365 logs not ingested to Wazuh


David Brindley

Sep 8, 2025, 11:36:32 AM (12 days ago) Sep 8
to Wazuh | Mailing List
Hi All,

I'm running into an issue where 365 logs are no longer being ingested to Wazuh. After having to replace the PC that was the collector agent, I re-added the below section to the ossec.conf file and recreated the app registration in EntraID. Despite that, I do not see logs in the portal or when running grep for expected email addresses on the server. 

<office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>10M</curl_max_size>
    <only_future_events>no</only_future_events>
    <api_auth>
        <tenant_id>*******************************************</tenant_id>
        <client_id>*********************************************</client_id>
        <client_secret>*******************************************</client_secret>
        <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.Exchange</subscription>
        <subscription>Audit.General</subscription>
        <subscription>Audit.SharePoint</subscription>
        <subscription>DLP.All</subscription>
    </subscriptions>
</office365>

Thanks,
David Brindley

musbau....@wazuh.com

Sep 8, 2025, 12:19:39 PM (12 days ago) Sep 8
to Wazuh | Mailing List
Hello,

Could you please check the logs in /var/ossec/logs/ossec.log

The challenge you're experiencing could be a result of:
  1. Incorrect Authentication: The client_id (application ID), tenant_id, or client_secret in the ossec.conf file does not match the new Azure App Registration details.

  2. Missing API Permissions: The new Azure App Registration is missing the required Office 365 Management API permissions (ActivityFeed.Read).

  3. Configuration Error: The integration block in the ossec.conf file might be malformed or placed incorrectly.

  4. Admin Consent: The required permissions for the new App Registration have not been granted Admin Consent in Azure.

Regards,


David Brindley

Sep 8, 2025, 4:18:51 PM (11 days ago) Sep 8
to Wazuh | Mailing List
Hi Musbau,

Are there any keywords I can search for?

Thanks,

musbau....@wazuh.com

Sep 9, 2025, 6:40:39 AM (11 days ago) Sep 9
to Wazuh | Mailing List
Hello,

You can use the command below to check for error logs.

tail -f /var/ossec/logs/ossec.log | grep -i "error"

Regards,

David Brindley

Sep 10, 2025, 4:07:48 PM (9 days ago) Sep 10
to Wazuh | Mailing List
Hi Musbau,

I ran the command but did not get any output.

Thanks,
David Brindley

musbau....@wazuh.com

Sep 11, 2025, 6:27:15 AM (9 days ago) Sep 11
to Wazuh | Mailing List
Hi,

Could you please check the Wazuh manager's full log around the time of restart? This could give insights if there are any errors with the integration. Also ensure the client secret hasn't expired in Azure AD. You should also verify that the App Registration in Azure AD has the necessary permissions:

AuditLog.Read.All

ActivityFeed.Read

ActivityFeed.ReadDlp

ServiceHealth.Read

You can also replace your config with the one below.

<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id>xxxxxxxxxx</tenant_id>
      <client_id>xxxxxxxxxxx</client_id>
      <client_secret>xxxxxxxx</client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit.General</subscription>
      <subscription>Audit.Exchange</subscription>
      <subscription>Audit.SharePoint</subscription>
      <subscription>DLP.All</subscription>
    </subscriptions>
  </office365>
</ossec_config>

Also, you need to enable API audit logging, and it takes 24h to take effect.

Please look at this documentation below to further assist with that

https://learn.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#enable-unified-audit-logging-in-office-365
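
The symptom in this thread is "no events and no errors", which the manager log alone cannot separate into its likely causes (bad or expired credentials, missing ActivityFeed.Read consent, or subscriptions that were never started because unified audit logging is off). The script below, added here as an example and not part of Wazuh or of anyone's post in the thread, talks to the Office 365 Management Activity API the same way the office365 module does for api_type commercial: it requests a client-credentials token for https://manage.office.com/.default and then lists the tenant's subscriptions, reporting which of the five content types from the posted ossec.conf are not in enabled status. The environment variable names O365_TENANT_ID, O365_CLIENT_ID and O365_CLIENT_SECRET are an assumption of this example.

```python
"""Check an Office 365 Management Activity API app registration the way the
Wazuh office365 module consumes it: obtain a client-credentials token for the
commercial cloud, then list which audit subscriptions are actually started.
Added example for this thread; not Wazuh's own code.

Assumption: credentials come from the environment variables O365_TENANT_ID,
O365_CLIENT_ID and O365_CLIENT_SECRET (names chosen for this example).
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN_BASE = "https://login.microsoftonline.com"
API_BASE = "https://manage.office.com/api/v1.0"

# The content types from the <subscriptions> block posted in the thread.
WANTED = [
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.General",
    "Audit.SharePoint",
    "DLP.All",
]


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth2 client-credentials grant used
    with api_type=commercial."""
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default resolves to the application permissions granted to the app;
        # a missing permission or missing admin consent does not fail here but
        # on the API call that follows.
        "scope": "https://manage.office.com/.default",
    }).encode()
    return url, body


def subscriptions_url(tenant_id):
    """Endpoint that reports every content-type subscription and its status."""
    return f"{API_BASE}/{tenant_id}/activity/feed/subscriptions/list"


def missing_subscriptions(listing, wanted=WANTED):
    """Given the JSON array returned by subscriptions/list, return the wanted
    content types whose subscription is not 'enabled'.  A content type absent
    from the listing has never been started for this tenant."""
    enabled = {s.get("contentType") for s in listing if s.get("status") == "enabled"}
    return [ct for ct in wanted if ct not in enabled]


def fetch_json(url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main():
    tenant = os.environ["O365_TENANT_ID"]
    client = os.environ["O365_CLIENT_ID"]
    secret = os.environ["O365_CLIENT_SECRET"]

    url, body = token_request(tenant, client, secret)
    try:
        token = fetch_json(url, data=body)["access_token"]
    except urllib.error.HTTPError as e:
        # Wrong tenant/client id or a wrong/expired client secret: Entra ID
        # answers with an AADSTS error code in the response body.
        print("token request failed:", e.code, e.read().decode(), file=sys.stderr)
        return 1

    try:
        listing = fetch_json(subscriptions_url(tenant),
                             headers={"Authorization": "Bearer " + token})
    except urllib.error.HTTPError as e:
        # 401/403 at this step usually means ActivityFeed.Read is missing or
        # has not been granted admin consent.
        print("subscription listing failed:", e.code, e.read().decode(), file=sys.stderr)
        return 1

    for sub in listing:
        print(f"{str(sub.get('contentType')):28s} {sub.get('status')}")
    missing = missing_subscriptions(listing)
    if missing:
        print("not enabled:", ", ".join(missing))
        print("if these never become enabled, check that unified audit logging "
              "is turned on for the tenant (it can take 24h to take effect)")
        return 2
    print("all configured subscriptions are enabled")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the collector host with the same tenant, client id and secret that are in ossec.conf; a failure at the token step points at the credentials, a failure at the listing step at the API permissions, and a clean run with content types reported as not enabled points at audit logging on the tenant rather than at the Wazuh configuration.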

David Brindley

Sep 18, 2025, 5:08:10 PM (2 days ago) Sep 18
to Wazuh | Mailing List
Hi Musbau,

I checked the logs again after a reboot and haven't seen anything relevant. Also re-ran the grep you provided with no results. Some additional information, we have multiple collector agents at different organizations collecting 365 logs and I confirmed they are being ingested into Wazuh with the same ossec config and api permissions. 

Thanks,
David Brindley 
