Office365 integration no longer receiving UserLoggedIn events


Nathan D.

Dec 11, 2025, 10:11:25 AM (6 days ago) Dec 11
to Wazuh | Mailing List
Hi everyone,

I am using the native Wazuh Office 365 integration as described in the documentation:
https://documentation.wazuh.com/current/cloud-security/office365/monitoring-office365-activity.html

Everything was working fine until recently.
I used to receive Microsoft 365 UserLoggedIn and UserLoginFailed events without any problems from the 4 tenants I had registered.

However, since yesterday, I am only receiving:

  • UserLoginFailed

  • Update user

  • Search

  • Add service principal

  • other AzureAD / Exchange audit events

But I am no longer receiving any UserLoggedIn events at all, even though:

  • The event still appears correctly when running Search-UnifiedAuditLog in PowerShell.

  • My Azure AD application still has the required API permissions.

  • The following subscriptions are configured in ossec.conf:

    <subscriptions>
        <subscription>Audit.SharePoint</subscription>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.General</subscription>
        <subscription>Audit.Exchange</subscription>
    </subscriptions>

But since I upgraded to version 4.14.1 yesterday, I am no longer receiving events either in the dashboard or in the alert.json file.

I don't know what happened.
Thank you very much for your help!
DRISS N.



Hein Khant Shane

Dec 11, 2025, 11:21:38 AM (6 days ago) Dec 11
to Wazuh | Mailing List
Same as you, I also have not received logs.

Jorge Ardila

Dec 11, 2025, 12:52:52 PM (6 days ago) Dec 11
to Wazuh | Mailing List
Hi Nathan D.

To investigate this behavior, we need your help by providing the following information:
  • The full <office365> block from the ossec.conf file.
    (Please remove or mask any sensitive credentials.)
  • Relevant excerpts from ossec.log related to Office365
    (the latest 5–10 minutes, especially lines referencing Office365, Azure, subscriptions, audit events, warnings, or errors). Path: /var/ossec/logs/ossec.log
  • Relevant excerpts from integrations.log
    from the same time window when the UserLoggedIn events should appear. Path: /var/ossec/logs/integrations.log
Thanks.

Anil Kumar

Dec 11, 2025, 1:56:56 PM (6 days ago) Dec 11
to Hein Khant Shane, Wazuh | Mailing List
Same here. Looks like this upgrade has something to it. 




Jorge Ardila

Dec 14, 2025, 5:17:20 PM (3 days ago) Dec 14
to Wazuh | Mailing List
Hi Nathan.

I created an environment using Wazuh 4.14.1 on my side, and the events are being received correctly. Could you please share the logs requested earlier, as well as the contents of the alerts.log file?

Thanks

Nathan D.

Dec 14, 2025, 5:17:23 PM (3 days ago) Dec 14
to Wazuh | Mailing List
Hello everyone,

Thank you for your feedback.

Here is my Office 365 block in the ossec.conf file:
<office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>

    <api_auth>
      <tenant_id>TENANT_ID</tenant_id>
      <client_id>APP_ID</client_id>
      <client_secret>SECRET</client_secret>
      <api_type>commercial</api_type>
    </api_auth>

    <api_auth>
      <tenant_id>TENANT_ID</tenant_id>
      <client_id>APP_ID</client_id>
      <client_secret>SECRET</client_secret>
      <api_type>commercial</api_type>
    </api_auth>

    <api_auth>
      <tenant_id>TENANT_ID</tenant_id>
      <client_id>APP_ID</client_id>
      <client_secret>SECRET</client_secret>
      <api_type>commercial</api_type>
    </api_auth>

    <api_auth>
      <tenant_id>TENANT_ID</tenant_id>
      <client_id>APP_ID</client_id>
      <client_secret>SECRET</client_secret>
      <api_type>commercial</api_type>
    </api_auth>

    <subscriptions>
      <subscription>Audit.SharePoint</subscription>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit.General</subscription>
      <subscription>Audit.Exchange</subscription>
    </subscriptions>
</office365>

As for the log files, I admit that I cannot see anything in them. Do I need to enable an option to get the Office 365 logs, as I have never had them before?

Thank you and have a nice day!

Nathan D.

Dec 15, 2025, 7:05:32 AM (2 days ago) Dec 15
to Wazuh | Mailing List
I'll get back to you.

I sent you two screenshots.

One shows what I receive in ossec.log, and personally, I think it works.

The second shows an example of what I receive in alert.log, but I receive several like this.

However, for integration.log, I don't see anything related to Office365.
Osseclogoffice365.png
Exampleofalertlog.png

Jorge Ardila

Dec 15, 2025, 9:16:59 AM (2 days ago) Dec 15
to Wazuh | Mailing List
Good day, Nathan.

Could you please let me know which version you were using prior to the upgrade?

Additionally, could you share the last 5–10 minutes of your log files in TXT format? Please perform any Microsoft 365 activity that generates logs during that time window.

Thanks.

Nathan D.

Dec 15, 2025, 11:17:26 AM (2 days ago) Dec 15
to Wazuh | Mailing List
That's all I can get by running 'cat' on my files: ossec.log and alert.log.
I hope that's enough, but if you need anything else, I'm here.

Otherwise, I'm still getting alerts in alert.json and in my dashboard.
office365_last_10min.txt
ossec_last_10min.txt

Nathan D.

Dec 16, 2025, 3:18:32 AM (yesterday) Dec 16
to Wazuh | Mailing List
Hello,

I see that I forgot to specify my version before the upgrade.

Wazuh was at 4.13.1.

Have a nice day

Nathan D.

Dec 16, 2025, 5:52:55 AM (yesterday) Dec 16
to Wazuh | Mailing List
I just found the problem. When I updated, the ruleset was reset to default, I guess.

And I only keep rules >= 5, and this rule is level 3, so I couldn't see it in my dashboard.

I wanted to let you know, and thank you!
Have a nice day.
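The failure mode Nathan found (events present in alerts.json but invisible behind a "level >= 5" filter) is easy to reproduce offline before blaming the integration. The script below is an added example, not code from this thread or from the Wazuh project: it reads alerts.json-style lines and reports which Office 365 operations a level filter hides entirely, together with the rule ids that fired for them. It assumes the usual Wazuh alert layout (one JSON object per line, the Office 365 payload under data.office365, the matched rule under rule.level and rule.id); the sample alerts are constructed and their rule ids are placeholders, not real Wazuh rule ids.

```python
"""Which Office 365 operations does a rule-level filter hide?

Added example (not Wazuh project code). Assumes the Wazuh alerts.json layout:
one JSON object per line, the Office 365 payload under data.office365 and the
matched rule under rule.level / rule.id. Sample alerts are constructed and the
rule ids below are placeholders, not real Wazuh rule ids.
"""
import json
from collections import Counter, defaultdict

# Constructed alerts.json lines mirroring the thread: UserLoggedIn fires at
# level 3, the other Office 365 operations at level 5 or higher, plus one
# unrelated syscheck alert that must be ignored.
SAMPLE_ALERTS_JSON = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2025-12-16T08:00:01.000+0000",
     "rule": {"level": 3, "id": "100001", "description": "Office 365: user logged in"},
     "data": {"integration": "office365",
              "office365": {"Operation": "UserLoggedIn", "UserId": "alice@example.com"}}},
    {"timestamp": "2025-12-16T08:00:07.000+0000",
     "rule": {"level": 5, "id": "100002", "description": "Office 365: user login failed"},
     "data": {"integration": "office365",
              "office365": {"Operation": "UserLoginFailed", "UserId": "bob@example.com"}}},
    {"timestamp": "2025-12-16T08:00:12.000+0000",
     "rule": {"level": 8, "id": "100003", "description": "Office 365: service principal added"},
     "data": {"integration": "office365",
              "office365": {"Operation": "Add service principal", "UserId": "admin@example.com"}}},
    {"timestamp": "2025-12-16T08:00:20.000+0000",
     "rule": {"level": 3, "id": "100001", "description": "Office 365: user logged in"},
     "data": {"integration": "office365",
              "office365": {"Operation": "UserLoggedIn", "UserId": "carol@example.com"}}},
    {"timestamp": "2025-12-16T08:00:25.000+0000",
     "rule": {"level": 3, "id": "100004", "description": "File modified"},
     "data": {"syscheck": {"path": "/etc/hosts"}}},
]) + "\n"


def parse_alerts(text):
    """Parse alerts.json content. Blank and malformed lines (for example a
    line cut in half by `tail`) are skipped instead of aborting the pass."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def office365_operation(alert):
    """Office 365 Operation of an alert, or None for non-Office 365 alerts."""
    return alert.get("data", {}).get("office365", {}).get("Operation")


def rule_level(alert):
    return int(alert.get("rule", {}).get("level", 0))


def visible_counts(alerts, min_level):
    """Operation counts a viewer that keeps only rule.level >= min_level sees."""
    counts = Counter()
    for alert in alerts:
        op = office365_operation(alert)
        if op is not None and rule_level(alert) >= min_level:
            counts[op] += 1
    return counts


def hidden_operations(alerts, min_level):
    """Office 365 operations present in alerts.json but never visible under the
    filter. Returns {operation: {"rule_ids": [...], "max_level": n}} so the
    reader knows which rule to raise, or how far to lower the filter."""
    seen = defaultdict(lambda: {"rule_ids": set(), "max_level": 0})
    for alert in alerts:
        op = office365_operation(alert)
        if op is None:
            continue
        seen[op]["rule_ids"].add(str(alert.get("rule", {}).get("id", "?")))
        seen[op]["max_level"] = max(seen[op]["max_level"], rule_level(alert))
    return {op: {"rule_ids": sorted(v["rule_ids"]), "max_level": v["max_level"]}
            for op, v in seen.items() if v["max_level"] < min_level}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS_JSON)
    threshold = 5
    print("visible at level >= %d: %s" % (threshold, dict(visible_counts(alerts, threshold))))
    for op, info in hidden_operations(alerts, threshold).items():
        print("hidden: %s (rules %s, max level %d)"
              % (op, ", ".join(info["rule_ids"]), info["max_level"]))
```

Point it at the real file with `parse_alerts(open("/var/ossec/logs/alerts/alerts.json").read())`. If an operation comes back as hidden, the fix belongs on the rule side rather than in the office365 block: either lower the dashboard filter or copy the matching rule into local_rules.xml with `overwrite="yes"` and a higher level, so a ruleset reset on the next upgrade does not silently drop it again.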

Jorge Ardila

Dec 16, 2025, 9:58:06 AM (yesterday) Dec 16
to Wazuh | Mailing List
Hello Nathan.

Thank you for letting us know that the problem was solved.

Have a nice day.