counteractive/o365beat

AzureActiveDirectory Logs not pulled

andy13th opened this issue · 3 comments

I have been using o365beat to pull in logs successfully from 3 different tenants for the last couple of months. As of the 1st of November no AzureActiveDirectory logs have been pulled. I have checked the logs, o365beat.txt and the config file, o365beat.yml.txt and cannot find an error.

Hi, I have exactly the same issue with several tenants/installations. All stopped in the night from Oct 29 to 30. I already debugged a little in the logs. It seems that Microsoft does not respond to the API request as expected anymore:

https://manage.office.com/api/v1.0/<tenant-id>/activity/feed/subscriptions/content

See debug log details here:

2020-11-02T12:58:12.552+0100 DEBUG [api] beater/o365beat.go:243 getting available content from https://manage.office.com/api/v1.0/<tenant-id>/activity/feed/subscriptions/content of type Audit.AzureActiveDirectory between 2020-11-01 12:58:12.552718141 +0100 CET m=-86399.488911711 and 2020-11-02 12:58:12.552718141 +0100 CET m=+0.511088289
2020-11-02T12:58:12.552+0100 WARN beater/o365beat.go:249 start (2020-11-01 12:58:12.552718141 +0100 CET m=-86399.488911711) must be <=24 hrs ago, resetting
2020-11-02T12:58:12.552+0100 DEBUG [api] beater/o365beat.go:115 issuing api request: https://manage.office.com/api/v1.0/<tenant-id>/activity/feed/subscriptions/content?PublisherIdentifier=<tenant-id>&contentType=Audit.AzureActiveDirectory&endTime=2020-11-02T11%3A58%3A12&startTime=2020-11-01T11%3A58%3A12
2020-11-02T12:58:12.640+0100 INFO beater/o365beat.go:292 got 0 available content

Formerly there was quite some content returned on that API request.

ExchangeAudit and SharepointAudit continue working properly, though.

Update, just a side note: one installation was stopped for a couple of days; it did not fetch the logs for ~a week. When restarted on 2nd of Nov it was able to fetch all missing logs - until day 29 of Oct. So it seems the API is still working properly, but Microsoft is not handing over the information to the message queue anymore.
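The failure described above produces no error, only `got 0 available content` for one content type while the others keep flowing, so it has to be detected as an ingestion gap. The following is an added example, not part of the thread or of o365beat: it parses the two debug-log line shapes quoted above and flags a content type whose recent polls were all empty while another type still returned content. The sample log lines, the `min_polls` threshold and the assumption that each `got N` line belongs to the preceding `of type X` line are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns follow the two o365beat log lines quoted in the thread.
TYPE_RE = re.compile(r"getting available content from \S+ of type (\S+) between")
GOT_RE = re.compile(r"got (\d+) available content")

def poll_counts(lines):
    """Return {content_type: [available-content count per poll, in log order]}."""
    counts, current = defaultdict(list), None
    for line in lines:
        m = TYPE_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = GOT_RE.search(line)
        # Assumption: a "got N" line answers the most recent "of type X" line.
        if m and current is not None:
            counts[current].append(int(m.group(1)))
            current = None
    return dict(counts)

def silent_feeds(counts, min_polls=3):
    """Types whose last `min_polls` polls were all empty while some other
    type still returned content (so the API and credentials evidently work)."""
    tails = {t: c[-min_polls:] for t, c in counts.items()}
    active = {t for t, tail in tails.items() if any(tail)}
    return sorted(t for t, tail in tails.items()
                  if len(tail) == min_polls and not any(tail) and active - {t})

def _poll(ts, ctype, n):
    """Build one constructed request/response pair in the thread's log format."""
    url = "https://manage.office.com/api/v1.0/<tenant-id>/activity/feed/subscriptions/content"
    return [f"{ts} DEBUG [api] beater/o365beat.go:243 getting available content "
            f"from {url} of type {ctype} between <start> and <end>",
            f"{ts} INFO beater/o365beat.go:292 got {n} available content"]

# Constructed sample: AzureActiveDirectory goes quiet after the first poll.
SAMPLE_LOG = [line
              for ts, aad, exo, spo in [("2020-10-29T12:00:00.000+0100", 12, 30, 7),
                                        ("2020-10-30T12:00:00.000+0100", 0, 25, 0),
                                        ("2020-10-31T12:00:00.000+0100", 0, 18, 4),
                                        ("2020-11-01T12:00:00.000+0100", 0, 22, 9)]
              for ctype, n in [("Audit.AzureActiveDirectory", aad),
                               ("Audit.Exchange", exo), ("Audit.SharePoint", spo)]
              for line in _poll(ts, ctype, n)]

if __name__ == "__main__":
    print(silent_feeds(poll_counts(SAMPLE_LOG)))
```

When every content type is empty the function flags nothing, since that pattern cannot be told apart from a quiet tenant or a full outage from the log alone.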

Is this still an issue?

Hi, after a couple of days / weeks (different customer, different time) Microsoft recovered its service and is back responding properly on the API requests. It also seems that the queue did not get (completely) flushed by MS in the meantime, so past events could get polled. I suggest closing this issue.