Hello everyone!
1. Describe your incident:
I’ve been trying to get M365 Defender logs sent to Graylog.
2. Describe your environment:
- OS Information: Debian 12 Bookworm
- Package Version: Graylog 5.2.1, Elasticsearch 7.1.2, MongoDB 7.0.3
- Service logs, configurations, and environment variables: for the configuration of my Graylog I haven't changed anything except the time zone and the access to the web UI.
3. What steps have you already taken to try and solve the problem?
I have been looking for different ways to get those logs, but as I am far from being a specialist I've encountered different problems. I've tried following this GitHub project, ddbnl/office365-audit-log-collector ("Collect / retrieve Office365, AzureAD and DLP audit logs and output to PRTG, Azure Log Analytics Workspace, SQL, Graylog, Fluentd, and/or file output"), but encountered an issue with the access_token. The error was:
Starting run @ 2023-11-21 11:20:11.651446. Content: deque(['Audit.General', 'Audit.AzureActiveDirectory', 'Audit.Exchange', 'Audit.SharePoint', 'DLP.All']).
thread '' panicked at 'called `Result::unwrap()` on an `Err` value: reqwest::Error { kind: Decode, source: Error("missing field access_token", line: 1, column: 560) }', src/api_connection.rs:57:14
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last):
  File "AuditLogCollector.py", line 712, in
  File "AuditLogCollector.py", line 71, in run
  File "AuditLogCollector.py", line 84, in run_once
  File "AuditLogCollector.py", line 105, in receive_results_from_rust_engine
pyo3_runtime.PanicException: called `Result::unwrap()` on an `Err` value: reqwest::Error { kind: Decode, source: Error("missing field access_token", line: 1, column: 560) }
[109274] Failed to execute script 'AuditLogCollector' due to unhandled exception!
I've also tried creating a script myself to pull the logs from Defender, but didn't succeed as I don't know coding at all; I tried some stuff but it was pretty bad.
4. How can the community help?
It would be great if you guys know a way to do it without paying and could tell me about it!
Thanks everyone for taking the time to read this topic. Hoping to hear from you soon!
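The `missing field access_token` decode error in the post means the token endpoint answered with a JSON body that carried no `access_token`, which is normally an error document from the identity platform (wrong secret, missing API permission or admin consent, wrong tenant) rather than a token. As an added example (not the original post's code and not the collector project's), this Python snippet performs the same client-credentials request and reports the endpoint's `error` / `error_description` instead of failing on the missing field; the endpoint URL and scope are assumptions and the sample response bodies are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoint and scope (Microsoft identity platform v2.0 token endpoint,
# Office 365 Management API resource); adjust the tenant as needed.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://manage.office.com/.default"

# Constructed sample bodies: a successful issuance and an identity-platform
# error document, the shape that yields "missing field access_token".
SAMPLE_OK = '{"token_type":"Bearer","expires_in":3599,"access_token":"constructed-token"}'
SAMPLE_ERR = ('{"error":"invalid_client","error_description":'
              '"constructed: the client secret is wrong or expired.\\r\\nTrace ID: 0000"}')


class TokenError(RuntimeError):
    """The endpoint answered but did not issue a token."""


def parse_token_response(body: str) -> str:
    """Return the access token, or raise TokenError naming the endpoint's error.

    A strict deserialiser dies with 'missing field access_token' here; reading
    `error` / `error_description` instead says why no token was issued.
    """
    doc = json.loads(body)
    if "access_token" in doc:
        return doc["access_token"]
    if "error" in doc:
        # The first line of the description names the cause; the rest is trace data.
        lines = str(doc.get("error_description", "")).splitlines()
        msg = str(doc["error"]) + (": " + lines[0] if lines else "")
        raise TokenError(msg)
    raise TokenError(f"no access_token in response; fields: {sorted(doc)}")


def fetch_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials exchange that surfaces the endpoint's error body."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": SCOPE,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=data)
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as exc:
        body = exc.read().decode()  # error documents arrive with HTTP 400/401
    return parse_token_response(body)
```

Running `fetch_token` with the app registration's tenant id, client id and secret will either return a token or print the identity platform's own reason for refusing one, which is the detail the collector's panic hides.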