Office 365 input keeps stopping

Hi @gsmith,

Yes, I’m using the “Office 365 Log events” input that is built into Graylog. Here is my current configuration :

image472×858 46 KB

Hre’s the sudo journalctl -xeu graylog-server command output :

juil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: Illegal reflective access by retrofit2.Platform (file:/usr/share/graylog-serjuil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: Please consider reporting this to the maintainers of retrofit2.Platform
juil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective ajuil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: All illegal access operations will be denied in a future release
juil. 18 08:37:21 machine_hostname systemd[1]: Stopping Graylog server...
-- Subject: L'unité (unit) graylog-server.service a commencé à s'arrêter
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- L'unité (unit) graylog-server.service a commencé à s'arrêter.
juil. 18 08:37:21 machine_hostname systemd[1]: graylog-server.service: Main process exited, code=killed, status=15/TERM
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit graylog-server.service has exited.
--
-- The process' exit code is 'killed' and its exit status is 15.
juil. 18 08:37:28 machine_hostname systemd[1]: graylog-server.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit graylog-server.service has successfully entered the 'dead' state.
juil. 18 08:37:28 machine_hostname systemd[1]: Stopped Graylog server.
-- Subject: L'unité (unit) graylog-server.service a terminé son arrêt
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- L'unité (unit) graylog-server.service a terminé son arrêt.
juil. 18 08:37:28 machine_hostname systemd[1]: Started Graylog server.
-- Subject: L'unité (unit) graylog-server.service a terminé son démarrage
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- L'unité (unit) graylog-server.service a terminé son démarrage, avec le résultat done.
juil. 18 08:37:28 machine_hostname graylog-server[22441]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in versionjuil. 18 08:37:28 machine_hostname graylog-server[22441]: WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact perjuil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: An illegal reflective access operation has occurred
juil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: Illegal reflective access by retrofit2.Platform (file:/usr/share/graylog-serjuil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: Please consider reporting this to the maintainers of retrofit2.Platform
juil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective ajuil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: All illegal access operations will be denied in a future release
juil. 18 08:37:51 machine_hostname graylog-server[22441]: SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
juil. 18 08:37:51 machine_hostname graylog-server[22441]: SLF4J: Defaulting to no-operation (NOP) logger implementation
juil. 18 08:37:51 machine_hostname graylog-server[22441]: SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
lines 491-536/536 (END)
juil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: Illegal reflective access by retrofit2.Platform (file:/usr/sjuil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: Please consider reporting this to the maintainers of retrofijuil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: Use --illegal-access=warn to enable warnings of further illejuil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: All illegal access operations will be denied in a future reljuil. 18 08:37:21 machine_hostname systemd[1]: Stopping Graylog server...
-- Subject: L'unité (unit) graylog-server.service a commencé à s'arrêter
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- L'unité (unit) graylog-server.service a commencé à s'arrêter.
juil. 18 08:37:21 machine_hostname systemd[1]: graylog-server.service: Main process exited, code=killed, status=15/TERM
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit graylog-server.service has exited.
--
-- The process' exit code is 'killed' and its exit status is 15.
juil. 18 08:37:28 machine_hostname systemd[1]: graylog-server.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit graylog-server.service has successfully entered the 'dead' state.
juil. 18 08:37:28 machine_hostname systemd[1]: Stopped Graylog server.
-- Subject: L'unité (unit) graylog-server.service a terminé son arrêt
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
lines 491-519/536 95%
juil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: Illegal reflective access by retrofit2.Platform (file:/usr/share/graylog-server/graylog.jar) to constructor java.lang.invoke.MethodHandles$Lookup(j
juil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: Please consider reporting this to the maintainers of retrofit2.Platform
juil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
juil. 18 08:37:10 machine_hostname graylog-server[22172]: WARNING: All illegal access operations will be denied in a future release
juil. 18 08:37:21 machine_hostname systemd[1]: Stopping Graylog server...
-- Subject: L'unité (unit) graylog-server.service a commencé à s'arrêter
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- L'unité (unit) graylog-server.service a commencé à s'arrêter.
juil. 18 08:37:21 machine_hostname systemd[1]: graylog-server.service: Main process exited, code=killed, status=15/TERM
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit graylog-server.service has exited.
--
-- The process' exit code is 'killed' and its exit status is 15.
juil. 18 08:37:28 machine_hostname systemd[1]: graylog-server.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit graylog-server.service has successfully entered the 'dead' state.
juil. 18 08:37:28 machine_hostname systemd[1]: Stopped Graylog server.
-- Subject: L'unité (unit) graylog-server.service a terminé son arrêt
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- L'unité (unit) graylog-server.service a terminé son arrêt.
juil. 18 08:37:28 machine_hostname systemd[1]: Started Graylog server.
-- Subject: L'unité (unit) graylog-server.service a terminé son démarrage
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- L'unité (unit) graylog-server.service a terminé son démarrage, avec le résultat done.
juil. 18 08:37:28 machine_hostname graylog-server[22441]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
juil. 18 08:37:28 machine_hostname graylog-server[22441]: WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
juil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: An illegal reflective access operation has occurred
juil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: Illegal reflective access by retrofit2.Platform (file:/usr/share/graylog-server/graylog.jar) to constructor java.lang.invoke.MethodHandles$Lookup(j
juil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: Please consider reporting this to the maintainers of retrofit2.Platform
juil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
juil. 18 08:37:30 machine_hostname graylog-server[22441]: WARNING: All illegal access operations will be denied in a future release
juil. 18 08:37:51 machine_hostname graylog-server[22441]: SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
juil. 18 08:37:51 machine_hostname graylog-server[22441]: SLF4J: Defaulting to no-operation (NOP) logger implementation
juil. 18 08:37:51 machine_hostname graylog-server[22441]: SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

