o365beat icon indicating copy to clipboard operation
o365beat copied to clipboard

Published 20 hours ago verified publisher icon counteractive

Log file is not getting created

Open sriramb12 opened this issue 1 year ago • 0 comments

There are 2 issues

  1. /var/log/o365beat is not created even if manually created, there are no log files being created
  • the Azure AD data is not getting collected. it does not create the file. The same worked earlier

[root@ models]# systemctl status o365beat -l ● o365beat.service - Shipper for Office 365 logs from Management Activities API. Loaded: loaded (/usr/lib/systemd/system/o365beat.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2022-08-26 12:19:11 AWST; 412ms ago Docs: https://www.elastic.co/products/beats/o365beat Main PID: 2687 (o365beat) Memory: 5.6M CGroup: /system.slice/o365beat.service └─2687 /usr/share/o365beat/bin/o365beat -e -c /etc/o365beat/o365beat.yml -path.home /usr/share/o365beat -path.config /etc/o365beat -path.data /var/lib/o365beat -path.logs /var/log/o365beat

Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.075+0800 INFO instance/beat.go:297 Setup Beat: o365beat; Version: 1.5.1 Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.075+0800 INFO fileout/file.go:98 Initialized file output. path=/home/o365beat/o365.log max_size_bytes=10485760 max_backups=7 permissions=-rw------- Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.075+0800 INFO [publisher] pipeline/module.go:97 Beat name: crystaleye.lan Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO [monitoring] log/log.go:118 Starting metrics logging every 30s Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO instance/beat.go:429 o365beat start running. Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:459 o365beat is running! Hit CTRL-C to stop it. Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:203 enabling subscriptions for configured content types: [Audit.AzureActiveDirectory Audit.Exchange Audit.SharePoint Audit.General] Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:164 getting content subscriptions Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:106 auth nil or expired, re-authenticating Aug 26 12:19:11 crystaleye.lan o365beat[2687]: 2022-08-26T12:19:11.076+0800 INFO beater/o365beat.go:133 authenticating via https://login.microsoftonline.com/tkqlm.onmicrosoft.com/oauth2/token?api-version=1.0 [root@crystaleye models]# ls -l /home/o365beat/ total 0

sriramb12 avatar Aug 26 '22 10:08 sriramb12