ddbnl / office365-audit-log-collector

Collect / retrieve Office365, AzureAD and DLP audit logs and output to PRTG, Azure Log Analytics Workspace, SQL, Graylog, Fluentd, and/or file output.
https://ddbnl.github.io/office365-audit-log-collector/
MIT License

PermissionError: [Errno 13] Permission denied: 'known_logs' #50

Closed flotpg closed 8 months ago

flotpg commented 1 year ago

Hi,

Since 2023-07-13 I haven't been getting any logs... I was running LINUX-OfficeAuditLogCollector-V1.4.2 and updated to V2.1, but the issue persists. The user has write access to the log file, by the way. This is my config:

log:  # Log settings. Debug will severely decrease performance
  path: '/var/log/office365-audit-log-collector.log'
  debug: True
collect:  # Settings determining which audit logs to collect and how to do it
  contentTypes:
    Audit.General: True
    Audit.AzureActiveDirectory: True
    Audit.Exchange: True
    Audit.SharePoint: True
    DLP.All: True
  maxThreads: 50
  retries: 3  # Times to retry retrieving a content blob if it fails
  retryCooldown: 3  # Seconds to wait before retrying retrieving a content blob
  autoSubscribe: True  # Automatically subscribe to collected content types. Never unsubscribes from anything.
  skipKnownLogs: True  # Remember retrieved log ID's, don't collect them twice
  resume: False  # Remember last run time, resume collecting from there next run
  hoursToCollect: 24 # Look back this many hours for audit logs (can be overwritten by resume)
filter:  # Only logs that match ALL filters for a content type are collected. Leave empty to collect all
  Audit.General:
  Audit.AzureActiveDirectory:
  Audit.Exchange:
  Audit.SharePoint:
  DLP.All:
output:
  graylog:
    enabled: true
    address: 127.0.0.1
    port: 5555

Compared to 1.4.2, "debug: True" isn't as chatty anymore.

Any hints appreciated. Many thanks and best regards, Flo.

flotpg commented 1 year ago

OK, I'm stupid.

PermissionError: [Errno 13] Permission denied: 'known_logs' is caused by running the command from a directory where I don't have permissions.

sudo -u graylog /home/graylog/office365-audit-log-collector/LINUX-OfficeAuditLogCollector-V1.4.2 ID ID SECRET --config /home/graylog/office365-audit-log-collector/fullConfig.yaml

Finished. Total logs retrieved: 33. Total logs with errors: 0. Run time: 0:00:29.921112.
GraylogInterface reports: 33 successfully sent, 0 errors

But nothing on the running input in Graylog.
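The root cause above is that, with skipKnownLogs enabled, the collector creates a known_logs file in whatever directory the command is started from, so a cron job or sudo invocation from the wrong directory fails with EACCES. The wrapper below is an added example and not part of the project: it checks that the working directory (where known_logs lands) and the configured log path are writable before launching the collector, using the paths from this issue; the TENANT_ID, CLIENT_ID and CLIENT_SECRET variables are assumed placeholders for the three positional arguments shown in the command above.

```shell
#!/bin/sh
# Pre-flight check before starting the collector.
# Usage: preflight_check <working_dir> <log_path>; returns 0 only when
# known_logs can be written in working_dir and log_path can be written.
preflight_check() {
  workdir="$1"
  logpath="$2"
  # known_logs is created in the working directory, so it must exist and be writable
  if [ ! -d "$workdir" ]; then
    echo "preflight: working directory '$workdir' does not exist" >&2
    return 1
  fi
  if [ ! -w "$workdir" ]; then
    echo "preflight: cannot create 'known_logs' in '$workdir'" >&2
    return 1
  fi
  # An already existing known_logs (e.g. created by root earlier) must be writable too
  if [ -e "$workdir/known_logs" ] && [ ! -w "$workdir/known_logs" ]; then
    echo "preflight: existing '$workdir/known_logs' is not writable" >&2
    return 1
  fi
  # Log file: writable if it exists, otherwise its parent directory must be writable
  logdir=$(dirname "$logpath")
  if [ -e "$logpath" ]; then
    if [ ! -w "$logpath" ]; then
      echo "preflight: log file '$logpath' is not writable" >&2
      return 1
    fi
  elif [ ! -d "$logdir" ] || [ ! -w "$logdir" ]; then
    echo "preflight: cannot create '$logpath' (parent not writable)" >&2
    return 1
  fi
  return 0
}

# Run the collector from its own directory so known_logs lands beside the binary.
# Paths are the ones from this issue; credentials are assumed environment variables.
run_collector() {
  base=/home/graylog/office365-audit-log-collector
  preflight_check "$base" /var/log/office365-audit-log-collector.log || return 1
  cd "$base" || return 1
  ./LINUX-OfficeAuditLogCollector-V1.4.2 "$TENANT_ID" "$CLIENT_ID" "$CLIENT_SECRET" \
    --config "$base/fullConfig.yaml"
}
```

Invoke it as `sudo -u graylog sh -c '. ./wrapper.sh && run_collector'` (or from the graylog user's crontab) so the check and the collector run as the same account that owns the directory.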

ddbnl commented 8 months ago

Sorry for the late reply, due to my day job I was unable to work on the repo for a while.

Are you still requiring assistance with the latest issue? There is a more in-depth Graylog guide I wrote for their blog at some point; perhaps it can help: https://community.graylog.org/t/collecting-office365-azuread-audit-logs-using-office-audit-collector/23925. If not, let me know and we can investigate.

ddbnl commented 8 months ago

Closing the issue; if you still require assistance, feel free to reply.