Hi, I was hoping someone can help point me in the right direction here.
I setup Filebeat and the o365 module. Everything was working fine for 8 days or so. And then for some reason, it stopped being able to connect to the Office 365 API.
I see this in the logs:
Jun 22 19:52:12 ip-10-1-2-112 filebeat[14356]: 2020-06-22T19:52:12.757Z WARN [o365audit] o365audit/contentblob.go:93 Got error 400 Bad Request: api error:AF20051 Content requested with the key 202.........615
Jun 22 19:52:23 ip-10-1-2-112 filebeat[14356]: 2020-06-22T19:52:23.688Z WARN [o365audit] o365audit/contentblob.go:93 Got error 400 Bad Request: api error:AF20051 Content requested with the key 202.........615
According to Microsoft, (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference) the Error code AF20051
AF20051: Content requested with the key {0} has already expired. Content older than 7 days cannot be retrieved.
I tried a full uninstall|purge / re-install of filebeat and I still get the same error.
I modified the o365 module config file and uncommented the max_retention: 168h
and that didn't help either.
Has anyone come across this issue? I know the module is still in beta, but I figured I would ask...
System details:
OS: Debian 9
Filebeat version: 7.8
Elastic cloud version: 7.7.1