Issue with Office 365 Integration in Wazuh - "Unknown error"

[Faber Andres Cubides]

Hello Team,,

I am trying to integrate Office 365 with Wazuh following the official documentation Monitoring Office 365 audit logs - Monitoring Office 365. I have correctly configured Office 365, and in Wazuh, I have the following module enabled in ossec.conf:

However, when checking the logs, I only receive the following error:

I have verified the following:

• Correct credentials (tenant_id, client_id, and client_secret).

• Proper permissions in Azure AD.

• Network connectivity to Office 365 endpoints.

• Correct configuration in ossec.conf.

Despite these validations, the error persists, and I am not receiving events from Office 365 in Wazuh.

Has anyone faced a similar issue? Any suggestions on how to resolve or better debug it?

I really appreciate your support.

[Olusegun Adenrele Oyebo]

Hello Faber,

What version of Wazuh are you using?

The message log isn't clear, it fires by a malformed authentication request.

You can check your credentials manually by running a curl command:

Replace  %CLIENT_ID% ,  %CLIENT_SECRET%  and %TENANT_ID% with yours; you should receive a valid JSON response:

• curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k

I also came across a similar issue related to yours which is currently undergoing review:

• https://github.com/wazuh/wazuh/issues/16485

Let me know your findings.

Best regards.