Page Comparison

Table of Contents

minLevel	2
maxLevel	2
type	flat

Service description

...

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration	Details
Microsot Azure account	It is a requirement to have an account so you can run this collector.
Microsoft 365 account	It is a requirement to have an account so you can run this collector.

Info

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

Office 365 is a widely adopted productivity suite from Microsoft. The suite includes Microsoft Exchange Online collaboration service for email, calendars, contacts, and tasks. Message tracking, or message tracing, as it is called in Office 365, is one of the most basic tools used by administrators to monitor the email flow. As emails travel through Office 365, some information about them gets

Some email information is stored in logs and is available for administrative purposes. No matter if users delete or purge messages, the administrator is able to view basic information about The administrator will be able to see sent and received emails even though the user has deleted or purged them.

Data source description

...

Data source

...

Message Reports

...

Description

...

Reports for every email sent and received through the Exchange Online organization

...

API endpoint

...

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace

...

Collector service name

...

office365_exchange_message_service

...

Devo data table

...

cloud.office365.messagetracing

Vendor setup

In order to configure the integration between Devo and Office 365 Exchange Message Tracing, you need to create an Office 365 user that will be used to authenticate API requests.

The account must have administrative permissions in the Office 365 organization. If the account can view reports in the Office 365 control panel, then the account has permission to retrieve the data from the REST web service. This API requires the user to be assigned to the View-Only Recipients role.

In the default Office 365 permissions structure, users with the following administrator permissions can access this report: billing administrator, global administrator, password administrator, service administrator, and user management administrator.

Learn more about this in the product documentation.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

...

Rw tab

title	Cloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

Rw tab

title	On-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the Office 365 Exchange Message Tracing collector:

Code Block

<any_directory>
└── devo-collectors/
    └── devo-collector-office365tracing/
          ├── certs/
          │ ├── chain.crt
          │ ├── <your_domain>.key
          │ └── <your_domain>.crt
          └── config/
              └── config-office365tracing.yaml

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in devo-collectors-office365tracing/certs/. Learn more about security credentials in Devo here.

...

Editing the config.yaml file

Code Block

globals:
  debug: true
  id: <collector_id>
  name: <collector_name>
  persistence:
    type: filesystem
    config:
      directory_name: state
  multiprocessing: <multiprocessing_mode>

outputs:
  devo_1:
    type: devo_platform
    config:
      address: <devo_address>
      port: 443
      type: SSL
      chain: <chain_filename>
      cert: <cert_filename>
      key: <key_filename>
inputs:
  office365_exchange_message:
    id: <input_id>
    enabled: <input_status>
    requests_per_second: <request_per_seconds>
    credentials:
      username: <creds_username>
      password: <creds_password>
    services:
      office365_exchange_message_service:
        request_period_in_seconds: <period_in_seconds>
        reset_persistence_auth: <reset_persistence_auth>
        override_time_delay_in_hours: <delay_in_hours>

Replace these placeholders with the required values:

...

Parameter

...

Data type

...

Type

...

Value range

...

Details

...

cert_filename

...

str

...

Mandatory

...

Minimum length: 4
Maximum length: 20

...

Use this param to identify the file.cert downloaded from your Devo domain.

...

chain_filename

...

str

...

Mandatory

...

Minimum length: 4
Maximum length: 20

...

Use this param to identify the certificate file downloaded from your Devo domain. Usually, this file's name is chain.crt

...

collector_id

...

int

...

Mandatory

...

Minimum length: 1
Maximum length: 5

...

Use this param to give a unique ID to this collector.

...

collector_name

...

str

...

Mandatory

...

Minimum length: 1
Maximum length: 10

...

Use this param to give a valid name to this collector.

...

creds_password

...

str

...

Mandatory

...

Any

...

Password to authenticate to the service.

...

creds_username

...

str

...

Mandatory

...

Email format: username@domain.com

...

Username to authenticate to the service.

...

delay_in_hours

...

int

...

Optional

...

Minimum value: 1
Maximum value: 48

...

Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25-hour delay. This parameter allows you to customize this delay.

A value less than 25 hours could cause the loss of events in large infrastructures.

This parameter can be left blank, removed, or commented.

...

devo_address

...

str

...

Mandatory

...

collector-us.devo.io
collector-eu.devo.io

...

Use this param to identify the Devo Cloud where the events will be sent.

...

input_id

...

int

...

Mandatory

...

Minimum length: 1
Maximum length: 5

...