Here is a part that comes around several times il the 30 last days…

2022-07-11T07:19:23.370+02:00 INFO  [EventProcessorExecutionJob] Event processor <62b07ae129fd030c6f0b5181> is catching up on old data. Combining 60 search windows with catchUpWindowSize=3600000ms: from=2022-07-11T04:02:31.684Z to=2022-07-11T05:02:31.684Z
2022-07-11T07:19:23.506+02:00 INFO  [EventProcessorExecutionJob] Event processor <62b1863629fd030c6f0dc0c3> is catching up on old data. Combining 60 search windows with catchUpWindowSize=3600000ms: from=2022-07-11T04:01:56.491Z to=2022-07-11T05:01:56.491Z
2022-07-11T08:01:38.365+02:00 INFO  [O365PollerTask] Error fetching manifest for Content Type [AZURE_ACTIVE_DIRECTORY]: [java.lang.RuntimeException: Unable to communicate with O365 servers: Retrying failed to complete successfully after 40 attempts.]
2022-07-11T08:01:38.365+02:00 INFO  [InputStateListener] Input [Office 365 Log Events/626639d4f50e1e1453fdf9de] is now STOPPING
2022-07-11T08:01:38.373+02:00 INFO  [InputStateListener] Input [Office 365 Log Events/626639d4f50e1e1453fdf9de] is now STOPPED
2022-07-11T08:01:38.374+02:00 INFO  [InputStateListener] Input [Office 365 Log Events/626639d4f50e1e1453fdf9de] is now TERMINATED
2022-07-11T08:01:41.299+02:00 INFO  [InputStateListener] Input [Office 365 Log Events/626639d4f50e1e1453fdf9de] is now STARTING
2022-07-11T08:01:41.299+02:00 INFO  [InputStateListener] Input [Office 365 Log Events/626639d4f50e1e1453fdf9de] is now RUNNING
2022-07-11T08:01:42.977+02:00 INFO  [O365PollerTask] Error fetching manifest for Content Type [SHAREPOINT]: [java.lang.RuntimeException: Unable to communicate with O365 servers: Retrying failed to complete successfully after 1 attempts.]
2022-07-11T08:01:43.141+02:00 INFO  [O365PollerTask] Error fetching manifest for Content Type [EXCHANGE]: [java.lang.RuntimeException: Unable to communicate with O365 servers: Retrying failed to complete successfully after 1 attempts.]
2022-07-11T08:01:44.325+02:00 INFO  [O365PollerTask] Error fetching manifest for Content Type [GENERAL]: [java.lang.RuntimeException: Unable to communicate with O365 servers: Retrying failed to complete successfully after 1 attempts.]
2022-07-11T08:01:44.663+02:00 INFO  [O365PollerTask] Error fetching manifest for Content Type [DLP_ALL]: [java.lang.RuntimeException: Unable to communicate with O365 servers: Retrying failed to complete successfully after 1 attempts.]
2022-07-11T08:01:44.663+02:00 ERROR [Office365Input] The input has encountered errors while fetching data from Microsoft's O365 servers :: All attempts to fetch logs from 0365 failed
java.lang.RuntimeException: All attempts to fetch logs from 0365 failed
	at org.graylog.enterprise.integrations.office365.O365PollerTask.doRun(O365PollerTask.java:131) ~[graylog-plugin-enterprise-integrations-4.3.2.jar:?]
	at org.graylog.enterprise.integrations.office365.O365PollerTask.run(O365PollerTask.java:51) [graylog-plugin-enterprise-integrations-4.3.2.jar:?]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) [?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
	at java.lang.Thread.run(Thread.java:829) [?:?]
2022-07-11T10:01:21.489+02:00 INFO  [ReportPeriodical] Starting report generation for: Graylog
2022-07-11T10:01:21.492+02:00 INFO  [SystemJobManager] Submitted SystemJob <a6db0a30-00ef-11ed-a881-000c2946405a> [org.graylog.plugins.report.scheduler.ReportRenderSystemJob]
2022-07-11T10:01:21.493+02:00 INFO  [ReportPeriodical] Setting report scheduler configuration: 0 0 10 * * ? *
2022-07-11T10:01:21.493+02:00 INFO  [ReportPeriodical] Next report generation will be at: 2022-07-12T10:00+02:00[Europe/Paris]
2022-07-11T10:01:28.342+02:00 WARN  [RemoteBrowserService] Chrome sandboxing is currently disabled. Please validate your security settings!
2022-07-11T10:01:29.287+02:00 INFO  [SystemJobManager] SystemJob <a6db0a30-00ef-11ed-a881-000c2946405a> [org.graylog.plugins.report.scheduler.ReportRenderSystemJob] finished in 7794ms.
2022-07-11T10:52:09.084+02:00 INFO  [connection] Opened connection [connectionId{localValue:26, serverValue:13}] to localhost:27017

