nobody/TA-MS-AAD/storage/collections/data/TA_MS_AAD_checkpointer/batch_save HTTP/1.1" 200 35
2019-05-30 21:09:56,953 DEBUG pid=6852 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.008755