Use this param to give a unique ID to this input service.

...

input_status

...

bool

...

Mandatory

...

false / true

...

If the value is true, the input definition will be executed. If the value is false, the service will be ignored.

...

key_filename

...

str

...

Mandatory

...

Minimum length: 4
Maximum length: 20

...

Use this param to identify the file.key downloaded from your Devo domain.

...

period_in_seconds

...

int

...

Optional

...

Minimum length: 1

...

By default, this service will run every 60 seconds. This parameter allows you to customize this behavior.

This parameter can be left blank, removed, or commented.

...

requests_per_second

...

int

...

Optional

...

Minimum value: 1

...

Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec

This parameter can be left blank, removed, or commented.

...

reset_persistence_auth

...

int

...

Optional

...

Date format: YYYY-MM-DD

...

This parameter allows you to clear the persistence of the collector and restart the download pipeline.

Updating this value will produce the loss of all persisted data and current pipelines.

This parameter can be left blank, removed, or commented.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

...

Collector Docker image

...

SHA-256 hash

...

collector-office365tracing-docker-image-1.3.0.tgz

...

77414d74493a34a45ef37afcb098a8f56ab26e8577978cf3d2086901aa30774b

Code Block
gunzip -c collector-office365tracing-docker-image-<version>.tgz \| docker load

Info
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace "`<version>`" with a proper value.

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/office365tracing/

Code Block

docker run \
--name collector-office365tracing\
--volume $PWD/certs:/devo-collector/certs \
--volume $PWD/config:/devo-collector/config \
--volume $PWD/state:/devo-collector/state \
--env CONFIG_FILE=config-office365tracing.yaml \
--rm -it docker.devo.internal/collector/office365tracing:<version>

Note
Replace `<version>` with a proper value.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/office365tracing/ directory.

Code Block

version: '3'
services:
  collector-office365tracing:
    image: docker.devo.com/collector/office365tracing:${IMAGE_VERSION:-latest}
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config-office365tracing.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/office365tracing/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d

Note
Replace `<version>` with a proper value.

API limitations

The following are some API limitations that you must consider:

...

Resource URI

...

GET

...

POST

...

PUT

...

DELETE

...

/auditlogEntryReport

...

2/sec and 1000/hr

...

10/min and 40/hour

...

-

...

2/sec and 1000/hr

...

/auditlogEntryReport/download

...

2/sec and 1000/hr

...

-

...

-

...

With message tracing, you can’t see the content of the messages but you can get very useful information such as:

Sender and recipient.
Send and received dated.
Subject and size of the email.
Status and details of events. There are seven possible values in the delivery status field: delivered, failed, pending, expanded, quarantined, filtered as spam, and unknown.
IP address used to send the message.
Message ID: This is a unique number that identifies the message. If a message is sent to more than one recipient it will display once for every recipient, but all will have the same Message ID.

Note

Message tracking logs

You won’t be able to edit the messages in Office 365 since they are not simple text files. To do that you can use message tracking logs in on-prem Exchange that allow you to edit them directly since they are simple text files.

Devo collector features

Feature	Details
Allow parallel downloading (`multipod`)	`Not allowed`
Running environments	`Collector server` `On-premise`
Populated Devo events	`Table`
Flattening preprocessing	`No`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Message Reports	Reports for every email sent and received through the Exchange Online organization	`https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace`	`office365_exchange_message_service`	`cloud.office365.messagetracing`	`2.0.0`

For more information on how the events are parsed, visit our page.

Anchor

	vendor-setup
	vendor-setup

Vendor setup

There are some minimal requirements to enable this collector:

Microsoft Azure account: The account must be able to register applications and assign roles.
Microsoft Office 365 account: The account must have administrative permissions in the Office 365 organization.

There are some configurations you need to do to enable the collector.

Expand

title	Register the application in Microsoft Azure

Go to Microsoft Azure and log in with your account.
Navigate the App registration blade (you can search for it in the search toolbar).
Click on the + New Registration button.
Give the application a name. If needed change the Supported account types.
Click the Register button.

Expand

title	Obtain the client credentials

On the Overview page, search for your application in the list.
Under the Essentials section, copy the Application (client) ID and Directory (tenant) ID values.
On the left side menu, navigate to the Certificates & secrets page.
Click on + New client secret button.
Set a description and an expiration for the secret.
Click on the Add button.
Copy its Value field.

