Office 365 into Graylog

Hi all, I’ve attempted to use the Office 365 script found here to get our 365 logs into Graylog: https://marketplace.graylog.org/addons/c2847486-0cbc-46da-b1ee-2b19f9b9640e but am not seeing any logs in Graylog so far for this input. I know the Azure/365 API side works as we had it running with a different SIEM doing the same thing.

The steps I’ve taken have been to download the scripts from Git onto the Graylog machine and run the suggested command in the Github instructions. There are no errors given and it appears to run the script, as it loads for a few seconds and then gives me my prompt back, but nothing seems to happen.

Has anyone got any ideas? Or perhaps a better way of getting 365 logs into Graylog?

I know how annoying it is for other people in the future who are struggling with the same issue as this and there’s no solution posted, so here is how I got this working for me:

  1. I downloaded the office 365 audit collector scripts from GitHub here https://github.com/ddbnl/office365-audit-log-collector to my Graylog Ubuntu server.

  2. I extracted the zip file to obtain all of the separate .py scripts.

  3. Although it seemed counterintuitive, I ran the AuditLogSubscriber.py script BEFORE running the AuditLogCollector.py script. This seemed to make it work for me.

  4. Should be number 1 really, but I’d already created an application in Azure that had permissions to read the 365 audit logs, following the instructions here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#adding-an-application.

  5. When creating the Azure application, make sure to write down your TenantID, ClientID/Key of the application and Secret Key that is generated when creating the application. These are needed for the next step.

  6. Fill in the above details when prompted to after running the AuditLogSubscriber script. Also enable all of the options (Azure AD, Exchange, SharePoint etc).

  7. On Graylog, create a new input. This should be a Raw TCP input, with only the node and port number needing to be set. I also set the source override but that’s not necessary.

  8. Next run the AuditLogCollector.py script. I used the following command: python3 AuditLogCollector.py 'my tenant id' 'my client id/key' 'my secret key' --exchange --dlp --azure_ad --general --sharepoint -g -gA 10.x.x.x -gP 6xxx.

  9. For info, -gA is your Graylog IP and -gP is the port you will be using on Graylog for the input.

  10. Once you run the AuditLogCollector.py command above, you should see unformatted log data arriving in Graylog. You can check the AuditLogCollector.log file that will have been created in the same folder that you run the py script in if you experience any errors. You can also add "-d" to the command above to log verbose debugging.

  11. I noticed that this would only grab 365 data from Azure when the AuditLogCollector.py command was run, so I made the command into a bash script and set a cron job to run every 5 minutes.
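As an added example (not from the thread or the collector project), here is one way to turn the step 8 command into the cron wrapper mentioned in step 11. It assumes a checkout in COLLECTOR_DIR, a root-only KEY=VALUE config file holding the tenant, client and secret values from step 5, and Linux `stat`/`flock`; the path, file names and the `run` argument are my own choices.

```shell
#!/bin/sh
# o365-collector.sh: cron wrapper around the AuditLogCollector.py command
# from step 8 (added example, not part of the thread). Assumptions: collector
# checkout in COLLECTOR_DIR, credentials in a root-only KEY=VALUE file, Graylog
# raw TCP input (step 7) listening on GRAYLOG_HOST:GRAYLOG_PORT.
COLLECTOR_DIR="${COLLECTOR_DIR:-/opt/office365-audit-log-collector}"
CONFIG_FILE="${CONFIG_FILE:-/etc/o365-collector.conf}"
LOCK_FILE="${LOCK_FILE:-/var/lock/o365-collector.lock}"

# Accept only 1..65535 so a typo in -gP fails loudly instead of silently
# sending nothing to Graylog.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Source TENANT_ID, CLIENT_ID, CLIENT_SECRET, GRAYLOG_HOST, GRAYLOG_PORT from
# a 0600 file: the secret then stays out of the crontab and shell history
# (it is still passed to the Python script as an argument, as in step 8).
load_config() {
    [ -f "$1" ] || { echo "config $1 missing" >&2; return 1; }
    [ "$(stat -c %a "$1")" = 600 ] || { echo "$1 must be mode 0600" >&2; return 1; }
    . "$1"
    for v in TENANT_ID CLIENT_ID CLIENT_SECRET GRAYLOG_HOST GRAYLOG_PORT; do
        eval "[ -n \"\${$v:-}\" ]" || { echo "$v not set in $1" >&2; return 1; }
    done
    valid_port "$GRAYLOG_PORT" || { echo "bad GRAYLOG_PORT '$GRAYLOG_PORT'" >&2; return 1; }
}

# flock -n prevents overlapping runs when the 5-minute cron fires while a
# slow earlier pull is still talking to the Office 365 API. Errors from the
# collector itself still land in AuditLogCollector.log in COLLECTOR_DIR (step 10).
run_collector() {
    load_config "$CONFIG_FILE" || return 1
    cd "$COLLECTOR_DIR" || return 1
    exec flock -n "$LOCK_FILE" python3 AuditLogCollector.py \
        "$TENANT_ID" "$CLIENT_ID" "$CLIENT_SECRET" \
        --exchange --dlp --azure_ad --general --sharepoint \
        -g -gA "$GRAYLOG_HOST" -gP "$GRAYLOG_PORT"
}

# crontab entry for the user that owns the checkout, matching step 11:
# */5 * * * * /usr/local/bin/o365-collector.sh run >>/var/log/o365-collector.cron.log 2>&1
if [ "${1:-}" = "run" ]; then
    run_collector
fi
```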
