Give the application a name. If needed change the Supported account types.
Click the Register button.
Expand
title
Obtain the client credentials
On the Overview page, search for your application in the list.
Under the Essentials section, copy the Application (client) ID and Directory (tenant) ID values.
On the left side menu, navigate to the Certificates & secrets page.
Click on + New client secret button.
Set a description and an expiration for the secret.
Click on the Add button.
Copy its Value field.
Expand
title
Grant the required API permissions
On the left side panel of your previously registered application, navigate to the API permissions page.
Click the + Add a permission button.
On the right side modal, navigate the APIs my organization uses tab.
Select Office 365 Exchange Online entry from the list - you can use the search bar tool to find it -.
Click the Application permissions button.
Under the ReportingWebService section, mark the ReportingWebService.Read.All permission.
Click the Add permissions button.
Click ✓ Grant admin consent for {your_domain} button and then on the Yes button on the appeared modal.
To verify that the permission was correctly added, execute the following cURL command replacing (or assigning) the $CLIENT_ID, $CLIENT_SECRET, and $TENANT_ID shell variables with the credentials you obtained in the previous instructions:
Code Block
$ curl -d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&resource=https://outlook.office365.com" -X POST https://login.windows.net/$TENANTID/oauth2/token
A JSON response will be received containing an "access_token" field. By copying its value and pasting it on the jwt.ms: Welcome! web page, the token will appear decoded. Inside, there must be a "roles" field whose value is an array containing the ReportingWebService.Read.All permission. Otherwise, the permissions have not been correctly added.
On the left-side menu, navigate to the Roles and administrators page.
In the list, search for the Global Reader and click on it to select it.
Click the + Add assignments button.
On the right-side modal, use the search bar to find the application you created. Search by either its name (make sure you write the whole name, not only parts of it) or its Client ID in case you cannot find it. Once it appears on the list, select it.
Click the Add button.
To verify that the role has been correctly assigned, execute the following cURL command replacing (or assigning) the $REPORTING_TOKEN shell variable with the token you obtained in the previous instructions:
This response will include the HTTP Response code and headers (note the -i parameter). You should expect to get an HTTP 200 OK response with an XML containing at least the <atom:title>MessageTrace</atom:title> tag. Other responses will be incorrect; here are some examples and their explanation:
401 - Unauthorized: Access is denied due to invalid credentials.: your token is either invalid or outdated. Review the previous instructions to obtain a working token.
No permission to access the report for the organization.: The role has not been properly assigned. Review these instructions to do it.
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
Info
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.
...
Setting
...
Details
...
tenant_id
...
This is the Tenant ID you copied during the Obtain the client credentials step.
...
client_id
...
This is the Application (client) ID you copied during the Obtain the client credentials step.
...
client_secret
...
This is the created secret’s Value field you copied during the Obtain the client credentials step.
Info
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.
Accepted authentication methods
...
Authentication method
...
Username
...
Password
...
Tenant ID
...
Client ID
...
Client Secret
...
Modern OAuth2 Auth
...
...
...
Status
colour
Green
title
REQUIRED
...
Status
colour
Green
title
REQUIRED
...
Status
colour
Green
title
REQUIRED
...
Basic User/Password Auth
...
Status
colour
Red
title
DEPRECATED
...
Status
colour
Red
title
DEPRECATED
...
...
...
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
...
Rw tab
title
On-premise collector
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.
Replace the placeholders with your required values following the description table below:
...
Parameter
...
Data type
...
Type
...
Value range / Format
...
Details
...
<enable_debug_logs>
...
bool
...
Mandatory
...
false / true
...
This will make the collector generate (or not) log messages with the DEBUG level.
...
<short_unique_id>
...
int
...
Mandatory
...
YMMDD
...
Use this param to give a unique id to this input service.
Note
This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.
...
<input_status>
...
bool
...
Mandatory
...
false / true
...
Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.
...
<requests_per_second_value>
...
int
...
Optional
...
Minimum value: 1
...
Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec.
Info
This parameter should be removed if it is not used.
...
<max_historic_date_cutoff_days_back_value>
...
int
...
Optional
...
Minimum value: 1
Maximum value: 1,000,000
...
When the collector is initially run, it will perform a historical pulling from the current date minus the value of this parameter. The default value is 10 (the API does not allow querying more than 10 days back).
Info
This parameter should be removed if it is not used.
...
<max_historic_date_margin_seconds_value>
...
int
...
Optional
...
Minimum value: 1
Maximum value: 86,400,000,000
...
It happens that between when this date is calculated and when it is used, the difference might be larger than 10 days, so the request will fail. To avoid it, we establish a margin that can be configured using this parameter. Its default value is 60.
Info
This parameter should be removed if it is not used.
...