Expand

title	Grant the required API permissions

On the left side panel of your previously registered application, navigate to the API permissions page.
Click the + Add a permission button.
On the right side modal, navigate the APIs my organization uses tab.
Select Office 365 Exchange Online entry from the list - you can use the search bar tool to find it -.
Click the Application permissions button.
Under the ReportingWebService section, mark the ReportingWebService.Read.All permission.
Click the Add permissions button.
Click ✓ Grant admin consent for {your_domain} button and then on the Yes button on the appeared modal.
To verify that the permission was correctly added, execute the following cURL command replacing (or assigning) the $CLIENT_ID, $CLIENT_SECRET, and $TENANT_ID shell variables with the credentials you obtained in the previous instructions:
Code Block
$ curl -d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&resource=https://outlook.office365.com" -X POST https://login.windows.net/$TENANTID/oauth2/token
A JSON response will be received containing an "access_token" field. By copying its value and pasting it on the jwt.ms: Welcome! web page, the token will appear decoded. Inside, there must be a "roles" field whose value is an array containing the ReportingWebService.Read.All permission. Otherwise, the permissions have not been correctly added.

Expand

title	Add the required role for the application

Navigate the Azure Active Directory blade (you can search for it in the search bar on the top).
On the left-side menu, navigate to the Roles and administrators page.
In the list, search for either the Global Reader or Security Reader role (both are valid) and click on it to select it.
Click the + Add assignments button.
On the right-side modal, use the search bar to find the application you created. Search by either its name (make sure you write the whole name, not only parts of it) or its Client ID in case you cannot find it. Once it appears on the list, select it.
Click the Add button.
To verify that the role has been correctly assigned, execute the following cURL command replacing (or assigning) the $REPORTING_TOKEN shell variable with the token you obtained in the previous instructions:
Code Block
$ curl -i -H "Authorization: Bearer $REPORTING_TOKEN" https://reports.office365.com/ecp/ReportingWebService/Reporting.svc
This response will include the HTTP Response code and headers (note the -i parameter). You should expect to get an HTTP 200 OK response with an XML containing at least the <atom:title>MessageTrace</atom:title> tag. Other responses will be incorrect; here are some examples and their explanation:
1. 401 - Unauthorized: Access is denied due to invalid credentials.: your token is either invalid or outdated. Review the previous instructions to obtain a working token.
2. No permission to access the report for the organization.: The role has not been properly assigned. Review these instructions to do it.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

Info
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting	Details
`tenant_id`	This is the Tenant ID you copied during the Obtain the client credentials step from the Vendor setup section.
`client_id`	This is the Application (client) ID you copied during the Obtain the client credentials step from the Vendor setup section.
`client_secret`	This is the created secret’s Value field you copied during the Obtain the client credentials step from the Vendor setup section.

Info
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method

Username

Password

Tenant ID

Client ID

Client Secret

Modern OAuth2 Auth

Status

colour	Green
title	REQUIRED

Status

colour	Green
title	REQUIRED

Status

colour	Green
title	REQUIRED

Basic User/Password Auth

Status

colour	Red
title	DEPRECATED

Status

colour	Red
title	DEPRECATED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Rw ui tabs macro

Rw tab

title	On-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block

<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml

Note
Replace `<product_name>` with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Image Added

Note
Replace `<product_name>` with the proper value.

Editing the config.yaml file

Code Block

globals:
  debug: <enable_debug_logs>
  id: not_used
  name: o365_emt_collector
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  devo_1:
    type: devo_platform
    config:
      address: collector-us.devo.io
#      address: collector-eu.devo.io
      port: 443
      type: SSL
      chain: chain.crt
      cert: <devo_domain>.crt
      key: <devo_domain>.key
inputs:
  office365_exchange_message:
    id: <short_unique_id>
    enabled: <input_status>
    requests_per_second: <requests_per_second_value>
    max_historic_date_cutoff_days_back: <max_historic_date_cutoff_days_back_value>
    max_historic_date_margin_seconds: <max_historic_date_margin_seconds_value>
    credentials:
      tenant_id: <tenant_id_value>
      client_id: <client_id_value>
      client_secret: <client_secret_value>
    services:
      office365_exchange_message_service:
        request_period_in_seconds: <request_period_in_seconds_value>
        reset_persistence_auth: <reset_persistence_auth_value>
        override_time_delay_in_seconds: <override_time_delay_in_seconds_value>

Info
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the `services` object.

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range / Format

Details

<enable_debug_logs>

bool

Mandatory

false / true

This will make the collector generate (or not) log messages with the DEBUG level.

