After installing and configuring the Office 365 Module according to instructions here, I'm seeing a couple of issues.
After running successfully for (exactly) 1 hour, the o365beat process on the Windows 10 machine fails with an error like the following:
ERROR instance/beat.go:916 Exiting: error listing all available content between 2021-08-27 20:32:33 +0000 UTC and 2021-08-27 15:43:44.6768062 -0500 CDT m=+3600.127845301:
non-200 status during api request.
confirm audit log searching is enabled for the target tenancy
(https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off#turn-on-audit-log-search).
Message: "Authorization has been denied for this request."
There's more to the error log but that's the essential part. However, the Audit Log feature is definitely enabled, which can be seen by running "Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled" in the Exchange PowerShell. I disabled and re-enabled it, I've restarted the computer, the service, etc., numerous times across several days and still get the same issue.
No data shows up in the dashboard which comes with this module. I can see in the logs that data is being transferred, but there is no sign of it in the Kibana dashboard.
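The quoted exit message carries two useful facts: the Go monotonic uptime marker (`m=+3600.12...`, seconds since the process started) and the API's own `Message:` string. The triage helper below, an added example and not part of the original post or of o365beat, parses such a line and flags the combination the poster saw (authorization denied at roughly one hour of uptime); the sample log line is constructed from the thread's error text.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the error quoted in this thread, joined onto
# one line the way the beat writes a single log record.
SAMPLE_LOG = (
    'ERROR instance/beat.go:916 Exiting: error listing all available content between '
    '2021-08-27 20:32:33 +0000 UTC and 2021-08-27 15:43:44.6768062 -0500 CDT '
    'm=+3600.127845301: non-200 status during api request. confirm audit log searching '
    'is enabled for the target tenancy (https://docs.microsoft.com/...). '
    'Message: "Authorization has been denied for this request."'
)

# Go's time.Time.String() appends "m=+<seconds>" = monotonic reading since process start.
UPTIME_RE = re.compile(r"m=\+(\d+(?:\.\d+)?)")
MESSAGE_RE = re.compile(r'Message:\s*"([^"]*)"')


@dataclass
class BeatExit:
    uptime_seconds: Optional[float]  # None if the line carries no monotonic marker
    message: str                     # text of the API's Message: field, "" if absent
    auth_denied: bool                # API rejected the credentials/token
    near_hour_mark: bool             # exit happened within tolerance of 3600 s uptime


def parse_beat_exit(line: str, tolerance_s: float = 60.0) -> Optional[BeatExit]:
    """Parse an o365beat 'Exiting:' error record; return None for any other line."""
    if "Exiting:" not in line:
        return None
    m_up = UPTIME_RE.search(line)
    uptime = float(m_up.group(1)) if m_up else None
    m_msg = MESSAGE_RE.search(line)
    message = m_msg.group(1) if m_msg else ""
    auth_denied = "authorization has been denied" in message.lower()
    near_hour = uptime is not None and abs(uptime - 3600.0) <= tolerance_s
    return BeatExit(uptime, message, auth_denied, near_hour)


def triage(line: str) -> str:
    """One-line hint for an operator reading the beat's log."""
    ev = parse_beat_exit(line)
    if ev is None:
        return "not a beat exit record"
    if ev.auth_denied and ev.near_hour_mark:
        return "auth rejected at ~1h uptime: check app credentials/permissions and beat version"
    if ev.auth_denied:
        return "auth rejected: check app credentials/permissions"
    return f"exit after {ev.uptime_seconds}s: {ev.message or 'no API message'}"
```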
Yes, but why after 1 hour? I finally resolved this auth issue by using the latest Filebeat download (Download Filebeat • Lightweight Log Analysis | Elastic), still not sure why it happened, but it's not a problem any more.
However, I'm still curious about the other issue, which is that absolutely no data shows up in the dashboard. "Module Status" shows that I'm correctly receiving data from the agent. Agent logs show that I'm connected just fine, but nothing appears in the dashboard, after days.
Everything is properly authorized on the client side, audit log is enabled, etc. What am I missing?
Are you sure the credentials that you're using for Filebeat are good and have the right permissions? It's the only thing that I can presume based off the initial log message that you posted.
I finally re-installed everything on the server side from scratch, and it's now working. While installing, I discovered that I had not done "filebeat setup" (on the server side) properly. At the least, logstash/filebeat were missing pipelines and probably other similar issues. I wish I could say exactly what was wrong, but at least it's working now. Thank you for your help, I really appreciate you being there.