I can’t send you the entire file here, because it’s like 5Mb but I can email you if you want it.

Many thanks for your help, because I can’t figure out what the hell is going on…

Hello,

Thank you , I was able to see what’s going on. Couple things I noticed and to be honest some of this is out of my scope for troubleshooting. I have picked some issue that happened and perhaps it may help further our troubleshooting.

Not sure, but I did find this link about that error.

• SLF4J Error Codes

"SLF4J: Failed to load class “org.slf4j.impl.StaticLoggerBinder”.

This error from my understanding shows that it tried to connect 40 time and failed. Its either a configuration issue but not sure if it on Office side or Graylog side. Or a network issue ( i.e. ports, Selinux, etc…)

[O365PollerTask] Error fetching manifest for Content Type [AZURE_ACTIVE_DIRECTORY]: [java.lang.RuntimeException: Unable to communicate with O365 servers: Retrying failed to complete successfully after 40 attempts.]

After failed connection attempts it just failed to get logs from Microsoft’s O365 servers.

ERROR [Office365Input] The input has encountered errors while fetching data from Microsoft’s O365 servers :: All attempts to fetch logs from 0365 failed

Last, I seen this Warning, Is this Docker Environment? If so are you running Docker-Compose? If not is this Enterprise Version?

WARN [RemoteBrowserService] Chrome sandboxing is currently disabled. Please validate your security settings!

EDIT:
After looking over the Error again, I did a quick search.

All attempts to fetch logs from 0365 failed
at org.graylog.enterprise.integrations.office365.O365PollerTask.doRun(O365PollerTask.java:131) ~[graylog-plugin-enterprise-integrations-4.3.2.jar:?]

By chance do you have Enterprise/Operation license installed? If so have you contacted Customer Support?

image1266×427 39 KB

Hi @gsmith,
Thanks for your fast reply.

I will try to understand what all these logs means. If not, maybe a software reinstallation will be the solution but I hope to not have to get there.

No, it’s a virtual machine running on esxi cluster.

Well, I have an Enterprise license installed, but it’s the free one with a 2gb/day limit. I don’t really know if I can reach out to the customer support with that… But I can try !

