Duplicate azure-logs events

[Daniel]

Hi,

im trying to integrate entraid signins into Wazuh following the official documentation but i noticed that for some reason the module keeps downloading the same events multiple times. This is noticeable by checking the data.createdDateTime field.

This is the config of the module:

  <wodle name="azure-logs">
    <disabled>no</disabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <graph>
      <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
      <tenantdomain>TENANT_PRIMARY_DOMAIN</tenantdomain>

      <!-- Directory Audits -->
      <request>
          <tag>microsoft-entra_id-directoryAudits</tag>
          <query>auditLogs/directoryAudits</query>
          <time_offset>1h</time_offset>
      </request>

      <!-- Sign Ins -->
      <request>
          <tag>microsoft-entra_id-signIns</tag>
          <query>auditLogs/signIns</query>
          <time_offset>1h</time_offset>
      </request>

    </graph>
  </wodle>

Any tips on how to fix this behaviour?

Regards,

Daniel D.

[juan.c...@wazuh.com]

Hi Daniel,
Wazuh keeps a checkpoint that should prevent events from being downloaded multiple times. You can check it's modification time to see if it's advancing or not after you 5 minute interval with:
`ls -l /var/ossec/queue/azure-logs/graph/<tenantdomain>/`
If there are issues writing to it, you should see errors in
`grep azure /var/ossec/logs/ossec.log | tail -n 100`
Feel free to share those logs in case you find anything relevant.

Besides these debugging steps, it's reccomended to keep the time_offset at a value closer to the interval. With your current setup, every 5 minutes you'll be downloading the last 1h of events, when you probably need something closer to those 5 minutes if you already ingested the previous events. This could also be the cause of the duplicate events. Try changing the time_offset value to something like 6 minutes.