Versions Compared

Old Version 14

changes.mady.by.user Former user

Saved on

compared with

New Version 15

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel2
maxLevel2
typeflat

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

...

Configuration

...

Details

...

Microsot Azure account

...

It is a requirement to have an account so you can run this collector.

...

Microsoft 365 account

...

It is a requirement to have an account so you can run this collector.

Info

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

...

Overview

Microsoft 365 is a widely adopted productivity suite from Microsoft. The suite includes Microsoft Exchange Online collaboration service for email, calendars, contacts, and tasks. Message tracing is one of the basic tools used by administrators to monitor email flow.

...

Note

Message tracking logs

You won’t be able to edit the messages in Office 365 since they are not simple text files. To do that you can use message tracking logs in on-prem Exchange that allow you to edit them directly since they are simple text files.

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration

Details

Microsot Azure account

It is a requirement to have an account so you can run this collector.

Microsoft 365 account

It is a requirement to have an account so you can run this collector.

Info

More information

Refer to the Vendor setup section to know more about these configurations.

Devo collector features

Feature

Details

Allow parallel downloading (multipod)

Not allowed

Running environments

Collector server

On-premise

Populated Devo events

Table

Flattening preprocessing

No

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Message Reports

Reports for every email sent and received through the Exchange Online organization

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace

office365_exchange_message_service

cloud.office365.messagetracing

2.0.0

...

Anchor
vendor-setup
vendor-setup

Vendor setup

There are some minimal requirements to enable this collector:

...

Expand
titleAdd the required role for the application

  1. Navigate the Azure Active Directory blade (you can search for it in the search bar on the top).

  2. On the left-side menu, navigate to the Roles and administrators page.

  3. In the list, search for the Global Reader and click on it to select it.

  4. Click the + Add assignments button.

  5. On the right-side modal, use the search bar to find the application you created. Search by either its name (make sure you write the whole name, not only parts of it) or its Client ID in case you cannot find it. Once it appears on the list, select it.

  6. Click the Add button.

  7. To verify that the role has been correctly assigned, execute the following cURL command replacing (or assigning) the $REPORTING_TOKEN shell variable with the token you obtained in the previous instructions:

    Code Block
    $ curl -i -H "Authorization: Bearer $REPORTING_TOKEN" https://reports.office365.com/ecp/ReportingWebService/Reporting.svc

    This response will include the HTTP Response code and headers (note the -i parameter). You should expect to get an HTTP 200 OK response with an XML containing at least the <atom:title>MessageTrace</atom:title> tag. Other responses will be incorrect; here are some examples and their explanation:

    1. 401 - Unauthorized: Access is denied due to invalid credentials.: your token is either invalid or outdated. Review the previous instructions to obtain a working token.

    2. No permission to access the report for the organization.: The role has not been properly assigned. Review these instructions to do it.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

...

Info

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method

Username

Password

Tenant ID

Client ID

Client Secret

Modern OAuth2 Auth

 

 

Status
colourGreen
titleREQUIRED

Status
colourGreen
titleREQUIRED

Status
colourGreen
titleREQUIRED

Basic User/Password Auth

Status
colourRed
titleDEPRECATED

Status
colourRed
titleDEPRECATED

 

 

 

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Rw ui tabs macro
Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: <enable_debug_logs>
  id: not_used
  name: o365_emt_collector
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  devo_1:
    type: devo_platform
    config:
      address: collector-us.devo.io
#      address: collector-eu.devo.io
      port: 443
      type: SSL
      chain: chain.crt
      cert: <devo_domain>.crt
      key: <devo_domain>.key
inputs:
  office365_exchange_message:
    id: <short_unique_id>
    enabled: <input_status>
    requests_per_second: <requests_per_second_value>
    max_historic_date_cutoff_days_back: <max_historic_date_cutoff_days_back_value>
    max_historic_date_margin_seconds: <max_historic_date_margin_seconds_value>
    credentials:
      tenant_id: <tenant_id_value>
      client_id: <client_id_value>
      client_secret: <client_secret_value>
    services:
      office365_exchange_message_service:
        request_period_in_seconds: <request_period_in_seconds_value>
        reset_persistence_auth: <reset_persistence_auth_value>
        override_time_delay_in_seconds: <override_time_delay_in_seconds_value>
Info

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range / Format

Details

<enable_debug_logs>

bool

Mandatory

false / true

This will make the collector generate (or not) log messages with the DEBUG level.

