Merge pull request #60 from ddbnl/master
ddbnl authored Mar 10, 2024
2 parents ac94b5d + ee00ff2 commit 4223ea6
Showing 4 changed files with 31 additions and 27 deletions.
55 changes: 30 additions & 25 deletions README.md
Expand Up @@ -57,30 +57,6 @@ See the following link for more info on the management APIs: https://msdn.micros
- Output to Graylog/fluentd for full audit trails in SIEM
- Etc.

## Latest changes:
- Full rust rewrite
- Deprecated 'resume' parameter.
- Added native timestamp field to logs for graylog output
- Added fluentd support (thanks @owentl)
- Added Azure Blob and Azure Table outputs
- Added SQL output for Power BI
- Changed file to CSV output
- Added PRTG output
- Added filters
- Added YAML config file
- Added a GUI for Windows
- Added executables for Windows and Linux
- Added Azure Log Analytics Workspace OMS output
- Added parameter to resume from last run time (use to not miss any logs when script hasn't run for a while)
- Added parameter for amount of hours or days to go back and look for content
- Integrated bug fixes from pull requests, thank you!
- Fix busy loop when connection problem by @furiel
- New urlencoding for client_secret by @kalimer0x00
- Fixed bug where script exited prematurely
- Don't start graylog output unnecessarily
- Fixed file output


## Instructions:

### Onboarding (one time only):
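Review bot: Deleting the whole "## Latest changes" block drops the only place the README records the deprecated 'resume' parameter and the credited contributor fixes (@owentl, @furiel, @kalimer0x00); consider moving the list into a CHANGELOG.md or the GitHub release notes instead of removing it outright, so users upgrading from an older version still find the deprecation note.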
Expand All @@ -107,7 +83,34 @@ See the following link for more info on the management APIs: https://msdn.micros

### Running the collector:

You can schedule to run the executable with CRON or Task Scheduler.
#### From container (recommended)

A prebuilt container is available. If you are on a machine with docker available,
you can run the tool through following steps:

1. Make sure a config file is available (see "/ConfigExamples" for details). Let's say the file is at "/configs/config.yaml"
2. Run the following docker command:
- Note we create a volume (/config), binding the local config folder to the container
- We also mount a new volume (/app) that the collector can use to store known logs, so it can avoid duplicates
```
sudo docker run -d \
-v /configs:/configs \
--mount source=collector-volume,target=/app \
ghcr.io/ddbnl/office365-audit-log-collector:release \
--tenant-id "11111111-1111-1111-1111-111111111111" \
--client-id "11111111-1111-1111-1111-111111111111" \
--secret-key "1111111111111111111111111111111111" \
--config /configs/graylog.yaml
```
3. Now optionally create a CRON job or Task Scheduler task to run the container on a schedule

#### From a custom container

You can use "/Release/Dockerfile" as a starting point to create a custom container. The binary is located at
"/Release/Linux/OfficeAuditLogCollector"

#### Direct From binary
To run the command-line executable use the following syntax:

OfficeAuditLogCollector(.exe) --tenant-id %tenant_id% --client-id %client_key% --secret-key %secret_key% --config %path/to/config.yaml%
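Review bot: The container instructions are internally inconsistent: step 1 says the config lives at "/configs/config.yaml" and step 2 describes a volume "/config", but the command binds `-v /configs:/configs` and passes `--config /configs/graylog.yaml`; pick one path and use it in all three places. The code fence also has no language tag (```bash would render it properly). Separately, the example passes `--secret-key` as a plain command-line argument, which leaves the client secret visible in shell history and in `docker inspect` output for the running container; a sentence telling readers to protect that value (and to keep the placeholder, as done here, rather than a real secret in documentation) would be worth adding.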
Expand All @@ -116,6 +119,8 @@ To create a config file you can start with the 'fullConfig.yaml' from the Config
possible options and some explanatory comments. Cross-reference with a config example using the output(s) of your choice, and you
should be set. Remember to remove (or comment out) all the outputs you do not intent to use.

You can schedule to run the executable with CRON or Task Scheduler.

### Setting up the collector for Graylog:
I wrote a full tutorial on the Graylog blog. You can find it
[here](https://community.graylog.org/t/collecting-office365-azuread-audit-logs-using-office-audit-collector/23925).
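Review bot: The moved sentence "You can schedule to run the executable with CRON or Task Scheduler." now sits under the binary instructions while step 3 of the container section already says the same thing; keeping both is fine, but the wording reads better as "You can schedule the executable with CRON or Task Scheduler." While touching this paragraph, the context line above has a typo: "do not intent to use" should be "do not intend to use".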
Binary file modified Release/Linux/OfficeAuditLogCollector
Binary file not shown.
2 changes: 1 addition & 1 deletion src/config.rs
Expand Up @@ -101,7 +101,7 @@ impl Config {
};
if !invalidated {
known_content.insert(id.trim().to_string(), creation_time.trim().to_string());
} else {println!("SKIPPA: {}", line)}
}
}
}
known_content
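Review bot: Removing the `SKIPPA` debug print is the right call, but the `else` branch now silently discards every invalidated known-content line; if the project has a logging facility, emitting a debug-level message there keeps the skip observable without spamming stdout. The commit message ("Merge pull request #60 from ddbnl/master") also does not mention that debug output was removed; a line in the PR description would help anyone later wondering where the stdout noise went.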
1 change: 0 additions & 1 deletion src/interfaces/file_interface.rs
Expand Up @@ -89,7 +89,6 @@ impl FileInterface {
}
let columns = get_all_columns(logs);
let path = self.paths.get(&content_type).unwrap();
println!("HIER {}", path.clone());
let mut wrt = Writer::from_path(path).unwrap();
wrt.write_record(&columns).unwrap();

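Review bot: Dropping the `HIER` debug print is correct, but the two `unwrap()` calls on the lines around it remain: `self.paths.get(&content_type).unwrap()` panics if no output path was configured for a content type, and `Writer::from_path(path).unwrap()` panics when the CSV path is not writable, which aborts the whole collector run instead of reporting one failed output; consider returning a `Result` from this function and propagating those errors with `?` so a bad file path does not take the other outputs down with it.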

0 comments on commit 4223ea6