ddbnl / office365-audit-log-collector

Collect / retrieve Office365, AzureAD and DLP audit logs and output to PRTG, Azure Log Analytics Workspace, SQL, Graylog, Fluentd, and/or file output.
https://ddbnl.github.io/office365-audit-log-collector/
MIT License
106 stars 40 forks

TypeError: string indices must be integers #18

Closed flotpg closed 2 years ago

flotpg commented 2 years ago

Hi,

I'm trying to get your nice solution running but it fails on start.

ENV: Ubuntu 20.04

./Linux/LINUX-OfficeAuditLogCollector-V1.3 AAD-Tenant-ID AAD-App-ID AAD-App-SecretKey --config ./fullConfig.yaml

Starting run @ 2022-04-27 16:03:17.386048. Content: ['Audit.General', 'Audit.AzureActiveDirectory', 'Audit.Exchange', 'Audit.SharePoint', 'DLP.All'].
Traceback (most recent call last):
  File "AuditLogCollector.py", line 740, in <module>
  File "AuditLogCollector.py", line 299, in run_once
  File "AuditLogCollector.py", line 279, in _prepare_to_run
  File "AuditLogCollector.py", line 383, in _auto_subscribe
TypeError: string indices must be integers
[118569] Failed to execute script 'AuditLogCollector' due to unhandled exception!

fullConfig.yaml:

log:  # Log settings. Debug will severely decrease performance
  path: 'collector.log'
  debug: False
collect:  # Settings determining which audit logs to collect and how to do it
  contentTypes:
    Audit.General: True
    Audit.AzureActiveDirectory: True
    Audit.Exchange: True
    Audit.SharePoint: True
    DLP.All: True
  maxThreads: 50
  retries: 3  # Times to retry retrieving a content blob if it fails
  retryCooldown: 3  # Seconds to wait before retrying retrieving a content blob
  autoSubscribe: True  # Automatically subscribe to collected content types. Never unsubscribes from anything.
  skipKnownLogs: True  # Remember retrieved log ID's, don't collect them twice
  resume: True  # Remember last run time, resume collecting from there next run
  hoursToCollect: 24  # Look back this many hours for audit logs (can be overwritten by resume)
filter:  # Only logs that match ALL filters for a content type are collected. Leave empty to collect all
  Audit.General:
  Audit.AzureActiveDirectory:
  Audit.Exchange:
  Audit.SharePoint:
  DLP.All:
output:
  file:  # CSV output
    enabled: False
    separateByContentType: True  # Creates a separate CSV file for each content type, appends content name to path
    path: 'output'
    separator: ';'
    cacheSize: 500000  # Amount of logs to cache until each CSV commit, larger=faster but eats more memory
  azureLogAnalytics:
    enabled: False
    workspaceId:
    sharedKey:
  azureTable:  # Provide connection string to executable at runtime with --table-string
    enabled: False
    tableName: AuditLogs  # Name of the table inside the storage account
  azureBlob:  # Write CSV to a blob container. Provide connection string to executable at runtime with --blob-string
    enabled: False
    containerName: AuditLogs  # Name of the container inside storage account
    blobName: AuditLog  # When separatedByContentType is true, this is used as file prefix and becomes e.g. AuditLog_AuditExchange.csv
    tempPath: './output'
    separateByContentType: True
    separator: ';'
    cacheSize: 500000  # Amount of logs to cache until each CSV commit, larger=faster but eats more memory
  sql:  # Provide connection string to executable at runtime with --sql-string
    enabled: False
    cacheSize: 500000  # Amount of logs to cache until each SQL commit, larger=faster but eats more memory
    chunkSize: 2000  # Amount of rows to write simultaneously to SQL, in most cases just set it as high as your DB allows. COUNT errors = too high
  graylog:
    enabled: true
    address: 127.0.0.1
    port: 5555
  prtg:
    enabled: False
    channels:

flotpg commented 2 years ago

Looks like it has an issue with the app secret _XV8Q~D.Qia~kiyEzU1coJ4.YLRaZcJByhORgbn. Created another one with different characters and it works.

ddbnl commented 2 years ago

Good to know that fixed it. Still odd that there's an issue with it, since the app secret is URL parsed. Another possibility would be the shell messing it up, so for future people with this issue it might be worth trying to quote the string in the shell to explicitly make it a string.

I will add some logic to better check the result of 'get_subscriber_status' to at least present a better error.

ddbnl commented 2 years ago

Added explicit check for this issue, so if it happens again a clearer error should be displayed. Closing the issue.
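
The kind of explicit check described in the last two comments, as an added example that is not the collector's own code: it assumes the `TypeError` in `_auto_subscribe` comes from indexing into an error object returned in place of the subscription list, which the page does not confirm. The function names, the exception class and both sample response bodies are constructed for illustration.

```python
import json

# Constructed sample bodies (not captured from the real API).
OK_BODY = ('[{"contentType": "Audit.Exchange", "status": "enabled"},'
           ' {"contentType": "DLP.All", "status": "disabled"}]')
ERROR_BODY = '{"Message": "Authorization has been denied for this request."}'


class SubscriptionStatusError(Exception):
    """The subscription-list response was not a list of subscription objects."""


def naive_parse(body):
    # Unchecked version: if the body is an error object (a dict), the loop
    # yields its keys (strings) and s["contentType"] raises TypeError.
    return {s["contentType"]: s["status"] for s in json.loads(body)}


def parse_subscription_status(body):
    """Return {contentType: status}, or raise a descriptive error."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise SubscriptionStatusError(f"response is not JSON: {exc}") from exc
    if not isinstance(data, list):
        # Report the API's own message; never echo the credentials that were sent.
        raise SubscriptionStatusError(
            f"expected a list of subscriptions, got: {data!r}; "
            "check tenant ID, app ID and secret (quote the secret in the shell)")
    status = {}
    for entry in data:
        if not isinstance(entry, dict) or not entry.keys() >= {"contentType", "status"}:
            raise SubscriptionStatusError(f"unexpected subscription entry: {entry!r}")
        status[entry["contentType"]] = str(entry["status"]).lower()
    return status


def missing_subscriptions(status, wanted):
    """Content types from the config that are not currently enabled."""
    return [ct for ct in wanted if status.get(ct) != "enabled"]


if __name__ == "__main__":
    print(parse_subscription_status(OK_BODY))
    try:
        parse_subscription_status(ERROR_BODY)
    except SubscriptionStatusError as err:
        print("clear error:", err)
```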