Wazuh 4.13.1 Office 365 Connector Problems


Jose Mayea

Sep 26, 2025, 12:09:25 AM
to Wazuh | Mailing List
Hello, I would appreciate your help.

Previously, I had the Office 365 connector running in version 4.12, but now with version 4.13.1 installed from scratch, it is not possible to bring events from the Office 365 connector.

The container traceability events show me the following:

2025/09/25 20:56:27 wazuh-modulesd:office365: INFO: Module Office365 started.

I don't have any more information than what is shown. This configuration worked perfectly before in 4.12.

The format used in the configuration is as follows.


  <integration>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id>INSERT</tenant_id>
      <client_id>INSERT</client_id>
      <client_secret>INSERT</client_secret>
    </api_auth>
    <subscriptions>
      <subscription>Audit.General</subscription>
      <subscription>Audit.SharePoint</subscription>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit. Exchange</subscription>
      <subscription>Audit.SharePoint</subscription>
      <subscription>DLP.All</subscription>
    </subscriptions>
  </integration>

Best regards!

Md. Nazmur Sakib

Sep 26, 2025, 1:25:42 AM
to Wazuh | Mailing List
Hi Jose,

I am looking into your query. I will get back to you with my findings soon.

Md. Nazmur Sakib

Sep 26, 2025, 1:48:20 AM
to Wazuh | Mailing List

I can see you have added the configuration under the <integration> block, but for Office 365, you need to add the configuration under the <office365> block, like this.

  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id>INSERT</tenant_id>
      <client_id>INSERT</client_id>
      <client_secret>INSERT</client_secret>
    </api_auth>
    <subscriptions>
      <subscription>Audit.General</subscription>
      <subscription>Audit.SharePoint</subscription>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit.Exchange</subscription>
      <subscription>Audit.SharePoint</subscription>
      <subscription>DLP.All</subscription>
    </subscriptions>
  </office365>



Check the Setting up Wazuh for Office 365 monitoring document to learn more.

Let me know if this resolves your issue.
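
A lint for the misplacement described in the reply above, as an added example that is not part of the original thread or of Wazuh's own code: it flags Office 365 settings placed under a block other than `<office365>`, and subscription names that are duplicated, contain whitespace, or are not one of the five content types used in this thread. The function name, finding codes and sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Content types that appear as <subscription> values in this thread.
VALID_SUBSCRIPTIONS = {
    "Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
    "Audit.General", "DLP.All",
}

def lint_office365(conf_text):
    """Return (code, detail) findings for Office 365 settings in ossec.conf."""
    # ossec.conf may contain several <ossec_config> roots; wrap them so the
    # text parses as one XML document (assumes no <?xml ?> declaration).
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    # A block is a candidate if it is <office365> or carries <subscriptions>.
    candidates = [
        block for cfg in root.iter("ossec_config") for block in cfg
        if block.tag == "office365" or block.find("subscriptions") is not None
    ]
    if not candidates:
        findings.append(("missing", "no <office365> block found"))
    for block in candidates:
        if block.tag != "office365":
            findings.append(("misplaced", block.tag))
        seen = set()
        for sub in block.iter("subscription"):
            name = sub.text or ""
            if name in seen:
                findings.append(("duplicate", name))
            elif name != "".join(name.split()):
                findings.append(("whitespace", name))
            elif name not in VALID_SUBSCRIPTIONS:
                findings.append(("unknown", name))
            seen.add(name)
    return findings

# Constructed samples: settings under the wrong block, then under <office365>.
AS_POSTED = """<ossec_config><integration>
  <enabled>yes</enabled>
  <api_auth><tenant_id>INSERT</tenant_id></api_auth>
  <subscriptions>
    <subscription>Audit.SharePoint</subscription>
    <subscription>Audit. Exchange</subscription>
    <subscription>Audit.SharePoint</subscription>
  </subscriptions>
</integration></ossec_config>"""
CORRECTED = AS_POSTED.replace("integration>", "office365>").replace(". E", ".E")

if __name__ == "__main__":
    print(lint_office365(AS_POSTED))
    print(lint_office365(CORRECTED))
```
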

Jose Mayea

Sep 26, 2025, 9:29:16 AM
to Wazuh | Mailing List
I applied what you told me and reduced it to a module, and I also activated debug mode to obtain more information.

Connector Configuration

<ossec_config>

  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id>5f8XXX-XXXXX.XXXXX</tenant_id>
      <client_id>263XXXX-XXXXX-XXXXX</client_id>
      <client_secret>XXXXX</client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.SharePoint</subscription>
    </subscriptions>
  </office365>
</ossec_config>

Logs Manager

2025/09/26 12:28:07 wazuh-modulesd[20886] main.c:105 at main(): DEBUG: Created new thread for the 'office365' module.
2025/09/26 12:28:07 wazuh-modulesd:office365[20886] wm_office365.c:133 at wm_office365_main(): INFO: Module Office365 started.
2025/09/26 12:28:07 wazuh-modulesd:office365[20886] wm_office365.c:320 at wm_office365_execute_scan(): DEBUG: Scanning tenant: '5f8XXXXXX'
2025/09/26 12:28:07 wazuh-modulesd:office365[20886] wm_office365.c:368 at wm_office365_execute_scan(): DEBUG: Bookmark updated to '2025-09-26T12:28:07Z' for tenant '5f8XXXXX' and subscription 'Audit.SharePoint', waiting '60' seconds to run first scan.

2025/09/26 12:29:07 wazuh-modulesd:office365[20886] wm_office365.c:320 at wm_office365_execute_scan(): DEBUG: Scanning tenant: '5f8fXXXXX'
2025/09/26 12:29:07 wazuh-modulesd:office365[20886] wm_office365.c:554 at wm_office365_get_access_token(): DEBUG: Office 365 API access token URL: 'https://login.microsoftonline.com/5f8XXXXX/oauth2/v2.0/token'
2025/09/26 12:29:07 wazuh-modulesd:office365[20886] wm_office365.c:606 at wm_office365_manage_subscription(): DEBUG: Office 365 API subscription URL: 'https://manage.office.com/api/v1.0/263XXXX/activity/feed/subscriptions/start?contentType=Audit.SharePoint'
2025/09/26 12:29:07 wazuh-modulesd:office365[20886] wm_office365.c:656 at wm_office365_get_content_blobs(): DEBUG: Office 365 API content blobs URL: 'https://manage.office.com/api/v1.0/263XXXXXX/activity/feed/subscriptions/content?contentType=Audit.SharePoint&startTime=2025-09-26T12:28:07Z&endTime=2025-09-26T12:29:07Z'

Comments: This continues indefinitely without bringing anything back.

Thank you in advance for your support.
