2 Replies Latest reply on Oct 2, 2017 12:18 PM by rakusust

    Office 365 logs are not current in ESM

      Hello everyone,

      I am collecting Office 365 logs, but for some reason I am not getting current logs in ESM; they are delayed.

      I can see the 'IN' folder is growing, and there is little activity within the 'OUT' folder.

      However, '/var/log/gwapi.00' on the Receiver is showing the following errors:

           Sep 25 20:28:17 L_MSGWRT   35629|[            /22] in/data.20170925201317000 closing (1673 records)
           Sep 25 20:43:17 L_MSGWRT   35629|[            /22] in/data.20170925202817000 closing (2013 records)
           Sep 25 20:46:48 L_ERROR    35633|DSR_Azure_Activity_2[22] -- HTTP response code was: 403
           Sep 25 20:46:48 L_ERROR    35633|DSR_Azure_Activity_2[22] -- DoRequest: BuildRequest Failed [CONN_FAIL]
           Sep 25 20:46:48 L_WARN     35633|DSR_Azure_Activity_2[22] -- DoRequest Failed w/ 'CONN_FAIL'.
           Sep 25 20:46:48 L_ERROR    35633|DSR_Azure_Activity_2[22] -- HTTP CODE: 403
           Sep 25 20:46:55 L_ERROR    35633|DSR_Azure_Activity_2[22] -- HTTP response code was: 403
           Sep 25 20:46:55 L_ERROR    35633|DSR_Azure_Activity_2[22] -- DoRequest: BuildRequest Failed [CONN_FAIL]
           Sep 25 20:46:55 L_WARN     35633|DSR_Azure_Activity_2[22] -- DoRequest Failed w/ 'CONN_FAIL'.
           Sep 25 20:46:55 L_ERROR    35633|DSR_Azure_Activity_2[22] -- HTTP CODE: 403

      I have already rewritten and rolled out policies, but to no avail.

      Any ideas please?


      Thank you.

        • 1. Re: Office 365 logs are not current in ESM
          andy777

          If you're seeing logs accumulate in the 'in' directory, then you know that the communication with the API is working. I agree that if things aren't being parsed, the next step would be to determine whether the rules were written out correctly and are available in /etc/NitroGuard/asp/policy under the number that matches the ID listed in /etc/NitroGuard/thirdparty.conf.

          I don't think the errors above are the root cause of this (assuming the log isn't full of them). I see occasional 403s with O365 too, and as already mentioned, you have a growing 'in' directory. I think you're on the right path, though you might need to get support involved if the rules look good on the Receiver.
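          To put a number on the "assuming the log isn't full of them" check in the reply above, here is an added triage script (my own example, not McAfee code and not anything posted in the thread). It parses the gwapi.00 lines quoted in the original post and, per data-source id, reports how many batches closed into in/, how many records they carried, how long after a batch's start time it was closed, and how many failed requests returned which HTTP code, then gives a verdict based on whether batches kept closing after the last error. Assumptions not confirmed by the thread: the timestamps carry no year (2017 is taken from the thread date); the in/data.<digits> file name begins with the batch start time as YYYYMMDDHHMMSS; and 'HTTP response code was' appears once per failed request while 'HTTP CODE' repeats it, so only the former is counted. The CONSTRUCTED_RECOVERY line is made up for the example.

```python
"""Triage a Receiver gwapi.00 log: are the HTTP 403s fatal or intermittent?

Added example, not McAfee code. Assumptions (not confirmed by the thread):
- syslog-style timestamps carry no year; LOG_YEAR is taken from the thread date
- the in/data.<digits> file name starts with the batch start time, YYYYMMDDHHMMSS
- 'HTTP response code was: NNN' is emitted once per failed request and
  'HTTP CODE: NNN' repeats it, so only the former is counted
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_YEAR = 2017

# The ten lines quoted in the original post, verbatim.
POSTED_LOG = """\
Sep 25 20:28:17 L_MSGWRT   35629|[            /22] in/data.20170925201317000 closing (1673 records)
Sep 25 20:43:17 L_MSGWRT   35629|[            /22] in/data.20170925202817000 closing (2013 records)
Sep 25 20:46:48 L_ERROR    35633|DSR_Azure_Activity_2[22] -- HTTP response code was: 403
Sep 25 20:46:48 L_ERROR    35633|DSR_Azure_Activity_2[22] -- DoRequest: BuildRequest Failed [CONN_FAIL]
Sep 25 20:46:48 L_WARN     35633|DSR_Azure_Activity_2[22] -- DoRequest Failed w/ 'CONN_FAIL'.
Sep 25 20:46:48 L_ERROR    35633|DSR_Azure_Activity_2[22] -- HTTP CODE: 403
Sep 25 20:46:55 L_ERROR    35633|DSR_Azure_Activity_2[22] -- HTTP response code was: 403
Sep 25 20:46:55 L_ERROR    35633|DSR_Azure_Activity_2[22] -- DoRequest: BuildRequest Failed [CONN_FAIL]
Sep 25 20:46:55 L_WARN     35633|DSR_Azure_Activity_2[22] -- DoRequest Failed w/ 'CONN_FAIL'.
Sep 25 20:46:55 L_ERROR    35633|DSR_Azure_Activity_2[22] -- HTTP CODE: 403
"""

# Constructed for this example, NOT from the post: a later batch closing after the errors.
CONSTRUCTED_RECOVERY = (
    "Sep 25 20:58:17 L_MSGWRT   35629|[            /22] "
    "in/data.20170925204317000 closing (1840 records)\n"
)

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
CLOSE_RE = re.compile(
    TS + r" L_MSGWRT\s+\d+\|\[\s*/(?P<src>\d+)\] in/data\.(?P<batch>\d{14})\d*"
    r" closing \((?P<recs>\d+) records\)"
)
ERR_RE = re.compile(
    TS + r" L_(?P<lvl>ERROR|WARN)\s+\d+\|(?P<dsr>\S+?)\[(?P<src>\d+)\] -- (?P<msg>.*)$"
)
HTTP_RE = re.compile(r"HTTP response code was: (\d{3})")


def parse_ts(ts: str) -> datetime:
    """'Sep 25 20:28:17' -> datetime, with the year supplied by LOG_YEAR."""
    return datetime.strptime(f"{LOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def new_source() -> dict:
    return {"dsr": None, "batches": 0, "records": 0, "last_close": None,
            "max_lag_s": 0, "http": Counter(), "warns": 0, "last_error": None}


def verdict(s: dict) -> str:
    """Apply the reply's heuristic: errors only matter if batches stop closing."""
    if s["batches"] == 0:
        return "failing: no batch written to in/, the 403s are the problem"
    if s["last_error"] is None:
        return "healthy: batches closing and no request errors"
    if s["last_close"] > s["last_error"]:
        return "transient: batches still closing after the last error"
    return "stalled: nothing closed since the last error, investigate the 403s"


def triage(log_text: str) -> dict:
    """Per data-source id: batch/record counts, pull lag, error counts and a verdict."""
    sources = defaultdict(new_source)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CLOSE_RE.match(line)
        if m:
            s = sources[int(m["src"])]
            closed_at = parse_ts(m["ts"])
            started_at = datetime.strptime(m["batch"], "%Y%m%d%H%M%S")
            s["batches"] += 1
            s["records"] += int(m["recs"])
            s["last_close"] = closed_at
            # seconds between a batch file's start time and its close
            s["max_lag_s"] = max(s["max_lag_s"], int((closed_at - started_at).total_seconds()))
            continue
        m = ERR_RE.match(line)
        if m:
            s = sources[int(m["src"])]
            s["dsr"] = m["dsr"]
            s["last_error"] = parse_ts(m["ts"])
            if m["lvl"] == "WARN":
                s["warns"] += 1
            h = HTTP_RE.search(m["msg"])
            if h:
                s["http"][int(h.group(1))] += 1
    for s in sources.values():
        s["verdict"] = verdict(s)
    return dict(sources)


if __name__ == "__main__":
    for src, s in triage(POSTED_LOG + CONSTRUCTED_RECOVERY).items():
        print(f"source {src} ({s['dsr']}): {s['batches']} batches, {s['records']} records, "
              f"max lag {s['max_lag_s']}s, HTTP errors {dict(s['http'])}, {s['verdict']}")
```

          Run against only the ten posted lines, source 22 comes out as "stalled", because the snippet ends with the two failed requests and no later close; that is precisely why the full gwapi.00, not an excerpt, is what decides whether the 403s matter. Appending the constructed recovery line flips the verdict to "transient". The 900 s lag shows each batch file being closed 15 minutes after the start time in its name, which is the normal collection cadence visible in the posted lines and unrelated to the 7-hour offset support later mentioned.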

          • 2. Re: Office 365 logs are not current in ESM

            Thank you.
            Yeah, I can see the rules are there in the /etc/NitroGuard/asp/policy folder.

            However, it started working again after 6 days without making any changes.


            As per McAfee support (Tier 2), the logs were always 7 hours behind in the 'IN' directory, and they recommended changing that in the Azure platform, but it started working without any changes, which is weird!

            Regards.