<short_unique_id>

int

Mandatory

YMMDD

Use this param to give a unique id to this input service.

Note
This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

<input_status>

bool

Mandatory

false / true

Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.

<requests_per_second_value>

int

Optional

Minimum value: 1

Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec.

Info
This parameter should be removed if it is not used.

<max_historic_date_cutoff_days_back_value>

int

Optional

Minimum value: 1

Maximum value: 1,000,000

When the collector is initially run, it will perform a historical pulling from the current date minus the value of this parameter. The default value is 10 (the API does not allow querying more than 10 days back).

Info
This parameter should be removed if it is not used.

<max_historic_date_margin_seconds_value>

int

Optional

Minimum value: 1

Maximum value: 86,400,000,000

It happens that between when this date is calculated and when it is used, the difference might be larger than 10 days, so the request will fail. To avoid it, we establish a margin that can be configured using this parameter. Its default value is 60.

Info
This parameter should be removed if it is not used.

<tenant_id_value>

str

Mandatory

Minimum length: 1

This is the Tenant ID you copied during the Obtain the client credentials step from the Vendor setup section.

<client_id_value>

str

Mandatory

Minimum length: 1

This is the Application (client) ID you copied during the Obtain the client credentials step from the Vendor setup section.

<client_secret_value>

str

Mandatory

Minimum length: 1

This is the created secret’s Value field you copied during the Obtain the client credentials step from the Vendor setup section.

<request_period_in_seconds_value>

int

Optional

Minimum value: 1

The amount (in seconds) in which the service’s collection is scheduled.

Info
This parameter should be removed if it is not used.

<reset_persistence_auth_value>

str

Optional

Date format: YYYY-MM-DD

This parameter allows you to clear the persistence of the collector and restart the download pipeline.

Note
Updating this value will produce the lost of all persisted data and current pipelines.

Info
This parameter should be removed if it is not used.

<override_delay_in_seconds_value>

int

Optional

Minimum value: 1
Maximum value: 172,800

Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hour delay. This parameter allows you to customize this delay.

Note
A value less than 25 hours could cause the loss of events in large infrastructures.

Info
This parameter should be removed if it is not used.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image	SHA-256 hash
collector-office365_exchange_message_tracing-2.0.0	`1031d89a3e6febe88dbdf3abf11c46e6e99aa9504848173b83ebcbdc97669671`

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz \| docker load

Note
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace `<image_file>` and `<version>` with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block

docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block

version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Rw tab

title	Cloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Expand

title	Verify data collection

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component	Description
Setup	The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller	The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Code Block

INFO InputProcess::MainThread -> Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Starting thread
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Puller Setup started
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> We do not have a token. Getting a new one from the server.
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Attempting to get OAuth2 token from O365 Message Tracing server....
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Successfully received JWT token from https://login.microsoftonline.com/{your-tenant-id}/oauth2/token which expires in 3599 seconds
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Puller Setup terminated
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Setup for module <Office365ExchangeMessageTracePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Info
Note that the `PrePull` action is executed only one time before the first run of the `Pull` action.

Code Block

   INFO InputProcess::MainThread -> Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread
WARNING InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Waiting until setup will be executed
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Due to remote API requirements, this collector cannot request data less than <90000> seconds or older than 11 days
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Retrieved state from the persistence -> None
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> No saved state found, applying values by default
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Validating the start and end time based on the maximum threshold (-11 days): 2022-12-11T14:17:16.229112
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> The persistence has been modified. Saving state as {'start_time': '2022-12-20T12:02:16.228314', 'buffer': [], 'end_time': None, 'dynamic_buffer': [], 'dynamic_buffer_received': None, 'next_link': None, 'requests_made': 0, 'events_retrieved_count': 0, 'reset_persistence_auth': None, 'filtered_events': 0, 'time_delay_in_seconds': 90000}
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Starting data collection every 60 seconds
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Pull started
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Running a new pipeline (2022-12-20T12:02:16.228314 - 2022-12-20T12:17:16.228314)
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Requesting data. URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate eq datetime'2022-12-20T12:02:16.228314Z' and EndDate eq datetime'2022-12-20T12:17:16.228314Z'
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> 0 Events retrieved from the last API call.
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> No events detected. Pull Summary: 1 request(s) made, 0 event(s) filtered, 0 event(s) sent to Devo. Using tag: cloud.office365.messagetracing. Period from 2022-12-20T12:02:16.228314 to 2022-12-20T12:17:16.228314
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Savepoint reached: Updating persistence with -> {'start_time': '2022-12-20T12:17:16.228314', 'buffer': [], 'end_time': None, 'dynamic_buffer': [], 'dynamic_buffer_received': None, 'next_link': None, 'requests_made': 0, 'events_retrieved_count': 0, 'reset_persistence_auth': None, 'filtered_events': 0, 'time_delay_in_seconds': 90000}
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> A new pipeline has been completed
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Remote data is up to date!
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Data collection completed. Elapsed time: 2.923 seconds. Waiting for 57.077 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Code Block

INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Data collection completed. Elapsed time: 2.923 seconds. Waiting for 57.077 second(s) until the next one

Info
The value `@devo_pulling_id` is injected in each event to group all events ingested by the same pull action. You can use it to get the exact events downloaded in that `Pull` action in Devo’s search window.

Expand

title	Restart the persistence

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the reset_persistence_auth parameter to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Note
Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

Expand

title	Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type	Error ID	Error message	Cause	Solution
SetupError	100	`Authentication failed: [...]`	When asking for a token, we received an Unauthorized (401) HTTP response code.	The error details will be provided in the error message, but make sure you registered App has the right API permissions and the corect role assigned.
	101	`Unexpected status code when fetching Office365ExchangeMessageTrace JWT: [...]`	When asking for a token, we received an unsuccesful response.	The error details will be provided in the error message.
	102	`Error occurred while accessing the access_token: [...]`	An unexpected error occurred.	The error details will be provided in the error message.
InitVariablesError	0	`module_properties section does not exist on the configuration file or is empty. Contact Devo.`	This is an internal error.	Reach Devo Support.
	0	`credentials section does not exist on the configuration file or is empty`	The `credentials` section is missing from the config	Make sure it exists.
	1	`module_properties section is not a valid <dict> object. Contact Devo.`	This is an internal error.	Reach Devo Support.
	1	`credentials section is not a valid <dict> object`	The `credentials` section does not have any settings.	Make sure it has the required properties.
	2	`base_auth_url doesn't exist on the configuration file or is empty`	The `base_auth_url` is missing.	Make sure it exists and has a correct value.
	2	`base_resource_url doesn't exist on the configuration file or is empty`	The `base_resource_url` is missing.	Make sure it exists and has a correct value.
	2	`tenant_id doesn't exist on the configuration file or is empty`	The `tenant_id` is missing.	Make sure it exists and has a correct value.
	3	`base_auth_url must be an string`	The `base_auth_url` paramater has a type other than string.	Make sure it is a string and has a correct value.
	3	`base_resource_url must be an string`	The `base_resource_url` paramater has a type other than string.	Make sure it is a string and has a correct value.
	3	`tenant_id must be an string`	The `tenant_id` paramater has a type other than string.	Make sure it is a string and has a correct value.
	4	`client_id doesn't exist on the configuration file or is empty`	The `client_id` is missing.	Make sure it exists and has a correct value.
	4	`client_secret doesn't exist on the configuration file or is empty`	The `client_secret` is missing.	Make sure it exists and has a correct value.
	5	`client_id must be an string`	The `client_id` paramater has a type other than string.	Make sure it is a string and has a correct value.
	5	`client_secret must be an string`	The `client_secret` paramater has a type other than string.	Make sure it is a string and has a correct value.
	6	`base_tag doesn't exist on the configuration file or is empty`	The `base_tag` is missing.	Make sure it exists and has a correct value.
	7	`base_tag must be an string`	The `base_tag` paramater has a type other than string.	Make sure it is a string and has a correct value.
	8	`base_url doesn't exist on the configuration file or is empty`	The `base_url` is missing.	Make sure it exists and has a correct value.
	9	`base_url must be an string`	The `base_url` paramater has a type other than string.	Make sure it is a string and has a correct value.
	10	`time_delay_in_seconds doesn't exist on the configuration file or is empty`	The `time_delay_in_seconds` is missing.	Make sure it exists and has a correct value.
	11	`time_delay_in_seconds must be an string`	The `time_delay_in_seconds` paramater has a type other than string.	Make sure it is a string and has a correct value.
	12	`requests_timeout_in_seconds doesn't exist on the configuration file or is empty`	The `requests_timeout_in_seconds` is missing.	Make sure it exists and has a correct value.
	13	`requests_timeout_in_seconds is not a float instance`	The `requests_timeout_in_seconds` paramater has a type other than float.	Make sure it is a float and has a correct value.
	14	`requests_retries_before_error_in_units doesn't exist on the configuration file or is empty`	The `requests_retries_before_error_in_units` is missing.	Make sure it exists and has a correct value.
	15	`requests_retries_before_error_in_units is not an int instance`	The `requests_retries_before_error_in_units` paramater has a type other than int.	Make sure it is a int and has a correct value.
	16	`requests_wait_time_between_retries_in_seconds doesn't exist on the configuration file or is empty`	The `requests_wait_time_between_retries_in_seconds` is missing.	Make sure it exists and has a correct value.
	17	`requests_wait_time_between_retries_in_seconds is not an int instance`	The `requests_wait_time_between_retries_in_seconds` paramater has a type other than int.	Make sure it is a int and has a correct value.
	18	`Optional setting: <reset_persistence_auth> not of expected type: str`	The `time_delay_in_seconds` paramater has a type other than string.	Make sure it is a string and has a correct value.
	19	`Optional setting: <override_time_delay_in_seconds> not of expected type: int`	The `time_delay_in_seconds` paramater has a type other than integer.	Make sure it is an integer and has a correct value.
	20	`Optional setting: <override_time_delay_in_seconds> is out of range (1 to 90000)`	The `time_delay_in_seconds` paramater is out of the mentioned range.	Make sure it is inside the indicated range.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Expand

