microsoft / Microsoft-Purview-Advanced-Rich-Reports-MPARR-Collector

Repository with all the MPARR components solution
MIT License

Authentication token obtained - error #47

Open IMmmKI opened 8 months ago

IMmmKI commented 8 months ago

Hi there,

Is there a way to see additional logs as to why this might be happening?

```
PS C:\MPARR Collector> .\MPARR_run_me.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\MPARR Collector\MPARR_run_me.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): r

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\MPARR Collector\MPARR_Collector.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): r
Connecting to Commercial cloud.
Path 'C:\MPARR Collector\Logs_Updated\' already exists
Subscriptions list:
Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
Audit.General
DLP.All
Obtaining authentication token...Authentication token obtained
Creating Subscriptions....
Audit.AzureActiveDirectory : Subscription already Exists
Audit.Exchange : Subscription already Exists
Audit.SharePoint : Subscription already Exists
Audit.General : Subscription already Exists
DLP.All : Subscription already Exists
Subscription Content Status
Audit.AzureActiveDirectory --->enabled
Audit.Exchange --->enabled
Audit.General --->enabled
Audit.SharePoint --->enabled
DLP.All --->enabled
Checking output folder path
Collecting and Exporting Log data

-> Collecting log data from 'Audit.AzureActiveDirectory': OK
OK
Starting export to LA...
54185 elements exported for Audit.AzureActiveDirectory.

-> Collecting log data from 'Audit.Exchange': OK
Refreshing access token...
Obtaining authentication token...Authentication token obtained
ERROR
{ "Message": "Authorization has been denied for this request." }
Starting export to LA...
0 elements exported for Audit.Exchange.

-> Collecting log data from 'Audit.SharePoint': OK
OK
Starting export to LA...
339 elements exported for Audit.SharePoint.

-> Collecting log data from 'Audit.General': OK
Refreshing access token...
Obtaining authentication token...Authentication token obtained
ERROR
{ "Message": "Authorization has been denied for this request." }
Starting export to LA...
0 elements exported for Audit.General.

-> Collecting log data from 'DLP.All': OK
OK
Starting export to LA...
465 elements exported for DLP.All.
PS C:\MPARR Collector>
```

I am mainly seeing this happen with the audit.general, which has caused there to be no table created in the LA account.

The audit.exchange seems to fail randomly.


ProfKaz commented 8 months ago

Is this the first time that you are running MPARR, or was it working fine previously? What happens if you run it again?

snkancharla2002 commented 8 months ago

Hi, I am also getting the same error message in our environment for "Audit.General". I have no issues with the remaining ones. Any help would be highly appreciated.

Regards Satya

ProfKaz commented 8 months ago

> Hi, I am also getting the same error message in our environment for "Audit.General". I have no issues with the remaining ones. Any help would be highly appreciated.
>
> Regards Satya

I'm working on a new version of the collector; meanwhile, you can try duplicating the MPARR Collector folder and modifying the schemas.json file. The Office 365 Management API returns the data in 5 groups; each group is identified in schemas.json and all of them are set to True. Having two folders, you can set AuditGeneral to true and the rest to false in one, and vice versa in the other, and execute 2 instances of MPARR. Please let me know if that works.

snkancharla2002 commented 7 months ago

Hi, thanks for your advice. Please let us know when you release the new version of the collector. I followed your steps and was able to run it manually, but when I configured it as a scheduled task it is not working. Is there any additional configuration required?

ProfKaz commented 7 months ago

> Hi, thanks for your advice. Please let us know when you release the new version of the collector. I followed your steps and was able to run it manually, but when I configured it as a scheduled task it is not working. Is there any additional configuration required?

I'm working on some small adjustments to the scripts; I hope to have the new ones ready soon. Now, if you are having issues running it as a task, maybe you are using Windows Server as the OS; in that case it is required to sign the scripts. If you use MPARR_Setup, you can sign the scripts using menu number 8.
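
An added example, not part of the thread or of the MPARR scripts: a PowerShell check of why the collector scripts prompt when run by hand (the "Security warning" in the transcript above) and can fail unattended, reporting each script's download mark and Authenticode signature status and optionally signing them. The `$CollectorPath` default is taken from the transcript; the `-Sign` switch and the presence of a code-signing certificate in the current user's store are assumptions.

```powershell
# Added example (not part of MPARR). Assumption: the collector lives in the
# folder shown in the transcript; adjust $CollectorPath for your install.
param(
    [string]$CollectorPath = 'C:\MPARR Collector',
    [switch]$Sign   # hypothetical switch: sign scripts that are not validly signed
)

# Execution policy per scope. A scheduled task usually runs non-interactively,
# so a prompt like the one in the transcript cannot be answered there.
Get-ExecutionPolicy -List | Format-Table -AutoSize

$report = foreach ($script in Get-ChildItem -LiteralPath $CollectorPath -Filter *.ps1 -File) {
    # Zone.Identifier is the alternate data stream that marks a downloaded file
    $motw = Get-Item -LiteralPath $script.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -LiteralPath $script.FullName
    [pscustomobject]@{
        Script     = $script.Name
        Downloaded = [bool]$motw
        Signature  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer     = $sig.SignerCertificate.Subject
    }
}
$report | Format-Table -AutoSize

if ($Sign) {
    # Assumption: a code-signing certificate is already installed for this user
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No valid code-signing certificate in Cert:\CurrentUser\My' }

    foreach ($row in $report | Where-Object Signature -ne 'Valid') {
        $path = Join-Path $CollectorPath $row.Script
        Unblock-File -LiteralPath $path      # remove the download mark
        $result = Set-AuthenticodeSignature -FilePath $path -Certificate $cert
        '{0}: {1}' -f $row.Script, $result.Status
    }
}
```

A `Valid` status requires the signing certificate to chain to a root that the machine running the task trusts.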