Honored Contributor.

Office 365 Exchange Message Tracking logs - How to

Has anyone come up with a neat solution to Exchange Online tracking (tracing) logs via Office 365? We have the supported Office365 connector running and operational, but it doesn't look like that connector will retrieve message trace logs. They don't appear to be included in the Management API that the Office365 connector reads from.

I have explored the Splunk offerings, which appear to be better. They have an Office365 API solution very similar to the ArcSight Office365 connector, but then an additional 'add-on' app for Splunk that calls the Message Trace Audit Report API for message tracking.

I guess the solution is to build a flexconnector to read these events, but I don't want to reinvent the wheel if we're missing a trick somewhere?

Respected Contributor.

Re: Office 365 Exchange Message Tracking logs - How to

Hello,

I have a solution with which you could get this to work.

1. Use a PowerShell script to pull the logs from O365 and dump them to a local directory. (You can use $pass = Get-Content to store the password in a .enc file as a secure string and make the script use it automatically without having to enter the credentials often.)

2. Schedule the script to run for a specific duration.

3. Use a flex-file reader to parse the logs.

I have deployed this solution many times and had success with it. Let me know if you need the sample script; I could share it with you.

 

regards

Sharan Bhat
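
The pull-and-dump step from the reply above, as an added example; it is not the script the poster later attached and not vendor code. It assumes the ExchangeOnlineManagement module's Connect-ExchangeOnline and Get-MessageTrace cmdlets are available for the tenant; the account name, file paths, state file and one-hour default window are placeholders.

```powershell
# Added example (not the poster's script): pull Exchange Online message trace
# rows and append them to a CSV that a flex-file reader can parse.
$ErrorActionPreference = 'Stop'

$User      = 'svc-msgtrace@example.onmicrosoft.com'   # placeholder service account
$PassFile  = 'C:\Scripts\msgtrace.enc'                # placeholder path
$OutDir    = 'C:\Logs\O365MessageTrace'               # directory the connector reads
$StateFile = Join-Path $OutDir 'last_run.txt'         # end of the previous window

# One-time setup, run as the account that will own the scheduled task. The
# string is DPAPI-protected: only that user on that host can decrypt it.
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $PassFile
$pass = Get-Content $PassFile | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential ($User, $pass)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Resume from the previous run so scheduled runs neither overlap nor leave gaps.
$end = (Get-Date).ToUniversalTime()
if (Test-Path $StateFile) {
    $start = [datetime]::Parse((Get-Content $StateFile), [cultureinfo]::InvariantCulture, 'RoundtripKind')
} else {
    $start = $end.AddHours(-1)
}

# Assumption: the service account can sign in with -Credential (no MFA prompt).
Connect-ExchangeOnline -Credential $cred -ShowBanner:$false
try {
    $outFile = Join-Path $OutDir ('msgtrace_{0:yyyyMMdd}.csv' -f $end)
    $page = 1
    do {
        # Get-MessageTrace returns results one page at a time.
        $rows = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
        if ($rows.Count -gt 0) {
            $rows | Select-Object Received, SenderAddress, RecipientAddress, Subject,
                                  Status, FromIP, ToIP, Size, MessageId, MessageTraceId |
                Export-Csv -Path $outFile -NoTypeInformation -Append -Encoding UTF8
        }
        $page++
    } while ($rows.Count -eq 5000)
    # Record the window end only after a successful export.
    $end.ToString('o') | Set-Content $StateFile
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```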

Honored Contributor.

Re: Office 365 Exchange Message Tracking logs - How to

Hi Sharan,

A copy of the script would be great, thank you!

I too have a support ticket open, but it is just going back and forth.

I asked support to verify whether the connector should or shouldn't pull Exchange tracking/tracing logs. Still no definitive answer. They have said that the connector pulls everything from the Management API made available in the O365 portal as per the documentation, parsed or not parsed. Therefore, if the tracking logs were made available, we'd see them as unparsed. They have deferred the case to Microsoft for us to find out what's available through their API.

We have set the following in the connector properties file:

agents[0].content.types.more=Audit.General,DLP.All
agents[0].unparsedevents.log.enabled=true

to make sure we get everything out.

Respected Contributor.

Re: Office 365 Exchange Message Tracking logs - How to

Hello,

 

I apologize for the delay. I am attaching the sample script. You have to use a parser to parse them.

Please modify accordingly. Let me know if you need any help.

 

regards

Sharan Bhat

Respected Contributor.

Re: Office 365 Exchange Message Tracking logs - How to

Support had told me that there was no other option with respect to the O365 connector and they have included this as a feature request. So this is the only option for now.

 

regards

Sharan Bhat

Micro Focus Frequent Contributor

Re: Office 365 Exchange Message Tracking logs - How to

Hello guys.

Do you have any updated script? Is the PowerShell script still working well?

Thank you!
