There are 2 issues
1) /var/log/o365beat is not created
even if manually created, there are no log files being created
the Azure AD data is not getting collected. it does not create the file. The same worked earlier
[root@ models]# systemctl status o365beat -l
● o365beat.service - Shipper for Office 365 logs from Management Activities API.
Loaded: loaded (/usr/lib/systemd/system/o365beat.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2022-08-26 12:19:11 AWST; 412ms ago
Docs: https://www.elastic.co/products/beats/o365beat
Main PID: 2687 (o365beat)
Memory: 5.6M
CGroup: /system.slice/o365beat.service
└─2687 /usr/share/o365beat/bin/o365beat -e -c /etc/o365beat/o365beat.yml -path.home /usr/share/o365beat -path.config /etc/o365beat -path.data /var/lib/o365beat -path.logs /var/log/o365beat
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.075+0800 INFO instance/beat.go:297 Setup Beat: o365beat; Version: 1.5.1
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.075+0800 INFO fileout/file.go:98 Initialized file output. path=/home/o365beat/o365.log max_size_bytes=10485760 max_backups=7 permissions=-rw-------
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.075+0800 INFO [publisher] pipeline/module.go:97 Beat name: crystaleye.lan
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO [monitoring] log/log.go:118 Starting metrics logging every 30s
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO instance/beat.go:429 o365beat start running.
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:459 o365beat is running! Hit CTRL-C to stop it.
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:203 enabling subscriptions for configured content types: [Audit.AzureActiveDirectory Audit.Exchange Audit.SharePoint Audit.General]
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:164 getting content subscriptions
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:106 auth nil or expired, re-authenticating
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:133 authenticating via https://login.microsoftonline.com/tkqlm.onmicrosoft.com/oauth2/token?api-version=1.0[root@crystaleye models]# ls -l /home/o365beat/
total 0
There are 2 issues 1) /var/log/o365beat is not created even if manually created, there are no log files being created
[root@ models]# systemctl status o365beat -l ● o365beat.service - Shipper for Office 365 logs from Management Activities API. Loaded: loaded (/usr/lib/systemd/system/o365beat.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2022-08-26 12:19:11 AWST; 412ms ago Docs: https://www.elastic.co/products/beats/o365beat Main PID: 2687 (o365beat) Memory: 5.6M CGroup: /system.slice/o365beat.service └─2687 /usr/share/o365beat/bin/o365beat -e -c /etc/o365beat/o365beat.yml -path.home /usr/share/o365beat -path.config /etc/o365beat -path.data /var/lib/o365beat -path.logs /var/log/o365beat
Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.075+0800 INFO instance/beat.go:297 Setup Beat: o365beat; Version: 1.5.1 Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.075+0800 INFO fileout/file.go:98 Initialized file output. path=/home/o365beat/o365.log max_size_bytes=10485760 max_backups=7 permissions=-rw------- Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.075+0800 INFO [publisher] pipeline/module.go:97 Beat name: crystaleye.lan Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO [monitoring] log/log.go:118 Starting metrics logging every 30s Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO instance/beat.go:429 o365beat start running. Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:459 o365beat is running! Hit CTRL-C to stop it. Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:203 enabling subscriptions for configured content types: [Audit.AzureActiveDirectory Audit.Exchange Audit.SharePoint Audit.General] Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:164 getting content subscriptions Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:106 auth nil or expired, re-authenticating Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:133 authenticating via https://login.microsoftonline.com/tkqlm.onmicrosoft.com/oauth2/token?api-version=1.0 [root@crystaleye models]# ls -l /home/o365beat/ total 0