
Shipping Office 365 audit logs to Graylog with O365beat

November 22, 2019

O365beat is an exceptionally useful open-source log shipping tool created by counteractive. With a few simple tweaks, it can be used to fetch Office 365 audit logs from the Office 365 Management Activity API and forward them to Graylog. The best part of this tool is that it leverages all the flexibility and power of the Beats platform it is built on (libbeat).

Installing O365beat

Installing O365beat is quite simple if you follow the instructions you will find on GitHub. First, you need to turn on audit log search in your Office 365 tenancy and give O365beat access to the Office 365 Management API. The Microsoft documentation should include all the necessary instructions.

Then, just use the pre-built binaries: they pick up the credential information required to connect to the audit logs for your tenancy automatically from your environment. You can also hard-code those values if you prefer. If you get authentication errors, it may be because O365beat is unable to find its configuration; in that case, tell it explicitly where to look for its configuration file.

Sending logs to Graylog with Logstash

In order to send logs to Graylog, configure O365beat to use the Logstash output in o365beat.yml, pointing at the Beats input on your Graylog server. Configure the file as shown below; you can copy and paste the text you need from here:

Comment out the following lines:

    output.elasticsearch:
      hosts: ["localhost:9200"]

Uncomment the following lines and point them to your Beats input on Graylog (replace <graylogIp> with the address of your Graylog server):

    output.logstash:
      # The Logstash hosts
      hosts: ["<graylogIp>:5044"]
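As an added example (not part of the original post and not o365beat's own code), a small Python checker for the two edits above: it reads an o365beat.yml, confirms that exactly one output.* section is uncommented, checks that each hosts entry is a host:port pair, and flags curly quotes of the kind that copy-pasting a snippet from a web page can introduce, which YAML does not accept as a string delimiter. The helper name and the sample config are constructed.

```python
import re

# Constructed sample: the o365beat.yml output section after the edit described in the
# post, but with a curly opening quote, which a copy-paste from a web page can introduce.
SAMPLE_CONFIG = """\
#output.elasticsearch:
  #hosts: ["localhost:9200"]

output.logstash:
  # The Logstash hosts
  hosts: [\u201c10.0.0.5:5044"]
"""

SECTION_RE = re.compile(r'^output\.(\w+):\s*$')
HOSTS_RE = re.compile(r'^\s+hosts:\s*\[(.*)\]\s*$')
HOST_RE = re.compile(r'^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:]+\]):(\d{1,5})$')
CURLY = {'\u201c': '"', '\u201d': '"', '\u2018': "'", '\u2019': "'"}

def check_outputs(text):
    """Hypothetical linter for the output.* sections of an o365beat.yml: returns
    (problems, outputs), where outputs maps each uncommented output.* section to
    its hosts. Line-based on purpose; it only needs to know which sections are live."""
    problems, outputs, current = [], {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if any(ch in raw for ch in CURLY):
            problems.append(f'line {lineno}: curly quote, YAML needs a plain " or \'')
            raw = ''.join(CURLY.get(ch, ch) for ch in raw)
        line = raw.split('#', 1)[0].rstrip()   # a commented-out line contributes nothing
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            outputs.setdefault(current, [])
            continue
        m = HOSTS_RE.match(line)
        if m and current:
            outputs[current] += [h.strip().strip('"\'') for h in m.group(1).split(',') if h.strip()]
    if len(outputs) != 1:
        problems.append(f'expected exactly one enabled output, found {sorted(outputs)}')
    for name, hosts in outputs.items():
        if not hosts:
            problems.append(f'output.{name} has no hosts entry')
        for h in hosts:
            m = HOST_RE.match(h)
            if not m or not 0 < int(m.group(1)) < 65536:
                problems.append(f'output.{name} host {h!r} is not a valid host:port')
    return problems, outputs
```

Run it over your real o365beat.yml before starting the beat; an empty problem list and a single logstash entry pointing at your Graylog Beats input is what you want to see.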

Choosing the right log shipper

At higher loads, Logstash may stall or become slower and less stable. In that case, you may wish to try Logstash Azure Event Hub: it still packages the logs and sends them onto the wire in the same way, but it fetches the logs in a slightly different way. Ultimately, your mileage may vary, so feel free to experiment with both methods to find out which one is more stable at higher loads, since both do the same job of getting logs from O365beat.

If you still have any doubts or want to know more about how to configure O365beat with Graylog, feel free to check out our Community. Once again, thanks to counteractive for building this incredibly useful tool, and happy logging to everybody else!

Written By
Nick Carstensen

Nick has been in the security industry for over fifteen years with experience in Security and the Log/SIEM Industry. Nick is currently a Technical Product Evangelist for Graylog, creating content and helping with their social presence.

@NickCarstensen1