404 Client Error: Not Found for url #21

Closed
matthewroberson71 opened this issue Sep 15, 2022 · 2 comments
Labels
status: work in progress Issues/PRs - Work in Progress (WIP)

Comments

@matthewroberson71

I am trying to configure the Splunk Add-on for Microsoft Azure (version 4.0.2 on a standalone Heavy Forwarder running version 9.0.1 of Splunk, OS RHEL 7) and I'm seeing the error below in /opt/splunk/var/log/splunk/ta_ms_aad_MS_AAD_audit.log.

2022-09-14 11:41:41,871 ERROR pid=12784 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 168, in collect_events
    response = azutils.get_items_batch_session(helper=helper, url=url, session=session)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 119, in get_items_batch_session
    raise e
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 115, in get_items_batch_session
    r.raise_for_status()
  File "/opt/splunk/etc/apps/TA-MS-AAD/lib/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://graph.microsoft.com/None/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2021-10-01T14:26:12.017133Z+and+activityDateTime+le+2022-09-14T16:34:41.623739Z

Is the URL in the error message wrong? Seems like it should be:

https://graph.microsoft.com/**v1.0**/auditLogs/directoryAudits$orderby=activityDateTime&$filter=activityDateTime+gt+2021-10-01T14:26:12.017133Z+and+activityDateTime+le+2022-09-14T16:34:41.623739Z

@JasonConger JasonConger added the status: work in progress Issues/PRs - Work in Progress (WIP) label Sep 19, 2022
@JasonConger
Collaborator

Are you creating inputs via the UI or editing inputs.conf directly? The endpoint used (the part between graph.microsoft.com/ and /auditLogs) comes from the endpoint parameter in inputs.conf:

[MS_AAD_audit://aad_audit]
audit_sourcetype = azure:aad:audit
azure_app_account = test
endpoint = v1.0
environment = public
index = azure
interval = 86400
query_backoff_throttle = 420
query_window_size = 0
tenant_id = REDACTED
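
A pre-flight check for the failure discussed in this thread, added here as an illustration (not code from the add-on or from either participant): it parses inputs.conf text and flags any MS_AAD_audit stanza without a usable `endpoint`. The stanza name `aad_audit_commercial`, the set of accepted endpoint values, and the assumption that the URL is assembled by plain string formatting are all assumptions of this example.

```python
import configparser

# Assumption: the Microsoft Graph API versions an input may select.
KNOWN_ENDPOINTS = {"v1.0", "beta"}

# Constructed sample. The first stanza mirrors the one quoted in the thread;
# the second (hypothetical name) omits `endpoint` to reproduce the failure.
SAMPLE_INPUTS_CONF = """
[MS_AAD_audit://aad_audit]
audit_sourcetype = azure:aad:audit
azure_app_account = test
endpoint = v1.0
environment = public
index = azure
interval = 86400
tenant_id = REDACTED

[MS_AAD_audit://aad_audit_commercial]
audit_sourcetype = azure:aad:audit
azure_app_account = test
environment = public
index = azure
interval = 86400
tenant_id = REDACTED
"""

def audit_inputs(conf_text):
    """Return {stanza: (endpoint, url, ok)} for every MS_AAD_audit input."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)
    report = {}
    for stanza in parser.sections():
        if not stanza.startswith("MS_AAD_audit://"):
            continue
        # .get() returns None for an absent key; formatting None into the
        # path gives the literal "None" segment seen in the traceback.
        endpoint = parser[stanza].get("endpoint")
        url = f"https://graph.microsoft.com/{endpoint}/auditLogs/directoryAudits"
        report[stanza] = (endpoint, url, endpoint in KNOWN_ENDPOINTS)
    return report

if __name__ == "__main__":
    for stanza, (endpoint, url, ok) in audit_inputs(SAMPLE_INPUTS_CONF).items():
        print(f"{'OK  ' if ok else 'FAIL'} {stanza}: endpoint={endpoint!r} -> {url}")
```

An input that fails this check collects no directory audit events until it is fixed, so the check is worth running whenever inputs are created or migrated.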

@matthewroberson71
Author

I'm creating inputs through the GUI. And it turned out to be an input for the commercial tenant (not the government tenant) that was throwing the error. I selected v1.0 in the GUI for the input and the error went away.

Should the signin input for the government tenant work if we haven't created a subscription yet in the government tenant?

We have a Python script that is able to connect and pull back signins, but the input we created in the app isn't working. To help with troubleshooting, I disabled all the inputs except the signins input for the government tenant. What I see in the logs every time the input is scheduled to check is:

2022-09-27 12:08:11,617 DEBUG pid=31970 tid=MainThread file=connectionpool.py:_make_request:465 | https://127.0.0.1:8089 "GET /servicesNS/nobody/TA-MS-AAD/storage/collections/data/TA_MS_AAD_checkpointer/aad_signin_last_date_ADSignins_SPP_GCC HTTP/1.1" 404 140
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.615 -0500] "GET /servicesNS/nobody/TA-MS-AAD/storage/collections/data/TA_MS_AAD_checkpointer/aad_signin_last_date_ADSignins_SPP_GCC HTTP/1.1" 404 140 "-" "curl" - - - 1ms
2022-09-27 12:08:11,614 DEBUG pid=31970 tid=MainThread file=binding.py:get:695 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS-AAD/storage/collections/data/TA_MS_AAD_checkpointer/aad_signin_last_date_ADSignins_SPP_GCC (body: {})
2022-09-27 12:08:11,613 DEBUG pid=31970 tid=MainThread file=connectionpool.py:_make_request:465 | https://127.0.0.1:8089 "GET /servicesNS/nobody/TA-MS-AAD/storage/collections/config/?count=-1&offset=0&search=TA_MS_AAD_checkpointer HTTP/1.1" 200 4505
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.611 -0500] "GET /servicesNS/nobody/TA-MS-AAD/storage/collections/config/?count=-1&offset=0&search=TA_MS_AAD_checkpointer HTTP/1.1" 200 4505 "-" "curl" - - - 1ms
2022-09-27 12:08:11,610 DEBUG pid=31970 tid=MainThread file=binding.py:get:695 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS-AAD/storage/collections/config/ (body: {'count': -1, 'offset': 0, 'search': 'TA_MS_AAD_checkpointer'})
2022-09-27 12:08:11,609 DEBUG pid=31970 tid=MainThread file=connectionpool.py:_make_request:465 | https://127.0.0.1:8089 "GET /servicesNS/nobody/TA-MS-AAD/storage/collections/config/TA_MS_AAD_checkpointer HTTP/1.1" 200 5353
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.608 -0500] "GET /servicesNS/nobody/TA-MS-AAD/storage/collections/config/TA_MS_AAD_checkpointer HTTP/1.1" 200 5353 "-" "curl" - - - 1ms
2022-09-27 12:08:11,598 DEBUG pid=31970 tid=MainThread file=binding.py:get:695 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS-AAD/storage/collections/config/TA_MS_AAD_checkpointer (body: {})
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.587 -0500] "GET /servicesNS/nobody/TA-MS-AAD/configs/conf-ta_ms_aad_settings/logging?output_mode=json HTTP/1.1" 200 1534 "-" "curl" - - - 1ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.553 -0500] "GET /servicesNS/nobody/TA-MS-AAD/configs/conf-ta_ms_aad_settings/_reload HTTP/1.1" 200 2025 "-" "curl" - - - 22ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.539 -0500] "GET /servicesNS/nobody/TA-MS-AAD/TA_MS_AAD_settings/logging?output_mode=json&count=0&--cred--=1 HTTP/1.1" 200 1071 "-" "curl" - - - 55ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.517 -0500] "GET /servicesNS/nobody/TA-MS-AAD/storage/passwords?count=-1&offset=0 HTTP/1.1" 200 41679 "-" "curl" - - - 2ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.504 -0500] "GET /servicesNS/nobody/TA-MS-AAD/configs/conf-ta_ms_aad_settings/proxy?output_mode=json HTTP/1.1" 200 1501 "-" "curl" - - - 1ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.470 -0500] "GET /servicesNS/nobody/TA-MS-AAD/configs/conf-ta_ms_aad_settings/_reload HTTP/1.1" 200 2025 "-" "curl" - - - 23ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.457 -0500] "GET /servicesNS/nobody/TA-MS-AAD/TA_MS_AAD_settings/proxy?output_mode=json&count=0&--cred--=1 HTTP/1.1" 200 1106 "-" "curl" - - - 70ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.404 -0500] "GET /servicesNS/nobody/TA-MS-AAD/data/inputs/MS_AAD_signins?output_mode=json&count=0 HTTP/1.1" 200 4606 "-" "curl" - - - 33ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.391 -0500] "GET /servicesNS/nobody/TA-MS-AAD/TA_MS_AAD_MS_AAD_signins?output_mode=json&count=0&--cred--=1 HTTP/1.1" 200 3872 "-" "curl" - - - 50ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.369 -0500] "GET /servicesNS/nobody/TA-MS-AAD/storage/passwords?count=-1&offset=0 HTTP/1.1" 200 41679 "-" "curl" - - - 2ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.356 -0500] "GET /servicesNS/nobody/TA-MS-AAD/configs/conf-ta_ms_aad_account?output_mode=json&count=0 HTTP/1.1" 200 4096 "-" "curl" - - - 1ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.323 -0500] "GET /servicesNS/nobody/TA-MS-AAD/configs/conf-ta_ms_aad_account/_reload HTTP/1.1" 200 2020 "-" "curl" - - - 21ms
127.0.0.1 - splunk-system-user [27/Sep/2022:12:08:11.310 -0500] "GET /servicesNS/nobody/TA-MS-AAD/TA_MS_AAD_account?output_mode=json&count=0&--cred--=1 HTTP/1.1" 200 3028 "-" "curl" - - - 68ms