<tenant_id_value>
...
str
...
Mandatory
...
Minimum length: 1
...
This is the Tenant ID you copied during the Obtain the client credentials step from the Vendor setup section.
...
<client_id_value>
...
str
...
Mandatory
...
Minimum length: 1
...
This is the Application (client) ID you copied during the Obtain the client credentials step from the Vendor setup section.
...
<client_secret_value>
...
str
...
Mandatory
...
Minimum length: 1
...
This is the created secret’s Value field you copied during the Obtain the client credentials step from the Vendor setup section.
...
<request_period_in_seconds_value>
...
int
...
Optional
...
Minimum value: 1
...
The amount (in seconds) in which the service’s collection is scheduled.
Info
This parameter should be removed if it is not used.
...
<reset_persistence_auth_value>
...
str
...
Optional
...
Date format: YYYY-MM-DD
...
This parameter allows you to clear the persistence of the collector and restart the download pipeline.
Note
Updating this value will produce the lost of all persisted data and current pipelines.
Info
This parameter should be removed if it is not used.
...
<override_delay_in_seconds_value>
...
int
...
Optional
...
Minimum value: 1 Maximum value: 172,800
Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hour delay. This parameter allows you to customize this delay.
Note
A value less than 25 hours could cause the loss of events in large infrastructures.
...
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
Info
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.
Setting
Details
tenant_id
This is the Tenant ID you copied during the Obtain the client credentials step.
client_id
This is the Application (client) ID you copied during the Obtain the client credentials step.
client_secret
This is the created secret’s Value field you copied during the Obtain the client credentials step.
Info
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.
Accepted authentication methods
Authentication method
Details
Modern OAuth2 Auth
You will need your Tenant ID, client ID, and Client Secret.
Vendor setup
There are some minimal requirements to enable this collector:
Microsoft Azure account: The account must be able to register applications and assign roles.
Microsoft Office 365 account: The account must have administrative permissions in the Office 365 organization.
There are some configurations you need to do to enable the collector.
Give the application a name. If needed change the Supported account types.
Click the Register button.
Expand
title
Obtain the client credentials
On the Overview page, search for your application in the list.
Under the Essentials section, copy the Application (client) ID and Directory (tenant) ID values.
On the left side menu, navigate to the Certificates & secrets page.
Click on + New client secret button.
Set a description and an expiration for the secret.
Click on the Add button.
Copy its Value field.
Expand
title
Credentials troubleshooting
If you get errors, please, check your subscriptions and permissions:
Code Block
# Update the client id, client secret, domain, tenant, and endpoint here
$ClientID = "<YOUR_APPLICATION_ID"
$ClientSecret = "<YOUR_CLIENT_SECRET>"
$loginURL = "https://login.microsoftonline.com/"
$tenantdomain = "<YOUR_DOMAIN>.onmicrosoft.com"
# Get the tenant GUID from Properties | Directory ID under the Azure Active Directory section. For $resource, use one of these endpoint values based on your subscription plan: Enterprise - manage.office.com; GCC - manage-gcc.office.com; GCC High: manage.office365.us; DoD: manage.protection.apps.mil
$TenantGUID = "<YOUR_TENANT_GUID>"
$resource = "https://<YOUR_API_ENDPOINT>"
# auth
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
# This will try to return the subscriptions list
Invoke-WebRequest -Headers $headerParams -Uri "$resource/api/v1.0/$tenantGUID/activity/feed/subscriptions/list"
If this fails, then create the subscripttions that fail with this command:
Code Block
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://<YOUR_API_ENDPOINT>/api/v1.0/$tenantGUID/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory"
On the left side panel of your previously registered application, navigate to the API permissions page.
Click the + Add a permission button.
On the right side modal, navigate the APIs my organization uses tab.
Select Office 365 Exchange Online entry from the list - you can use the search bar tool to find it -.
Click the Application permissions button.
Under the ReportingWebService section, mark the ReportingWebService.Read.All permission.
Click the Add permissions button.
Click ✓ Grant admin consent for {your_domain} button and then on the Yes button on the appeared modal.
To verify that the permission was correctly added, execute the following cURL command replacing (or assigning) the $CLIENT_ID, $CLIENT_SECRET, and $TENANT_ID shell variables with the credentials you obtained in the previous instructions:
Code Block
$ curl -d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&resource=https://outlook.office365.com" -X POST https://login.windows.net/$TENANTID/oauth2/token
A JSON response will be received containing an "access_token" field. By copying its value and pasting it on the jwt.ms: Welcome! web page, the token will appear decoded. Inside, there must be a "roles" field whose value is an array containing the ReportingWebService.Read.All permission. Otherwise, the permissions have not been correctly added.
On the left-side menu, navigate to the Roles and administrators page.
