Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AzureActiveDirectory Logs not pulled #55

Open
andy13th opened this issue Nov 4, 2020 · 3 comments
Open

AzureActiveDirectory Logs not pulled #55

andy13th opened this issue Nov 4, 2020 · 3 comments

Comments

@andy13th
Copy link

andy13th commented Nov 4, 2020

I have been using o365beat to pull in logs successfully from 3 different tenants for the last couple of months. As of the 1st of November no AzureActiveDirectory logs have been pulled. I have checked the logs, o365beat.txt and the config file,
o365beat.yml.txt and cannot find an error.
@joda55
Copy link

joda55 commented Nov 4, 2020
edited
Loading

Hi, I have exactly the same issue with several tenants/installations. All stopped in the night from Oct 29 to 30. I already debugged a little in the logs, it seems that Microsoft does not respond to the API request as expected anymore:

https://manage.office.com/api/v1.0/<tenant-id>/activity/feed/subscriptions/content

See debug log details here:

2020-11-02T12:58:12.552+0100 DEBUG [api] beater/o365beat.go:243 getting available content from https://manage.office.com/api/v1.0/<tenant-id>/activity/feed/subscriptions/content of type Audit.AzureActiveDirectory between 2020-11-01 12:58:12.552718141 +0100 CET m=-86399.488911711 and 2020-11-02 12:58:12.552718141 +0100 CET m=+0.511088289 2020-11-02T12:58:12.552+0100 WARN beater/o365beat.go:249 start (2020-11-01 12:58:12.552718141 +0100 CET m=-86399.488911711) must be <=24 hrs ago, resetting 2020-11-02T12:58:12.552+0100 DEBUG [api] beater/o365beat.go:115 issuing api request: https://manage.office.com/api/v1.0/<tenant-id>/activity/feed/subscriptions/content?PublisherIdentifier=<tenant-id>&contentType=Audit.AzureActiveDirectory&endTime=2020-11-02T11%3A58%3A12&startTime=2020-11-01T11%3A58%3A12 2020-11-02T12:58:12.640+0100 INFO beater/o365beat.go:292 got 0 available content

Formerly there was quite some content returned on that API request.

ExchangeAudit and SharepointAudit continue working properly, though.

Update, just a side note: one installation was stopped for a couple of days; it did not fetch the logs for ~a week. When restarted on 2nd of Nov it was able to fetch all missing logs - until day 29 of Oct. So it seem the API is still working properly, but Microsoft is not handing over the information to the message queue anymore.

@adammike
Copy link

Is this still an issue?

@joda55
Copy link

joda55 commented May 3, 2021

Hi, after a couple of days / weeks (different customer, different time) Microsoft recovered it's service and is back responding properly on the API requests. It also seems that the queue did not get (completely) flushed by MS in the meantime, so past events could get polled. I suggest to close this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@andy13th @adammike @joda55