Closed kevinserafin closed 4 years ago
Started digging into it a little bit; I've verified that auditing is enabled.
[{"contentType":"Audit.AzureActiveDirectory","status":"enabled","webhook":null},{"contentType":"Audit.Exchange","status":"enabled","webhook":null},{"contentType":"Audit.General","status":"enabled","webhook":null},{"contentType":"Audit.SharePoint","status":"enabled","webhook":null}]
Same issue happened to me with SharePoint, testing the others...
Same issue, tried pooling data from Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, no luck.
I was poking around the code last night (config.go) and found there are a few properties that can be set for api_timeout and content_max_age.
o365beat:
  content_max_age: 120
This started working quickly once it wasn't trying to go back a week. We have a really busy tenant, so I'm sure the volume was a bit much for it to pull. It would be good to document some of these settings in the sample config with a description of how to set them or what the interval is.
Thank you @kevinserafin for pointing this out, there are indeed a few parameters you can tweak that we didn't emphasize in the documentation. We've not run into this before, I appreciate the chance to update the docs with some specifics. The idea that pulling a long span on a busy tenant could push you closer to a timeout makes sense, I'll do my best to capture that in an FAQ item and in the config discussion in the README. I'll let you know when it's updated, if you think it covers your issue we can close this. Thanks again!
Sounds good, this is a great tool - appreciate the work!
Hello, I'm attempting to use o365beat and I am able to get events from Audit.AzureActiveDirectory but any of the other three all fail with a client.timeout. Am I wrong to assume that the audit logging is turned on since I am able to retrieve AzureAD logs?