Shipping Office 365 audit logs to Graylog with O365beat

O365beat is an exceptionally useful open-source log shipper created by counteractive. With a few simple tweaks, it can fetch Office 365 audit logs from the Office 365 Management Activity API and forward them to Graylog. The best part of this tool is that it leverages all the flexibility and power of the Beats platform (libbeat).

Installing O365beat

Installing O365beat is quite simple if you follow the instructions you will find on GitHub. First, you need to turn on audit log search in your Office 365 tenancy and give O365beat access to the Office 365 Management API. The Microsoft documentation should include all the necessary instructions.

Then, just use the pre-built binaries, which pick up the credential information required to connect to your tenancy's audit logs automatically from your environment. You can also hard-code those values if you prefer. If you get authentication errors, it may be because O365beat cannot find its configuration; in that case, specify explicitly where it should look for it.

Sending logs to Graylog with Logstash

In order to send logs to Graylog, configure O365beat to use the Logstash output in o365beat.yml; Graylog's Beats input accepts this protocol. The edits are shown below, and you can copy and paste the text you need from here:

Comment out the following lines:

output.elasticsearch:
  hosts: ["localhost:9200"]

Uncomment the following lines and point them to your Beats input on Graylog:

output.logstash:
  # The Logstash hosts
  hosts: ["<graylogIp>:5044"]
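To script the two edits above and catch the most common slip (leaving the Elasticsearch output enabled alongside the Logstash one, which a Beats-based shipper refuses to start with), here is an added POSIX shell example; it is not part of the original post or of O365beat, and it assumes the stock o365beat.yml layout with two-space indentation and the default localhost hosts.

```shell
#!/bin/sh
# Added example: switch o365beat.yml from the Elasticsearch output to a Logstash
# output aimed at a Graylog Beats input. Assumes the stock Beats reference layout:
# output.elasticsearch enabled with hosts: ["localhost:9200"], and the
# Logstash block commented out with #hosts: ["localhost:5044"].

# configure_graylog_output <o365beat.yml> <graylog_ip> [port]
configure_graylog_output() {
  cfg="$1"; ip="$2"; port="${3:-5044}"
  # Comment out the Elasticsearch output and its hosts line, then uncomment the
  # Logstash output and point it at Graylog. Indentation is preserved via \1.
  sed \
    -e 's/^output\.elasticsearch:/#output.elasticsearch:/' \
    -e 's/^\(  *\)hosts: \["localhost:9200"]/\1#hosts: ["localhost:9200"]/' \
    -e 's/^#output\.logstash:/output.logstash:/' \
    -e "s/^\(  *\)#hosts: \[\"localhost:5044\"]/\1hosts: [\"$ip:$port\"]/" \
    "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# enabled_outputs <o365beat.yml>: prints how many output.* sections are active.
# Beats accept exactly one output, so anything other than 1 means the shipper
# will exit on startup instead of forwarding logs.
enabled_outputs() {
  grep -c '^output\.' "$1" || true
}

# Constructed sample mirroring the relevant part of the stock o365beat.yml.
SAMPLE_CFG="${TMPDIR:-/tmp}/o365beat-sample.$$.yml"
cat > "$SAMPLE_CFG" <<'EOF'
output.elasticsearch:
  hosts: ["localhost:9200"]

#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
EOF

configure_graylog_output "$SAMPLE_CFG" 192.0.2.10
cat "$SAMPLE_CFG"
echo "enabled outputs: $(enabled_outputs "$SAMPLE_CFG")"
```

Run `enabled_outputs` against your real o365beat.yml before starting the service; a result of 2 means the Elasticsearch block is still live.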

Choosing the right log shipper

At higher loads, Logstash may stall or become somewhat slower and less stable. In this case, you may wish to try Logstash Azure Event Hub: it still packages the logs and sends them onto the wire in the same way, but it goes off and grabs the logs in a slightly different way. Ultimately, your mileage may vary, so feel free to experiment with both methods to find out which one is more stable at higher loads, since both do the same job of getting logs out of O365beat.

If you still have any doubt or want to know more about how to configure O365beat on Graylog, feel free to check out our Community. Once again, thanks to counteractive for building this incredibly useful tool and happy logging to everybody else!
