ddbnl / office365-audit-log-collector

Collect / retrieve Office365, AzureAD and DLP audit logs and output to PRTG, Azure Log Analytics Workspace, SQL, Graylog, Fluentd, and/or file output.
https://ddbnl.github.io/office365-audit-log-collector/
MIT License
107 stars 40 forks

http 400 error #11

Closed LILTUD closed 2 years ago

LILTUD commented 5 years ago

Hi, I was wondering if you may be able to point me in the right direction. We have set up our audit logs, and we have set up the app integration and granted it permission to the Office 365 Management API, created a secret etc., and it seems to authenticate OK to login.microsoftonline.com:443, but then the next step seems to throw an HTTP 400. From what I can see we have set this up correctly. Can anyone advise why we might be getting a 400? It doesn't seem to matter which log type we pull:

(I've removed the actual values for our tenant in the command below:)

python AuditLogCollector.py '7xxx' 'xxx' 'xxx' --azure_ad -p 'TEST365LOGS' -g -gA 10.50.2.128 -gP 5566 -d -l /tmp/logs/debug.log

results from debug.log:

cat /tmp/logs/debug.log

INFO:root:Starting run @ 2019-08-21 07:15:20.942284
DEBUG:root:Getting available content for type: "Audit.AzureActiveDirectory"
DEBUG:root:Making API request using URL: "https://manage.office.com/api/v1.0/7xxx/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory&startTime=2019-08-20T20:15:20&endTime=2019-08-20T21:15:20&PublisherIdentifier=TEST365LOGS"
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): login.microsoftonline.com:443
DEBUG:urllib3.connectionpool:https://login.microsoftonline.com:443 "POST /7xxx/oauth2/token HTTP/1.1" 200 1492
DEBUG:root:Logged in
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): manage.office.com:443
DEBUG:urllib3.connectionpool:https://manage.office.com:443 "GET /api/v1.0/xxx/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory&startTime=2019-08-20T20:15:20&endTime=2019-08-20T21:15:20&PublisherIdentifier=TEST365LOGS HTTP/1.1" 400 71
DEBUG:root:Got 1 content blobs of type: "Audit.AzureActiveDirectory"

Any assistance would be great, thanks for your help.

furiel commented 5 years ago

My guess is the problem is with the PublisherIdentifier. It should be the same as the tenant id in a single tenant scenario.

From: https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api

If you’re implementing a client for your company’s tenant, the PublisherIdentifier is the Tenant GUID. If you are creating an ISV application or add-in for multiple customers, the PublisherIdentifier should be the ISV’s Tenant GUID, and not the tenant GUID of end user’s company.

LILTUD commented 5 years ago

Hi, thanks for the fast response. I was thinking it would be related to that, but I have tried PublisherIdentifier with the tenant GUID and get the same issue. Would there be any other items that I should consider? Thanks again for your assistance on this.

furiel commented 5 years ago

Perhaps the subscriptions are not started. Did you start the subscriptions using the AuditLogSubscriber script?
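The two suggestions in this thread (PublisherIdentifier must equal the tenant GUID for a single-tenant client, and the content-type subscriptions must actually be started) can be turned into a small preflight check. The script below is an added example, not part of the office365-audit-log-collector project; it assumes the documented Management Activity API routes (`subscriptions/content` and `subscriptions/list`) and the `requests` library for the optional online part, and the debug-log text it parses is constructed to mirror the output pasted above.

```python
"""Preflight checks for Office 365 Management Activity API content requests.

Added example; not the collector's own code. Endpoint paths are the documented
Management Activity API routes (assumption stated in the lead-in).
"""
import re
import uuid
from datetime import datetime, timedelta
from urllib.parse import urlencode

BASE = "https://manage.office.com/api/v1.0"
# Content types accepted by the API's contentType parameter.
CONTENT_TYPES = {
    "Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
    "Audit.General", "DLP.All",
}


def check_publisher_identifier(tenant_id, publisher_id, multi_tenant_isv=False):
    """Return None when the pair is consistent, else a message describing the problem."""
    try:
        uuid.UUID(tenant_id)
        uuid.UUID(publisher_id)
    except ValueError:
        return "tenant id and PublisherIdentifier must both be GUIDs"
    # Single-tenant clients use their own tenant GUID; only an ISV uses a different one.
    if not multi_tenant_isv and tenant_id.lower() != publisher_id.lower():
        return "single-tenant client: PublisherIdentifier must equal the tenant GUID"
    return None


def build_content_url(tenant_id, content_type, start, end, publisher_id):
    """Build the subscriptions/content URL, refusing parameters the API will reject."""
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown contentType {content_type!r}")
    problem = check_publisher_identifier(tenant_id, publisher_id)
    if problem:
        raise ValueError(problem)
    fmt = "%Y-%m-%dT%H:%M:%S"
    query = urlencode({
        "contentType": content_type,
        "startTime": start.strftime(fmt),
        "endTime": end.strftime(fmt),
        "PublisherIdentifier": publisher_id,
    })
    return f"{BASE}/{tenant_id}/activity/feed/subscriptions/content?{query}"


# Matches the request summary urllib3 writes at DEBUG level.
LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<path>\S+) HTTP/1\.1" (?P<status>\d{3})')


def failed_requests(log_text):
    """Return (method, path, status) for every non-2xx request in a urllib3 debug log."""
    found = []
    for m in LOG_RE.finditer(log_text):
        status = int(m.group("status"))
        if not 200 <= status < 300:
            found.append((m.group("method"), m.group("path"), status))
    return found


def missing_subscriptions(listed, wanted):
    """listed: parsed JSON from subscriptions/list; returns wanted types not enabled."""
    enabled = {s.get("contentType") for s in listed if s.get("status") == "enabled"}
    return sorted(set(wanted) - enabled)


def list_subscriptions(tenant_id, token, publisher_id):
    """Optional online step: fetch the tenant's subscription list with a bearer token."""
    import requests  # imported here so the offline checks need no network library
    r = requests.get(
        f"{BASE}/{tenant_id}/activity/feed/subscriptions/list",
        params={"PublisherIdentifier": publisher_id},
        headers={"Authorization": f"Bearer {token}"},
        timeout=30,
    )
    r.raise_for_status()
    return r.json()


# Constructed sample: a placeholder tenant GUID and two log lines shaped like the
# ones in the issue (token request succeeds, content request returns 400).
TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_LOG = (
    'DEBUG:urllib3.connectionpool:https://login.microsoftonline.com:443 '
    f'"POST /{TENANT}/oauth2/token HTTP/1.1" 200 1492\n'
    'DEBUG:urllib3.connectionpool:https://manage.office.com:443 '
    f'"GET /api/v1.0/{TENANT}/activity/feed/subscriptions/content'
    '?contentType=Audit.AzureActiveDirectory&PublisherIdentifier=TEST365LOGS HTTP/1.1" 400 71\n'
)

if __name__ == "__main__":
    for method, path, status in failed_requests(SAMPLE_LOG):
        print(f"{status} on {method} {path}")
    print(check_publisher_identifier(TENANT, "TEST365LOGS"))
    end = datetime(2019, 8, 20, 21, 15, 20)
    print(build_content_url(TENANT, "Audit.AzureActiveDirectory",
                            end - timedelta(hours=1), end, TENANT))
```

Run offline, the script flags the 400 on the content request and reports that a non-GUID PublisherIdentifier is inconsistent with a single-tenant client; with a valid token, `list_subscriptions` plus `missing_subscriptions` tells you which content types still need to be started before the collector can pull them.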

ddbnl commented 2 years ago

I've been away for a while, apologies for the very late reply.

Do you still require assistance @LILTUD? I will leave the issue open a bit longer. I've added clearer steps for onboarding the audit logs (exact required API permissions, etc.). They may help. Also make sure UnifiedAuditLogs are enabled.