title	Verify collector operations

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Code Block

INFO MainProcess::MainThread -> {"build_time": "UNKNOWN", "os_info": "macOS-12.6.1-x86_64-i386-64bit", "collector_name": "o365_emt_collector", "collector_version": "2.0.0", "collector_owner": "integrations_factory@devo.com", "started_at": "2022-12-21T13:17:14.405816Z"}
INFO MainProcess::MainThread -> (CollectorMultiprocessingQueue) standard_queue_multiprocessing -> max_size_in_messages: 10000, max_size_in_mb: 1024, max_wrap_size_in_items: 100
INFO MainProcess::MainThread -> [OUTPUT] OutputMultiprocessingController::__init__ Configuration -> {[...]}
INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=300s)
INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=300s)
INFO InputProcess::MainThread -> InputThread(office365_exchange_message,<short_unique_id>) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> ServiceThread(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Starting thread
INFO InputProcess::MainThread -> Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Code Block

INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Sender: SyslogSender(standard_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Standard - Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 44 (elapsed 0.007 seconds)
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Sender: SyslogSender(internal_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Internal - Total number of messages sent: 1, messages sent since "2022-06-28 10:39:22.516313+00:00": 1 (elapsed 0.019 seconds)

Info
By default, these information traces will be displayed every 10 minutes.

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services	Description
`internal_senders`	In charge of delivering internal metrics to Devo such as logging traces or metrics.
`standard_senders`	In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Info
This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.
21 events where sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.

Info
By default these traces will be shown every 10 minutes.

Expand

title	Check memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Code Block

INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)

Info

Differences between RSS and VMS memory usage:

RSS is the Resident Set Size, which is the actual physical memory the process is using
VMS is the Virtual Memory Size which is the virtual memory that process is using

Expand

title	Enable/disable the logging debug mode

Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.

To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.
To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.

For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.

Change log for v1.x.x

Release

Released on

Release type

Details

Recommendations

v2.0.0

23 Dec 2022

Status

colour	Purple
title	NEW FEATURE

Status

colour	Green
title	IMPROVEMENT

New features:

New OAuth2 authentication method; basic authentication deprecated.
New max_historic_date_cutoff_days_back and max_historic_date_margins_second parameters to customize historic pulling.

Improvements:

Puller setup is now handled in its own class.

Recommended version

Version	Old Version 4	New Version 5
Changes made by	Former user	Former user
Saved on	Dec 27, 2022	Dec 28, 2022

Versions Compared

Key

Service description

Configuration requirements

Overview

Data source description

Vendor setup

Run the collector

Structure

Devo credentials

Editing the config.yaml file

Download the Docker image

Docker

Docker Compose

API limitations

Devo collector features

Data sources

Vendor setup

Minimum configuration required for basic pulling

Accepted authentication methods

Run the collector

Structure

Devo credentials

Editing the config.yaml file

Download the Docker image

Docker

Docker Compose

Collector services detail

Events service

Setup output

Puller output

Collector operations

Initialization

Events delivery and Devo ingestion

Sender services

Sender statistics

Change log for v1.x.x