Hello,

To be honest, I don’t think you need a fresh installation. Were missing something. What I do know about INPUTs stopping, like TLS/TCP INPUT for example. If the certificates are out dated or incorrect the input might stop, Or if there is a network port confliction, meaning you have an other port opened that the INPUT is also using it will stop.

I understand, You can also post on GitHub the dev’s might be able to shed some light on this issue.

• Sign in to GitHub · GitHub

Or you can post in Graylog Discord channel. perhaps one of these places might be able to help. To be honest I running out of ideas.

Hi @gsmith,

Well, thanks for the help you provided and the time you spent on this issue !

I’ll try these ideas, GitHub and Discord.

I wonder if it’s an issue in the OpenJDK version you have? There are depreciation warnings and I think I saw you are on version 9 where OpenJDK 17 is supported (Listed here)

Good catch defiantly over looked that.

Hi @tmacgbay,

Thanks for this hint !

I’ve installed Java 17 from the official website, and uninstalled the openjdk 11 I was previously running.

I keep you updated on the behaviours of Graylog in the next few days !

It works great again since yesterday !

If all is still ok on wednesday, I’ll mark the @tmacgbay post as a solution.

Well, sorry guys but it didn’t work out for me. I still have this issuen, even after the Java 17 environnent was installed.

Have you tries changing your polling interval?

Hi @tmacgbay,

Yes, I changed it from 1min to 5mins and the same thing happens…

Can you post your connection settings to Azure? Obfuscated where necessary of course. Settings on the Azure side would be helpful too. Can we assume that all the errors in the logs etc. posted up are the same now as they were before? If they have changed any please post those too.

Just checking in, What is kind of odd is these errors.

The input has encountered errors while fetching data from Microsoft's O365 servers :: All attempts to fetch logs from 0365 failed

[O365PollerTask] Error fetching manifest for Content Type [AZURE_ACTIVE_DIRECTORY]: [java.lang.RuntimeException: Unable to communicate with O365 servers: Retrying failed to complete successfully after 40 attempts.

Not 100% sure but it seams like MS is denying access randomly?

I agree with @gsmith - looks more like an MS side issue or perhaps in your network outside of Graylog…

Hi @tmacgbay @gsmith,

I was wondering, has Graylog 4 a cli tool ?

A (not very clean) solution would be to automatically restart the input one a day, using a cron on the server…

This might work but I don’t know how to proceed with the cron, because I ignor if ot is possible to use graylog in command line

@gmorin

I’m not sure if that would be a good route to take, if you have a issue now, it might intensify if you start patching/workaround this problem.

What have you tried the past couple days?

Hi @gsmith,

Definitely not a good idea, I agree…

I tried getting a larger interval between pollings (now at 15 mins), but Graylog or MS Tenant does not behave as expected… Still having the issue related to Java !
I also tried to check if the Office Tenant was correctly configured. Sadly, MS doesn’t show a lot of options so from what I saw all seems correctly configured on the Office side

Here are the last lines of the journalctl -xeu graylog-server command :

-- An ExecStart= process belonging to unit graylog-server.service has exited.
--
-- The process' exit code is 'killed' and its exit status is 15.
juil. 28 12:13:49 servername systemd[1]: graylog-server.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit graylog-server.service has successfully entered the 'dead' state.
juil. 28 12:13:49 servername systemd[1]: Stopped Graylog server.
-- Subject: L'unité (unit) graylog-server.service a terminé son arrêt
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- L'unité (unit) graylog-server.service a terminé son arrêt.
juil. 28 14:28:54 servername systemd[1]: Started Graylog server.
-- Subject: L'unité (unit) graylog-server.service a terminé son démarrage
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- L'unité (unit) graylog-server.service a terminé son démarrage, avec le résultat done.
juil. 28 14:28:55 servername graylog-server[16821]: WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
juil. 28 14:29:12 servername graylog-server[16821]: SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
juil. 28 14:29:12 servername graylog-server[16821]: SLF4J: Defaulting to no-operation (NOP) logger implementation
juil. 28 14:29:12 servername graylog-server[16821]: SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

And here are the logs of the last 10 days : logs_graylog-server_last_10_days.pdf (1.1 MB)
Sorry for the PDF format, It was the only way to send you the whole 10 days logs… Graylog-server is quite chatty ^^

This is interesting because it suggests that SLF4J is resorting to no-operation on a failure to load etc.etc. If you go to the suggested web site it offers a solution. I don’t know enough to understand in depth but it may clear up some of the issues… It is certainly not normal though… seems like something else is out of date, otherwise this would happen to a lot more Graylog installations.

