ddbnl / office365-audit-log-collector

Collect / retrieve Office365, AzureAD and DLP audit logs and output to PRTG, Azure Log Analytics Workspace, SQL, Graylog, Fluentd, and/or file output.
https://ddbnl.github.io/office365-audit-log-collector/
MIT License

How to run LINUX-OfficeAuditLogCollector-V2.0 #27

Closed ggriffinorg closed 2 years ago

ggriffinorg commented 2 years ago

Hi, I would like to thank you for the awesome work on this project. I got the Windows version working without any issues and get the messages in Graylog. I would like to run the Linux version, but usage is not documented. Any chance you could help me out? TY in advance for your feedback. BR GG

ddbnl commented 2 years ago

Heya,

Sure, no problem. In terms of command line options and config file everything is identical to the Windows version, so it's just a matter of OS syntax. Could I ask which distro of Linux you are running? If you haven't chosen yet, then Ubuntu (server) might be a good choice, since that's what the tool was developed and tested on.

To run it you can copy the config file you had on Windows to your Linux box. Then you can download the Linux executable. Then you can run it with the config to test it. If it's working, you can schedule it. Here is what that could look like from a Linux terminal (although there's many ways to do it):

- Step 2: prepare the config file (in Nano text editor for example):

```
nano config.yaml
```

paste/write your config file, then CTRL + s, CTRL + x

- Step 3: get the executable (this points to the latest release for now):

```
wget https://github.com/ddbnl/office365-audit-log-collector/releases/download/v2.0/LINUX-OfficeAuditLogCollector-V2.0
chmod +x LINUX-OfficeAuditLogCollector-V2.0
```

- Step 4: run it once to test (command will be the same as with Windows):

```
./LINUX-OfficeAuditLogCollector-V2.0 tenant_id client_id secret_key --config config.yaml
```

- Step 5: schedule it to run every hour for example:

```
crontab -e
```

choose an editor if it asks you to, nano is the easiest to use; at the end of the file write the line below, then CTRL + s, CTRL + x

```
0 * * * * ~/audit-log-collector/LINUX-OfficeAuditLogCollector-V2.0 tenant_id client_id secret_key --config config.yaml
```


Now the collector will run at minute 0 of every hour.

Here is a screenshot of the folder containing the files:
![image](https://user-images.githubusercontent.com/40169436/170844358-e69657ed-1d5d-4992-8073-470cc6556558.png)

Here is a screenshot of the CRON schedule (crontab -e):
![image](https://user-images.githubusercontent.com/40169436/170844282-a4fd04f3-1985-44ff-b8c7-5a9927b5e593.png)

Let me know if this helped you, or if there's anything more I can do to help :)
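
A cron wrapper for the scheduling step above, as an added example that is not part of this thread or of the project. It assumes the release binary, config.yaml and a secrets.env file (TENANT_ID=, CLIENT_ID=, SECRET_KEY=) sit together in one directory, and that GNU stat and flock are available; the secrets file name and its format are assumptions.

```shell
#!/bin/sh
# Cron wrapper for the collector. Constructed example; assumed layout:
#   $COLLECTOR_DIR/LINUX-OfficeAuditLogCollector-V2.0   (the release binary)
#   $COLLECTOR_DIR/config.yaml                          (same config as on Windows)
#   $COLLECTOR_DIR/secrets.env  with TENANT_ID=... CLIENT_ID=... SECRET_KEY=...
# Crontab entry (see cron_entry): 0 * * * * /path/to/run-collector.sh run
set -eu

COLLECTOR_DIR="${COLLECTOR_DIR:-${HOME:-.}/audit-log-collector}"
BIN="$COLLECTOR_DIR/LINUX-OfficeAuditLogCollector-V2.0"
CONFIG="$COLLECTOR_DIR/config.yaml"
SECRETS="$COLLECTOR_DIR/secrets.env"
LOG="$COLLECTOR_DIR/collector.log"
LOCK="$COLLECTOR_DIR/.collector.lock"

# Succeeds only when the file is readable by its owner alone (mode 600 or 400),
# so the client secret is not exposed to other local users. Uses GNU stat(1).
check_private_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# The crontab line for "minute 0 of every hour", built with an absolute path
# because cron runs with a minimal environment and PATH.
cron_entry() {
    printf '0 * * * * %s/run-collector.sh run\n' "$1"
}

run_collector() {
    if ! check_private_mode "$SECRETS"; then
        echo "refusing to run: $SECRETS must be mode 600 (owner only)" >&2
        return 1
    fi
    . "$SECRETS"
    # flock -n skips this run if the previous hourly run is still going, so a
    # slow tenant never produces overlapping collectors. Output is appended to
    # a log file instead of being mailed by cron.
    flock -n "$LOCK" "$BIN" "$TENANT_ID" "$CLIENT_ID" "$SECRET_KEY" \
        --config "$CONFIG" >>"$LOG" 2>&1
}

if [ "${1:-}" = "run" ]; then
    run_collector
fi
```

The secret is still passed on the command line, because that is how the invocation shown in the thread accepts it, so it is visible in the process list while the collector runs; the wrapper only keeps it out of the crontab itself and out of world-readable files.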
ggriffinorg commented 2 years ago

Hi ddbnl, TY for the fast answer and tutorial. Just cool. I installed the Graylog Server on Ubuntu 20.04 LTS as it's easier for day to day usage when deployed in Production. I am going to test everything and give you feedback. Once again TY for this awesome project as it's going to save me time to check customers' M365 tenant logs when they screw something up. Have a great and BR. GG

ggriffinorg commented 2 years ago

Hi ddbnl, All working. Just awesome. ;) Once again TY and have a great Sunday. BR GG

ddbnl commented 2 years ago

Awesome, thanks for the response.