In the list, search for the Global Reader and click on it to select it.
Click the + Add assignments button.
On the right-side modal, use the search bar to find the application you created. Search by either its name (make sure you write the whole name, not only parts of it) or its Client ID in case you cannot find it. Once it appears on the list, select it.
Click the Add button.
To verify that the role has been correctly assigned, execute the following cURL command replacing (or assigning) the $REPORTING_TOKEN shell variable with the token you obtained in the previous instructions:
This response will include the HTTP Response code and headers (note the -i parameter). You should expect to get an HTTP 200 OK response with an XML containing at least the <atom:title>MessageTrace</atom:title> tag. Other responses will be incorrect; here are some examples and their explanation:
401 - Unauthorized: Access is denied due to invalid credentials.: your token is either invalid or outdated. Review the previous instructions to obtain a working token.
No permission to access the report for the organization.: The role has not been properly assigned. Review these instructions to do it.
Expand
title
Alternative URL Configuration for US Government Endpoints
Microsoft has an alternative set of URLs for configurations that need to perform their requests in government environments. You can get more information directly from the Microsoft documentation:
Find the configuration that suits the appropriate configuration. They usually have the same structure, but a different TLD. For example, office365.us instead of office365.com, or microsoftonline.us instead of microsoftonline.com. Once you have the correct URLs, you can set them in the configuration file and use the override parameters to set them:
override_base_resource_url
override_base_auth_url
override_base_url
Source Event Obfuscation
This collector obfuscates the following parameters:
tenant_id
client_id
client_secret
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Rw ui tabs macro
Rw tab
title
Cloud collector
We use a piece of software called Collector Server to host and manage all our available collectors.
To enable the collector for a customer:
In the Collector ServerGUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.
In the Parameters section, establish the Collector Parameters as follows below:
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.
Please replace the placeholders with real world values following the description table below:
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Replace <product_name>, <image_name> and <version> with the proper values.
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note
Replace <product_name>, <image_name> and <version> with the proper values.
Rw tab
title
Cloud collector
We use a piece of software called Collector Server to host and manage all our available collectors.
To enable the collector for a customer:
In the Collector ServerGUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.
In the Parameters section, establish the Collector Parameters as follows below:
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.
Please replace the placeholders with real world values following the description table below:
Parameter
Data type
Type
Value range / Format
Details
<enable_debug_logs>
bool
Mandatory
false / true
This will make the collector generate (or not) log messages with the DEBUG level.
<short_unique_id>
int
Mandatory
YMMDD
Use this param to give a unique id to this input service.
Note
This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.
<input_status>
bool
Mandatory
false / true
Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.
<requests_per_second_value>
int
Optional
Minimum value: 1
Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec.
Info
This parameter should be removed if it is not used.
<max_historic_date_cutoff_days_back_value>
int
Optional
Minimum value: 1
Maximum value: 1,000,000
When the collector is initially run, it will perform a historical pulling from the current date minus the value of this parameter. The default value is 10 (the API does not allow querying more than 10 days back).
Info
This parameter should be removed if it is not used.
<max_historic_date_margin_seconds_value>
int
Optional
Minimum value: 1
Maximum value: 86,400,000,000
It happens that between when this date is calculated and when it is used, the difference might be larger than 10 days, so the request will fail. To avoid it, we establish a margin that can be configured using this parameter. Its default value is 60.
Info
This parameter should be removed if it is not used.
<tenant_id_value>
str
Mandatory
Minimum length: 1
This is the Tenant ID you copied during the Obtain the client credentials step from the Vendor setup section.
<client_id_value>
str
Mandatory
Minimum length: 1
This is the Application (client) ID you copied during the Obtain the client credentials step from the Vendor setup section.
<client_secret_value>
str
Mandatory
Minimum length: 1
This is the created secret’s Value field you copied during the Obtain the client credentials step from the Vendor setup section.
<request_period_in_seconds_value>
int
Optional
Minimum value: 1
The amount (in seconds) in which the service’s collection is scheduled.
Info
This parameter should be removed if it is not used.
<reset_persistence_auth_value>
str
Optional
Date format: YYYY-MM-DD
This parameter allows you to clear the persistence of the collector and restart the download pipeline.
Note
Updating this value will produce the lost of all persisted data and current pipelines.
Info
This parameter should be removed if it is not used.
<override_delay_in_seconds_value>
int
Optional
Minimum value: 1 Maximum value: 172,800
Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hour delay. This parameter allows you to customize this delay.
Note
A value less than 25 hours could cause the loss of events in large infrastructures.