10 days of logs is a lot to go through (TLDR) and harder in a PDF - trimming it down to key issues would be more helpful… A 132 ERRORs to deal with - here are a few:

• Right at the top, you tor-exitnode data adapter is erroring out - needs to be fixed or removed
• 2022-08-08T14:19:40.601+02:00 ERROR [GelfCodec] Could not parse JSON
• 2022-08-08T14:19:40.602+02:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage (a bunch)
• 2022-08-09T10:01:14.239+02:00 ERROR [ReportRenderJob] Failed to send report: javax.mail.SendFailedException: Couldn’t deliver email! at (looks like a TLS cert error)
• 2022-08-09T10:51:16.059+02:00 ERROR [AnyExceptionClassMapper] Unhandled exception in REST resource org.graylog2.contentpacks.exceptions.ContentPackException: Failed to install content pack
• mongodb.DuplicateKeyException: Write failed
  with error code 11000 and error message ‘E11000 duplicate key
  error collection: graylog.pipeline_processor_pipelines index:
  title_1 dup key: { title: “Fail2ban Actions” }’
• 2022-08-09T12:01:14.619+02:00 ERROR [AnyExceptionClassMapper]
  Unhandled exception in REST resource
  java.lang.NullPointerException: Cannot invoke
  “org.antlr.v4.runtime.Token.getText()” because “ctx.varName”
  is null
• 2022-08-09T13:26:45.654+02:00 ERROR [PipelineRuleParser]
  Unable to retrieve expression for variable regex, this is a
  bug

…

This is all a search of the logs for ERROR Although it seems that some of them are not related to your connection to Office365, there may be some that are… the cert issue (TLS) for sending e-mail raises some flags - I chopped off the rest of the error data because it wasn’t needed.

Hopefully tracking down all that will help to find where the M365 sticking point is…

Hello
@tmacgbay I read the whole PDF file took like hour, Oh boy…I see the same errors as you noticed.

@gmorin You have a few issue going on, I will also try to sum it up. I’m pretty much going to repeat the same thing at @tmacgbay stated above. So basically I concur with his statement.

ERROR [DecodingProcessor] Error processing message RawMessage
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
okhttp3.internal.http.RealInterceptorChain.proceed(RealInterce ptorChain.java:142)

Caused by: java.io.EOFException: SSL peer shut down incorrectly

That is a problem of security protocol. I am using TLSv1 but the host accept only TLSv1.1 and TLSv1.2
overcome ssl handshake error.

System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");

2022-08-09T09:21:25.787+02:00 WARN [AbstractTcpTransport]receiveBufferSize (SO_RCVBUF) for input GELFTCPInput{title=GELF TCP,
2022-08-09T10:01:14.239+02:00 ERROR [ReportRenderJob] Failed to send report: javax.mail.SendFailedException: Couldn’t deliver email!
Caused by: javax.mail.MessagingException: Could not convert socket to TLS

PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alert.createSSLException

Seen a lot of SSL connection timeouts. I would look into you certificates and the connection to them.
My issue was the certificate was not trusted (i.e., self-signed cert and not in the trust store).

Type [AZURE_ACTIVE_DIRECTORY]:[java.lang.RuntimeException: Unable to communicate with O365 servers: Retrying failed to complete successfully after 40 attempts.]
Error fetching manifest for Content Type [SHAREPOINT]: [java.lang.RuntimeException: Unable to communicate with O365 servers: Retrying failed to complete successfully after 1 attempts.

ERROR [AnyExceptionClassMapper] Unhandled exception in REST resource java.lang.IllegalArgumentException: No definition for key’ACTION’ found, aborting.

caused by: com.mongodb.DuplicateKeyException: Write failed with error code 11000 and error message ‘E11000 duplicate key error collection: graylog.pipeline_processor_pipelines index:title_1 dup key: { title: “Fail2ban Actions” }’

So… Graylog is having troubles sending Mail, sending reports (i.e., mail), SSL connection time out’s, TOR Adaptor ( holy cow so many), connection issues with 0365 & duplicate keys in mongo.

If this was my situation, I would try to solve these issue one at a time that’s in your Graylog log file. It may help resolve this INPUT issue.