<short_unique_id>

int

Mandatory

YMMDD

Use this param to give a unique id to this input service.

Note

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

<input_status>

bool

Mandatory

false / true

Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.

<requests_per_second_value>

int

Optional

Minimum value: 1

Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec.

Info

This parameter should be removed if it is not used.

<max_historic_date_cutoff_days_back_value>

int

Optional

Minimum value: 1

Maximum value: 1,000,000

When the collector is initially run, it will perform a historical pulling from the current date minus the value of this parameter. The default value is 10 (the API does not allow querying more than 10 days back).

Info

This parameter should be removed if it is not used.

<max_historic_date_margin_seconds_value>

int

Optional

Minimum value: 1

Maximum value: 86,400,000,000

It happens that between when this date is calculated and when it is used, the difference might be larger than 10 days, so the request will fail. To avoid it, we establish a margin that can be configured using this parameter. Its default value is 60.

Info

This parameter should be removed if it is not used.

<tenant_id_value>

str

Mandatory

Minimum length: 1

This is the Tenant ID you copied during the Obtain the client credentials step from the Vendor setup section.

<client_id_value>

str

Mandatory

Minimum length: 1

This is the Application (client) ID you copied during the Obtain the client credentials step from the Vendor setup section.

<client_secret_value>

str

Mandatory

Minimum length: 1

This is the created secret’s Value field you copied during the Obtain the client credentials step from the Vendor setup section.

<request_period_in_seconds_value>

int

Optional

Minimum value: 1

The amount (in seconds) in which the service’s collection is scheduled.

Info

This parameter should be removed if it is not used.

<reset_persistence_auth_value>

str

Optional

Date format: YYYY-MM-DD

This parameter allows you to clear the persistence of the collector and restart the download pipeline.

Note

Updating this value will produce the lost of all persisted data and current pipelines.

Info

This parameter should be removed if it is not used.

<override_delay_in_seconds_value>

int

Optional

Minimum value: 1
Maximum value: 172,800

Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hour delay. This parameter allows you to customize this delay.

Note

A value less than 25 hours could cause the loss of events in large infrastructures.

Info

This parameter should be removed if it is not used.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-office365_exchange_message_tracing-2.1.1

7344e30169c1c438a5a9b431a4c37733d5104d9abe01ef4d6061640938630b17

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

  1. In the Collector Server GUI, access the domain in which you want this instance to be created

  2. Click Add Collector and find the one you wish to add.

  3. In the Version field, select the latest value.

  4. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

  5. In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.

  6. In the Parameters section, establish the Collector Parameters as follows below:

Editing the JSON configuration

Code Block
{
   "global_overrides": {
      "debug": <enable_debug_logs>
   },
   "inputs": {
      "office365_exchange_message": {
         "id": <short_unique_id>,
         "enabled": <input_status>,
         "requests_per_second": <requests_per_second_value>,
         "max_historic_date_cutoff_days_back": "<max_historic_date_cutoff_days_back_value>",
         "max_historic_date_margin_seconds": "<max_historic_date_margin_seconds_value>",
         "credentials": {
            "tenant_id": "<tenant_id_value>",
            "client_id": "<client_id_value>",
            "client_secret": "<client_secret_value>"
         },
         "services": {
            "office365_exchange_message_service": {
               "request_period_in_seconds": <request_period_in_seconds_value>,
               "reset_persistence_auth": "<reset_persistence_auth_value>",
               "override_time_delay_in_seconds": <override_time_delay_in_seconds_value>
            }
         }
      }
   }
}
Info

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Please replace the placeholders with real world values following the description table below:

Parameter

Data type

Type

Value range / Format

Details

<enable_debug_logs>

bool

Mandatory

false / true

This will make the collector generate (or not) log messages with the DEBUG level.

<short_unique_id>

int

Mandatory

YMMDD

Use this param to give a unique id to this input service.

