Elasticsearch fleet error

Good evening. I use Elastic 7.17.5 and Fleet 7.17. On Sunday after 18:00, notifications to the Microsoft 365 integration stopped coming, or rather they do come, but only a strictly fixed amount in a given period of time. The error is as follows:

error.message
field [o365audit] not present as part of path [o365audit.CreationTime]

I updated the integration to the latest version, can anyone tell me what can be done here?


Having the same issue. Elastic version 8.3, but recently updated the Microsoft 365 integration to version 1.7.1. The integration appears to work on a version that was configured on a previous version of the integration and then upgraded, but a newly configured Microsoft 365 integration produces this same error for me.

Hi all. I have the same issue. Elastic version 8.3.2 and Microsoft 365 integration version 1.7.1. I have tried a new integration on a different host and I get the same problem. I get the same error message as @alex_96.

An update - I used a legacy filebeat config which I used previously and I got the following error message (partial).

unable to acquire authentication token for tenant:XXXX: refreshing spt token: XXXX: Refresh request failed. Status Code = '401'. Response body:{"error":"invalid_client","error_description":"XXXX: The provided client secret keys for app 'XXXX' are expired. Visit the Azure portal to create new keys for your app

I have to speak to another team to get this resolved (they have confirmed it has expired - just need to get new credentials). Will update when and if fixed.

To confirm from my side, the issue was expired credentials. Renewing these and changing the appropriate field in the integration config resolved the issue. As an aside, there may be a way to do this with Elastic Agent and integrations, but using Filebeat and the O365 module with the relevant config gave me a more specific error with the detail needed to narrow this down.

Now if I can find a way to get an alert when the credentials are going to expire!
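One way to get ahead of the expiry described in this thread, as an added example that is not part of the original posts or of Elastic's or Microsoft's own tooling: a small checker that reads the app registration's password credentials and reports any secret that has expired or expires within a warning window. It assumes the shape of a Microsoft Graph `GET /v1.0/applications/{id}` response (a `passwordCredentials` list whose entries carry `keyId`, `displayName` and `endDateTime`); the `SAMPLE_APP` document, its placeholder `appId`, the key names and `SAMPLE_NOW` are all constructed here so the script runs offline. Fetching the live response with a suitable Graph token is left to the caller.

```python
"""Report app registration client secrets that are expired or about to expire.

Added example for this thread; it does not come from the posts above.
Assumes the Microsoft Graph /v1.0/applications/{id} response shape and
operates on a constructed sample of that response.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Graph /applications/{id} response.
SAMPLE_APP = {
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app id
    "displayName": "o365-audit-collector",
    "passwordCredentials": [
        {"keyId": "key-1", "displayName": "old secret",     "endDateTime": "2022-07-10T18:00:00Z"},
        {"keyId": "key-2", "displayName": "current secret", "endDateTime": "2022-08-05T00:00:00Z"},
        {"keyId": "key-3", "displayName": "spare secret",   "endDateTime": "2023-01-01T00:00:00Z"},
    ],
}

# Constructed "current time" so the example is deterministic (Monday after the thread's Sunday outage).
SAMPLE_NOW = datetime(2022, 7, 12, 9, 0, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph timestamps are ISO 8601 with a trailing 'Z'; make them tz-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secrets_needing_attention(app, now, warn_days=30):
    """Return [(keyId, displayName, days_left)] for secrets that are expired or
    expire within warn_days, soonest first. days_left is negative once expired."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now) / timedelta(days=1)  # float number of days
        if days_left <= warn_days:
            findings.append((cred["keyId"], cred.get("displayName", ""), days_left))
    return sorted(findings, key=lambda f: f[2])


def has_valid_secret(app, now):
    """True if at least one secret is still unexpired, i.e. the collector can still authenticate."""
    return any(parse_graph_time(c["endDateTime"]) > now for c in app.get("passwordCredentials", []))


if __name__ == "__main__":
    # Running this on a schedule and raising an alert on any non-empty result is
    # the "warn me before it expires" check the thread asks for.
    for key_id, name, days in secrets_needing_attention(SAMPLE_APP, SAMPLE_NOW):
        state = "EXPIRED" if days < 0 else "expires soon"
        print(f"{SAMPLE_APP['displayName']}: {name} ({key_id}) {state}: {days:.1f} days")
    if not has_valid_secret(SAMPLE_APP, SAMPLE_NOW):
        print("no valid client secret left; the integration will fail with 401 invalid_client")
```

Run against the sample, the checker flags `key-1` as already expired and `key-2` as expiring within the default 30-day window, while the spare secret stays quiet; a real deployment would replace `SAMPLE_APP` with the live Graph response and wire the non-empty result into whatever alerting channel the team already uses.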
