ddbnl / office365-audit-log-collector

Collect / retrieve Office365, AzureAD and DLP audit logs and output to PRTG, Azure Log Analytics Workspace, SQL, Graylog, Fluentd, and/or file output.
https://ddbnl.github.io/office365-audit-log-collector/
MIT License

Type error on run: error decoding response body: invalid type: map, expected a sequence at line 1 column 0 #73

Open helge000 opened 2 months ago

helge000 commented 2 months ago

I am getting this error on run: error decoding response body: invalid type: map, expected a sequence at line 1 column 0

# ./OfficeAuditLogCollector -V
office_audit_log_collector 2.5.0
# RUST_BACKTRACE=full ./OfficeAuditLogCollector --tenant-id ${MS_TENNANT_ID} --client-id ${MS_CLIENT_ID} --secret-key "${MS_SECRET_KEY}" --config config-csv.yaml 
[00:00:00.000] (7fb1a5265940) INFO   Initializing collector.
[00:00:00.000] (7fb1a5265940) INFO   Logging in to Office Management API.
[00:00:00.205] (7fb1a5265940) INFO   Successfully logged in to Office Management API.
[00:00:00.205] (7fb1a5265940) INFO   Subscribing to audit feeds.
[00:00:00.220] (7fb1a5265940) INFO   Getting current audit feed subscriptions.
[00:00:00.269] (7fb1a5265940) ERROR  Could not start collector: error decoding response body: invalid type: map, expected a sequence at line 1 column 0
thread 'main' panicked at src/main.rs:38:17:
Could not start collector: error decoding response body: invalid type: map, expected a sequence at line 1 column 0
stack backtrace:
   0:     0x55bcb13d50d6 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h9c4bd387f9f3f544
   1:     0x55bcb1402790 - core::fmt::write::h938c332fdab924eb
   2:     0x55bcb13d107f - std::io::Write::write_fmt::h4a694b02e44e6363
   3:     0x55bcb13d4eb4 - std::sys_common::backtrace::print::ha888e6736b0bc71f
   4:     0x55bcb13d6587 - std::panicking::default_hook::{{closure}}::he19a7f79f7beab5e
   5:     0x55bcb13d62e9 - std::panicking::default_hook::h67efe04e9a5d446e
   6:     0x55bcb13d6a18 - std::panicking::rust_panic_with_hook::h49021cdbc4b22349
   7:     0x55bcb13d68f2 - std::panicking::begin_panic_handler::{{closure}}::hfbf601f3d8c62d13
   8:     0x55bcb13d55d6 - std::sys_common::backtrace::__rust_end_short_backtrace::h98dd020b6e913806
   9:     0x55bcb13d6644 - rust_begin_unwind
  10:     0x55bcb10938f5 - core::panicking::panic_fmt::h0d3f1893e38be419
  11:     0x55bcb1175f35 - tokio::runtime::park::CachedParkThread::block_on::h6e8bc7ea2850705b
  12:     0x55bcb1100b45 - tokio::runtime::runtime::Runtime::block_on::h7deb878531a93cbf
  13:     0x55bcb1125e67 - office_audit_log_collector::main::h2a1d940d7769ef4f
  14:     0x55bcb10f5273 - std::sys_common::backtrace::__rust_begin_short_backtrace::h7a034c3a8d0153b0
  15:     0x55bcb115d309 - std::rt::lang_start::{{closure}}::ha8937cf3203a545b
  16:     0x55bcb13ca2d1 - std::rt::lang_start_internal::hc3f700406209db2c
  17:     0x55bcb1125f35 - main
  18:     0x7fb1a4a29590 - __libc_start_call_main
  19:     0x7fb1a4a29640 - __libc_start_main_alias_1
  20:     0x55bcb1094145 - _start
  21:                0x0 - <unknown>

The config I am using:

collect:
  skipKnownLogs: True
  workingDir: ./
  maxThreads: 50
  globalTimeout: 5
  retries: 3
  hoursToCollect: 168
  contentTypes:
    Audit.General: True
    Audit.AzureActiveDirectory: True
    Audit.Exchange: True
    Audit.SharePoint: True
    DLP.All: True 
output:
  file:
    path: 'output.csv'
    separateByContentType: True
    separator: ';'

JFHartin commented 1 month ago

Not sure if you fixed this or not yet, but I had the same issue. Granting Admin Consent in the Security--->Permissions section of the app solved it for me, as per this article:
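
The following Python example is added here; it is not from the thread or from the collector's own code. It shows the condition behind "invalid type: map, expected a sequence" (a JSON object arriving where an array of subscriptions was expected) and checks whether an app-only access token carries the application role that admin consent grants. The role name `ActivityFeed.Read`, the function names, and all sample tokens and bodies are assumptions or constructed for the example.

```python
import base64
import json

# Assumption: application permission the Office 365 Management Activity API
# expects in an app-only token once admin consent has been granted.
REQUIRED_ROLE = "ActivityFeed.Read"


def token_roles(access_token: str) -> list:
    """Return the 'roles' claim of a JWT access token (no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("roles", [])


def diagnose(list_body: str, access_token: str) -> str:
    """Classify a subscriptions-list response body and the token behind it."""
    parsed = json.loads(list_body)
    if isinstance(parsed, list):
        return "ok: %d subscription(s)" % len(parsed)
    # A JSON object here is what a decoder expecting an array reports as
    # "invalid type: map, expected a sequence".
    if REQUIRED_ROLE not in token_roles(access_token):
        return "error object returned; token lacks %s (check admin consent)" % REQUIRED_ROLE
    return "error object returned: %s" % json.dumps(parsed, sort_keys=True)


def fake_jwt(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "none"}), enc(claims))


if __name__ == "__main__":
    # Constructed sample data, not captured from the issue.
    no_consent = fake_jwt({"aud": "https://manage.office.com"})
    consented = fake_jwt({"aud": "https://manage.office.com", "roles": [REQUIRED_ROLE]})
    err_body = '{"error": {"code": "EXAMPLE", "message": "constructed"}}'
    ok_body = '[{"contentType": "Audit.General", "status": "enabled"}]'
    print(diagnose(err_body, no_consent))
    print(diagnose(ok_body, consented))
```

For a collector whose output feeds detection, a startup failure like this means no audit events are being ingested, so a check of this kind is worth running whenever the app registration or its permissions change.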