Note

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

<input_status>

bool

Mandatory

false / true

Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.

<requests_per_second_value>

int

Optional

Minimum value: 1

Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec.

Info

This parameter should be removed if it is not used.

<max_historic_date_cutoff_days_back_value>

int

Optional

Minimum value: 1

Maximum value: 1,000,000

When the collector is initially run, it will perform a historical pulling from the current date minus the value of this parameter. The default value is 10 (the API does not allow querying more than 10 days back).

Info

This parameter should be removed if it is not used.

<max_historic_date_margin_seconds_value>

int

Optional

Minimum value: 1

Maximum value: 86,400,000,000

It happens that between when this date is calculated and when it is used, the difference might be larger than 10 days, so the request will fail. To avoid it, we establish a margin that can be configured using this parameter. Its default value is 60.

Info

This parameter should be removed if it is not used.

<tenant_id_value>

str

Mandatory

Minimum length: 1

This is the Tenant ID you copied during the Obtain the client credentials step from the Vendor setup section.

<client_id_value>

str

Mandatory

Minimum length: 1

This is the Application (client) ID you copied during the Obtain the client credentials step from the Vendor setup section.

<client_secret_value>

str

Mandatory

Minimum length: 1

This is the created secret’s Value field you copied during the Obtain the client credentials step from the Vendor setup section.

<request_period_in_seconds_value>

int

Optional

Minimum value: 1

The amount (in seconds) in which the service’s collection is scheduled.

Info

This parameter should be removed if it is not used.

<reset_persistence_auth_value>

str

Optional

Date format: YYYY-MM-DD

This parameter allows you to clear the persistence of the collector and restart the download pipeline.

Note

Updating this value will produce the lost of all persisted data and current pipelines.

Info

This parameter should be removed if it is not used.

<override_delay_in_seconds_value>

int

Optional

Minimum value: 1
Maximum value: 172,800

Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hour delay. This parameter allows you to customize this delay.

Note

A value less than 25 hours could cause the loss of events in large infrastructures.

Info

This parameter should be removed if it is not used.

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Expand
titleVerify data collection

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Code Block
INFO InputProcess::MainThread -> Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Starting thread
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Puller Setup started
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> We do not have a token. Getting a new one from the server.
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Attempting to get OAuth2 token from O365 Message Tracing server....
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Successfully received JWT token from https://login.microsoftonline.com/{your-tenant-id}/oauth2/token which expires in 3599 seconds
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Puller Setup terminated
INFO InputProcess::Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Setup for module <Office365ExchangeMessageTracePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Info

Note that the PrePull action is executed only one time before the first run of the Pull action.

Code Block
   INFO InputProcess::MainThread -> Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread
WARNING InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Waiting until setup will be executed
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Due to remote API requirements, this collector cannot request data less than <90000> seconds or older than 11 days
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Retrieved state from the persistence -> None
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> No saved state found, applying values by default
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Validating the start and end time based on the maximum threshold (-11 days): 2022-12-11T14:17:16.229112
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> The persistence has been modified. Saving state as {'start_time': '2022-12-20T12:02:16.228314', 'buffer': [], 'end_time': None, 'dynamic_buffer': [], 'dynamic_buffer_received': None, 'next_link': None, 'requests_made': 0, 'events_retrieved_count': 0, 'reset_persistence_auth': None, 'filtered_events': 0, 'time_delay_in_seconds': 90000}
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Starting data collection every 60 seconds
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Pull started
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Running a new pipeline (2022-12-20T12:02:16.228314 - 2022-12-20T12:17:16.228314)
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Requesting data. URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate eq datetime'2022-12-20T12:02:16.228314Z' and EndDate eq datetime'2022-12-20T12:17:16.228314Z'
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> 0 Events retrieved from the last API call.
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> No events detected. Pull Summary: 1 request(s) made, 0 event(s) filtered, 0 event(s) sent to Devo. Using tag: cloud.office365.messagetracing. Period from 2022-12-20T12:02:16.228314 to 2022-12-20T12:17:16.228314
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Savepoint reached: Updating persistence with -> {'start_time': '2022-12-20T12:17:16.228314', 'buffer': [], 'end_time': None, 'dynamic_buffer': [], 'dynamic_buffer_received': None, 'next_link': None, 'requests_made': 0, 'events_retrieved_count': 0, 'reset_persistence_auth': None, 'filtered_events': 0, 'time_delay_in_seconds': 90000}
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> A new pipeline has been completed
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Remote data is up to date!
   INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Data collection completed. Elapsed time: 2.923 seconds. Waiting for 57.077 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Code Block
INFO InputProcess::Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) -> Data collection completed. Elapsed time: 2.923 seconds. Waiting for 57.077 second(s) until the next one
Info

