Captain
Captain
1249 views

Office 365

Our O365 just stop processing logs and it gives me the following error:

2017-03-20 15:08:48,410][WARN ][default.com.arcsight.agent.loadable.agent._Office365RestApiConnector][processEvents] The available content info [{"contentCreated":"2017-03-20T20:08:27.373Z","contentUri":"https://manage.office.com/api/v1.0/xxx11111-xx11-1111-xx11-1111111496X1/activity/feed/audit/20170320200827373004919$20170320200827373004919$audit_sharepoint$Audit_SharePoint","contentId":"20170320200827373004919$20170320200827373004919$audit_sharepoint$Audit_SharePoint","contentType":"Audit.SharePoint","contentExpiration":"2017-03-27T20:08:27.373Z"}] has expired. No events processed.

[2017-03-20 15:08:48,410][ERROR][default.com.arcsight.agent.bu.d][hasExpired] Failed to parse the available content expiration date [2017-03-27T20:08:40.502Z].

[2017-03-20 15:08:48,410][ERROR][default.com.arcsight.agent.bu.d][hasExpired]

java.text.ParseException: Unparseable date: "2017-03-27T20:08:40.502Z"

  at java.text.DateFormat.parse(DateFormat.java:366)

Labels (2)
0 Likes
8 Replies
Ensign
Ensign

I have the same issue. I opened a case at software support.

I received the following information:

- the problem is due to a change in timestamp format on certain fields coming from Office 365 (for example hasExpired, contentExpiration). Previously the format went to only seconds, now it includes milliseconds ;

- we have an existing bug open for this, with refernece CON-18868.

- it looks like this cannot be fixed with an override, because it requires a fix to the framework (software)

I also opened a case at Microsoft. I will keep you updated.

0 Likes
Captain
Captain

Thanks Sander,  I opened a ticket also with HP and got the same feedback.

0 Likes
Captain
Captain

This issue has been fix now with ArcSight-7.5.1.7998.0-Connector.

0 Likes
Commodore Commodore
Commodore

Hi Richel,

Thank you for sharing this. I just updated to parser 7.5.2.8001.0 and the same error about parsing the date still appears. I also tried 7.5.1.7998.0. The parser update to 7.5.1.7998 resolved the issue for you? I opened a ticket with Microsoft in the meantime.

Thanks!

0 Likes
Ensign
Ensign

I received the same fix from HPE. From what I was told, the next framework release will have this fix embedded.

Contacting Microsoft resulted in the following comment:

"From our side we have always used the milliseconds on the timestamps of the logs, although this may be a change to that specific log that still was not implemented, this type of increment will not be erased and it is not possible to change, as this is a configuration on the API which is available to everyone."

@Katherine Riley parser updates will not solve this issue. You can contact HPE support and ask for the fix as a temporary solution.

0 Likes
Commodore Commodore
Commodore

Thank you for the update, ! Much appreciated.

0 Likes
Commodore Commodore
Commodore

HP provided me with a version of the SmartConnector framework (7.5.1.7998.0) that is not currently posted on their downloads page or in the Marketplace. After installing it, the date issue has been resolved.

Thanks again!

0 Likes
Captain
Captain

The officially fix will be the  new framework 7.6 that will be release end of month I think.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.