Hi! First of all, I highly suggest reviewing the following documentation, which may be useful in case any steps were missed when setting up the environment for version 4.11:
- https://wazuh.com/blog/monitor-office-365-with-wazuh/
- https://documentation.wazuh.com/4.11/cloud-security/office365/monitoring-office365-activity.html
Turn on Office365 module debug and inspect the real error
Those “Sending Office365 internal message … tenant connected successfully” lines just show high-level status. To see the actual HTTP/API errors, enable module debug:
Edit /var/ossec/etc/local_internal_options.conf (create it if it doesn’t exist) and add:
wazuh_modules.debug=2
sudo systemctl restart wazuh-manager
Now watch /var/ossec/logs/ossec.log for office365 messages:
sudo tail -f /var/ossec/logs/ossec.log | grep office365
You’re looking for lines like "Unknown error while getting access token", "StartSubscription [CorrId=...] ... failed." or "Unknown error in the response field".
Whatever you see there will usually map directly to a Microsoft error.
Check the Microsoft side: audit, subscriptions, and licensing
a) Make sure Audit logging is actually enabled
In the Microsoft Purview compliance portal:
1. Go to Audit.
2. Open Audit settings.
3. Ensure “Start recording user and admin activity” is turned On (Unified Audit Log).
If this was off, O365 will happily authenticate your app, but there will be no content blobs for Wazuh to pull.
b) Validate the app registration & API permissions
In Azure / Entra ID → App registrations → your Wazuh app:
Under API permissions, you should have: Office 365 Management APIs, ActivityFeed.Read, ActivityFeed.ReadDlp (if you use DLP), ServiceHealth.Read
All of them should be Application permissions with Admin consent granted.
c) Confirm subscription status via API (outside of Wazuh)
Since your logs say the tenant connects successfully, test the Microsoft API directly:
Double-check your <office365> block in ossec.conf
It’s worth verifying every field; here is an example configuration:
<office365>
  <enabled>yes</enabled>
  <interval>1m</interval>
  <curl_max_size>1M</curl_max_size>
  <only_future_events>yes</only_future_events>
  <api_auth>
    <tenant_id>your_tenant_id</tenant_id>
    <client_id>your_client_id</client_id>
    <client_secret>your_client_secret</client_secret>
    <api_type>commercial</api_type>
  </api_auth>
  <subscriptions>
    <subscription>Audit.AzureActiveDirectory</subscription>
    <subscription>Audit.General</subscription>
  </subscriptions>
</office365>
If after trying these steps the issue is not resolved, please send me the debug logs so we can identify the problem and proceed accordingly.
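As an added example (not part of the reply above and not Wazuh's own code), this script does the "confirm subscription status outside of Wazuh" check from step c): it obtains a client-credentials token for the Office 365 Management Activity API and compares the subscriptions the tenant reports as enabled against the content types listed in the <subscriptions> block. It assumes the commercial cloud endpoints (api_type commercial); the sample API reply embedded at the bottom is constructed, not real tenant output.

```python
"""Verify Office 365 Management Activity API subscriptions independently of Wazuh.

Assumes commercial endpoints and an app registration holding the
ActivityFeed.Read application permission with admin consent granted.
"""
import json
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
MANAGE = "https://manage.office.com/api/v1.0"


def get_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Client-credentials flow; the scope is the Management API's .default scope."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://manage.office.com/.default",
    }).encode()
    req = urllib.request.Request(f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", data=body)
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def list_subscriptions(tenant_id, token, opener=urllib.request.urlopen):
    """GET .../activity/feed/subscriptions/list -> list of subscription dicts."""
    req = urllib.request.Request(
        f"{MANAGE}/{tenant_id}/activity/feed/subscriptions/list",
        headers={"Authorization": f"Bearer {token}"})
    with opener(req) as resp:
        return json.load(resp)


def missing_subscriptions(subscriptions, wanted):
    """Content types from the Wazuh <subscriptions> block that the tenant does
    not report as enabled. Empty result: nothing to start on the Microsoft side."""
    enabled = {s["contentType"] for s in subscriptions if s.get("status") == "enabled"}
    return sorted(set(wanted) - enabled)


# Constructed sample shaped like the API's reply: Audit.General was never
# started, so the tenant "connects successfully" yet yields no content blobs.
SAMPLE_RESPONSE = [
    {"contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": None},
    {"contentType": "Audit.General", "status": "disabled", "webhook": None},
]
WAZUH_SUBSCRIPTIONS = ["Audit.AzureActiveDirectory", "Audit.General"]

if __name__ == "__main__":
    # Live use: subs = list_subscriptions(tid, get_token(tid, cid, secret))
    print("not enabled:", missing_subscriptions(SAMPLE_RESPONSE, WAZUH_SUBSCRIPTIONS))
```

A content type reported here as anything other than enabled is exactly the case where the module logs a successful connection but no events arrive, so start it (or check the Unified Audit Log setting) before digging further into Wazuh.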