The value @devo_pulling_id is injected in each event to group all events ingested by the same pull action. You can use it to get the exact events downloaded in that Pull action in Devo’s search window.

...

Expand
titleTroubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error message

Cause

Solution

SetupError

100

Authentication failed: [...]

When asking for a token, we received an Unauthorized (401) HTTP response code.

The error details will be provided in the error message, but make sure you registered App has the right API permissions and the corect role assigned.

101

Unexpected status code when fetching Office365ExchangeMessageTrace JWT: [...]

When asking for a token, we received an unsuccesful response.

The error details will be provided in the error message.

102

Error occurred while accessing the access_token: [...]

An unexpected error occurred.

The error details will be provided in the error message.

InitVariablesError

0

module_properties section does not exist on the configuration file or is empty. Contact Devo.

This is an internal error.

Reach Devo Support.

0

credentials section does not exist on the configuration file or is empty

The credentials section is missing from the config

Make sure it exists.

1

module_properties section is not a valid <dict> object. Contact Devo.

This is an internal error.

Reach Devo Support.

 

1

credentials section is not a valid <dict> object

The credentials section does not have any settings.

Make sure it has the required properties.

 

2

base_auth_url doesn't exist on the configuration file or is empty

The base_auth_url is missing.

Make sure it exists and has a correct value.

 

2

base_resource_url doesn't exist on the configuration file or is empty

The base_resource_url is missing.

Make sure it exists and has a correct value.

 

2

tenant_id doesn't exist on the configuration file or is empty

The tenant_id is missing.

Make sure it exists and has a correct value.

 

3

base_auth_url must be an string

The base_auth_url paramater has a type other than string.

Make sure it is a string and has a correct value.

 

3

base_resource_url must be an string

The base_resource_url paramater has a type other than string.

Make sure it is a string and has a correct value.

 

3

tenant_id must be an string

The tenant_id paramater has a type other than string.

Make sure it is a string and has a correct value.

 

4

client_id doesn't exist on the configuration file or is empty

The client_id is missing.

Make sure it exists and has a correct value.

 

4

client_secret doesn't exist on the configuration file or is empty

The client_secret is missing.

Make sure it exists and has a correct value.

 

5

client_id must be an string

The client_id paramater has a type other than string.

Make sure it is a string and has a correct value.

 

5

client_secret must be an string

The client_secret paramater has a type other than string.

Make sure it is a string and has a correct value.

 

6

base_tag doesn't exist on the configuration file or is empty

The base_tag is missing.

Make sure it exists and has a correct value.

 

7

base_tag must be an string

The base_tag paramater has a type other than string.

Make sure it is a string and has a correct value.

 

8

base_url doesn't exist on the configuration file or is empty

The base_url is missing.

Make sure it exists and has a correct value.

 

9

base_url must be an string

The base_url paramater has a type other than string.

Make sure it is a string and has a correct value.

 

10

time_delay_in_seconds doesn't exist on the configuration file or is empty

The time_delay_in_seconds is missing.

Make sure it exists and has a correct value.

 

11

time_delay_in_seconds must be an string

The time_delay_in_seconds paramater has a type other than string.

Make sure it is a string and has a correct value.

 

12

requests_timeout_in_seconds doesn't exist on the configuration file or is empty

The requests_timeout_in_seconds is missing.

Make sure it exists and has a correct value.

 

13

requests_timeout_in_seconds is not a float instance

The requests_timeout_in_seconds paramater has a type other than float.

