ddbnl / office365-audit-log-collector

Collect / retrieve Office365, AzureAD and DLP audit logs and output to PRTG, Azure Log Analytics Workspace, SQL, Graylog, Fluentd, and/or file output.
https://ddbnl.github.io/office365-audit-log-collector/
MIT License

OfficeCollector Hangs and does not pull new logs #32

Closed Mnchstrcityblues79 closed 2 years ago

Mnchstrcityblues79 commented 2 years ago

Good afternoon. First and foremost, thank you for your hard work and for putting this together. It is truly amazing.

Unfortunately, after a month of working, I have encountered a problem. I use your OfficeAuditLogCollector to pull data/logs from Office365/Azure for use in Graylog. I followed the how-to you made for the Graylog community and it worked perfectly.

However, as of today, it no longer pulls data. If I run the application it will give me:

Making API request using URL: "https://manage.office.com/api/v1.0/<redacted>/activity/feed/subscriptions/list"
Starting new HTTPS connection (1): login.microsoftonline.com:443
https://login.microsoftonline.com:443 "POST /<redacted>/oauth2/token HTTP/1.1" 200 1482
Logged in
Starting new HTTPS connection (1): manage.office.com:443
https://manage.office.com:443 "GET /api/v1.0/<redacted>/activity/feed/subscriptions/list HTTP/1.1" 200 342
Starting run @ 2022-07-05 17:43:06.895347. Content: deque(['Audit.General', 'Audit.AzureActiveDirectory', 'Audit.Exchange', 'Audit.SharePoint', 'DLP.All']).
Traceback (most recent call last):
  File "AuditLogCollector.py", line 712, in <module>
  File "AuditLogCollector.py", line 71, in run
  File "AuditLogCollector.py", line 84, in run_once
  File "AuditLogCollector.py", line 125, in receive_results_from_rust_engine
  File "AuditLogCollector.py", line 448, in _handle_retrieved_content
TypeError: string indices must be integers
[5436] Failed to execute script 'AuditLogCollector' due to unhandled exception!
thread '<unnamed>' panicked at 'called `Result::unwrap()` on an `Err` value: SendError { .. }', src/api_connection.rs:254:57
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Any suggestions?

Thank you!

Mnchstrcityblues79 commented 2 years ago

This appears to have resolved itself (because it's nothing I did that I am aware of). If I find anything in the logs I will report back. Kind regards!

ddbnl commented 2 years ago

Good to know it's working again.

Based on the logs you posted I have an idea of what happened.

The program was unpacking a log, which at that point should have been a (JSON) dictionary. Instead it found a string. I think that perhaps Microsoft sent an error message of some sort. Perhaps they had an outage or maybe you were rate limited.

This is something that the program should handle better, so when I'm back from vacation I will release a new version that will try to catch this potential error and display it in the logs. Then if it happens again we will know for sure what happened. When that new version is released I will update you here.

Thanks for the kind words also.
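The failure in the traceback above (indexing a string as if it were a dict, `TypeError: string indices must be integers`) and the defensive handling ddbnl describes can be illustrated with a small content handler. This is an added example, not code from the office365-audit-log-collector project: the function name `handle_retrieved_content`, the sample records and the shape of the error responses are constructed assumptions, not actual Office 365 Management API output. The point is that a content download is validated for type before any record is indexed, and anything that is not a list of dict records is surfaced as an error in the log instead of crashing the run.

```python
import json
import logging
from typing import Any

logger = logging.getLogger("AuditLogCollector")

# Constructed sample payloads (not real API responses).
# A healthy content blob is a JSON array of dict records.
SAMPLE_CONTENT_OK = json.dumps([
    {"Id": "00000000-0000-0000-0000-000000000001",
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory"},
    {"Id": "00000000-0000-0000-0000-000000000002",
     "Operation": "FileAccessed", "Workload": "SharePoint"},
])
# A structured error object (hypothetical shape used only for this example).
SAMPLE_CONTENT_ERROR_OBJ = json.dumps(
    {"error": {"code": "EXAMPLE_429", "message": "Too many requests (constructed)"}}
)
# A bare string, as the issue's traceback suggests the collector received.
SAMPLE_CONTENT_PLAIN_STRING = "Service temporarily unavailable (constructed)"


def handle_retrieved_content(raw: str, content_type: str) -> dict[str, Any]:
    """Validate one downloaded content blob before any record is indexed.

    Returns {"records": [...dicts...], "error": None | str}.  A string or an
    error object never raises; it is logged and reported in "error" so the
    run continues and the operator can see what the service actually sent.
    """
    try:
        parsed: Any = json.loads(raw)
    except json.JSONDecodeError:
        # Not JSON at all: treat the raw text as the service's message.
        parsed = raw

    if isinstance(parsed, list):
        records = [r for r in parsed if isinstance(r, dict)]
        skipped = len(parsed) - len(records)
        if skipped:
            logger.warning("%s: skipped %d non-dict entries", content_type, skipped)
        return {"records": records, "error": None}

    if isinstance(parsed, dict):
        if "error" in parsed:
            # Structured error instead of records: report it, do not index it.
            msg = f"{content_type}: API returned error {parsed['error']!r}"
            logger.error(msg)
            return {"records": [], "error": msg}
        # A single record object is still usable.
        return {"records": [parsed], "error": None}

    # This is the case from the issue: indexing a str with record["Id"]
    # would raise TypeError.  Log it instead of crashing.
    msg = f"{content_type}: expected JSON records, got {type(parsed).__name__}: {parsed!r}"
    logger.error(msg)
    return {"records": [], "error": msg}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for label, blob in (("ok", SAMPLE_CONTENT_OK),
                        ("error-object", SAMPLE_CONTENT_ERROR_OBJ),
                        ("plain-string", SAMPLE_CONTENT_PLAIN_STRING)):
        result = handle_retrieved_content(blob, "Audit.General")
        print(label, "->", len(result["records"]), "records, error:", result["error"])
```

Run as a script it prints one line per sample payload; in a collector loop the returned `error` string is what would end up in the log so that an outage or rate-limit response is visible rather than hidden behind a TypeError.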