Make sure it is a float and has a correct value.

 

14

requests_retries_before_error_in_units doesn't exist on the configuration file or is empty

The requests_retries_before_error_in_units is missing.

Make sure it exists and has a correct value.

 

15

requests_retries_before_error_in_units is not an int instance

The requests_retries_before_error_in_units paramater has a type other than int.

Make sure it is a int and has a correct value.

 

16

requests_wait_time_between_retries_in_seconds doesn't exist on the configuration file or is empty

The requests_wait_time_between_retries_in_seconds is missing.

Make sure it exists and has a correct value.

 

17

requests_wait_time_between_retries_in_seconds is not an int instance

The requests_wait_time_between_retries_in_seconds paramater has a type other than int.

Make sure it is a int and has a correct value.

 

18

Optional setting: <reset_persistence_auth> not of expected type: str

The time_delay_in_seconds paramater has a type other than string.

Make sure it is a string and has a correct value.

 

19

Optional setting: <override_time_delay_in_seconds> not of expected type: int

The time_delay_in_seconds paramater has a type other than integer.

Make sure it is an integer and has a correct value.

 

20

Optional setting: <override_time_delay_in_seconds> is out of range (1 to 90000)

The time_delay_in_seconds paramater is out of the mentioned range.

Make sure it is inside the indicated range.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Expand
titleVerify collector operations

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Code Block
INFO MainProcess::MainThread -> {"build_time": "UNKNOWN", "os_info": "macOS-12.6.1-x86_64-i386-64bit", "collector_name": "o365_emt_collector", "collector_version": "2.0.0", "collector_owner": "integrations_factory@devo.com", "started_at": "2022-12-21T13:17:14.405816Z"}
INFO MainProcess::MainThread -> (CollectorMultiprocessingQueue) standard_queue_multiprocessing -> max_size_in_messages: 10000, max_size_in_mb: 1024, max_wrap_size_in_items: 100
INFO MainProcess::MainThread -> [OUTPUT] OutputMultiprocessingController::__init__ Configuration -> {[...]}
INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=300s)
INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=300s)
INFO InputProcess::MainThread -> InputThread(office365_exchange_message,<short_unique_id>) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> ServiceThread(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Starting thread
INFO InputProcess::MainThread -> Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Code Block
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Sender: SyslogSender(standard_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Standard - Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 44 (elapsed 0.007 seconds)
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Sender: SyslogSender(internal_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Internal - Total number of messages sent: 1, messages sent since "2022-06-28 10:39:22.516313+00:00": 1 (elapsed 0.019 seconds)
Info

By default, these information traces will be displayed every 10 minutes.

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

internal_senders

In charge of delivering internal metrics to Devo such as logging traces or metrics.

standard_senders

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Info

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.

  • 21 events where sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.007 seconds to be delivered.

Info

By default these traces will be shown every 10 minutes.

...

Expand
titleEnable/disable the logging debug mode

Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.

  • To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.

  • To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.

For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.

Change log

Release

Released on

Release type

Details

Recommendations

v2.2.0

Status
colourGreen
titleIMPROVEMENT

Improvements:

  1. Upgraded DCSDK from 1.9.0 to 1.9.2

    1. Store lookup instances into DevoSender to avoid creation of new instances for the same lookup

    2. Ensure service_config is a dict into templates

    3. Upgraded some internal dependencies

  2. Updated collector definitions with new rate limits and reverted changes to older version of collector

Recommended version

v2.1.0

Status
colourRed
titleBUG FIXING
Status
colourGreen
titleIMPROVEMENT

Improvements:

  1. Upgraded DCSDK from 1.3.0 to 1.8.0

Bug fixing:

  1. Processing of special characters that the collector was not capable of doing. It has been fixed by adding the processing of non-ascii characters

Update

v2.0.0

Status
colourPurple
titleNEW FEATURE

Status
colourGreen
titleIMPROVEMENT

New features:

  1. New OAuth2 authentication method; basic authentication deprecated.

  2. New max_historic_date_cutoff_days_back and max_historic_date_margins_second parameters to customize historic pulling.

Improvements:

  1. Puller setup is now handled in its own class.

-

...