Info
This parameter should be removed if it is not used
Parameter
Data Type
Requirement
Value Range / Format
Description
enable_debug_logs
bool
Mandatory
false/true
This will make the collector generate (or not) log messages with the DEBUG level.
short_unique_id
int
Mandatory
Min length: 1
Short, unique ID for input service, used in persistence addressing. Avoid duplicates to prevent collisions.
input_status
bool
Mandatory
false/true
Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.
max_historic_date_cutoff_days_back_value
int
Optional
Minimum value: 1, Maximum value: 1,000,000
When the collector is initially run, it will perform a historical pulling from the current date minus the value of this parameter. The default value is 10 (the API does not allow querying more than 10 days back). This parameter should be removed if it is not used.
max_historic_date_margin_seconds_value
int
Optional
Minimum value: 1, Maximum value: 86,400,000,000
It happens that between when this date is calculated and when it is used, the difference might be larger than 10 days, so the request will fail. To avoid it, we establish a margin that can be configured using this parameter. Its default value is 60. This parameter should be removed if it is not used.
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Use the following command to add the Docker image to the system:
tenant_id_value
str
Mandatory
Minimum length: 1
This is the Tenant ID you copied during the Obtain the client credentials step from the Vendor setup section.
client_id_value
str
Mandatory
Minimum length: 1
This is the Application (client) ID you copied during the Obtain the client credentials step from the Vendor setup section.
client_secret_value
str
Mandatory
Minimum length: 1
This is the created secret's Value field you copied during the Obtain the client credentials step from the Vendor setup section.
requests_timeout_in_seconds_value
float
Optional
Minimum value: 1
The amount (in seconds) in which the service's collection is scheduled. This parameter should be removed if it is not used.
reset_persistence_auth_value
str
Optional
Date format: YYYY-MM-DD
This parameter allows you to clear the persistence of the collector and restart the download pipeline. Updating this value will produce the lost of all persisted data and current pipelines.This parameter should be removed if it is not used.
override_delay_in_seconds_value
int
Optional
Minimum value: 1, Maximum value: 172,800
Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hour delay. This parameter allows you to customize this delay. A value less than 25 hours could cause the loss of events in large infrastructures.This parameter should be removed if it is not used.
override_base_resource_url_value
str
Optional
Valid URL (including https)
This parameter allows overriding the base resource URL that is included in the payload when getting the token from Microsoft.
override_base_auth_url_value
str
Optional
Valid URL (including https)
This parameter allows overriding the base authorization URL that is used to get a token.
override_base_url_value
str
Optional
Valid URL (including https)
This parameter allows overriding the base URL that is used to get the data.
Rw tab
title
On-premise collector
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.
Replace the placeholders with your required values following the description table below:
Parameter
Data Type
Requirement
Value Range / Format
Description
enable_debug_logs
bool
Mandatory
false/true
This will make the collector generate (or not) log messages with the DEBUG level.
short_unique_id
int
Mandatory
Min length: 1
Short, unique ID for input service, used in persistence addressing. Avoid duplicates to prevent collisions.
input_status
bool
Mandatory
false/true
Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.
max_historic_date_cutoff_days_back_value
int
Optional
Minimum value: 1, Maximum value: 1,000,000
When the collector is initially run, it will perform a historical pulling from the current date minus the value of this parameter. The default value is 10 (the API does not allow querying more than 10 days back). This parameter should be removed if it is not used.
max_historic_date_margin_seconds_value
int
Optional
Minimum value: 1, Maximum value: 86,400,000,000
It happens that between when this date is calculated and when it is used, the difference might be larger than 10 days, so the request will fail. To avoid it, we establish a margin that can be configured using this parameter. Its default value is 60. This parameter should be removed if it is not used.
tenant_id_value
str
Mandatory
Minimum length: 1
This is the Tenant ID you copied during the Obtain the client credentials step from the Vendor setup section.
client_id_value
str
Mandatory
Minimum length: 1
This is the Application (client) ID you copied during the Obtain the client credentials step from the Vendor setup section.
client_secret_value
str
Mandatory
Minimum length: 1
This is the created secret's Value field you copied during the Obtain the client credentials step from the Vendor setup section.
requests_timeout_in_seconds_value
float
Optional
Minimum value: 1
The amount (in seconds) in which the service's collection is scheduled. This parameter should be removed if it is not used.
reset_persistence_auth_value
str
Optional
Date format: YYYY-MM-DD
This parameter allows you to clear the persistence of the collector and restart the download pipeline. Updating this value will produce the lost of all persisted data and current pipelines.This parameter should be removed if it is not used.
override_delay_in_seconds_value
int
Optional
Minimum value: 1, Maximum value: 172,800
Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hour delay. This parameter allows you to customize this delay. A value less than 25 hours could cause the loss of events in large infrastructures.This parameter should be removed if it is not used.
override_base_resource_url_value
str
Optional
Valid URL (including https)
This parameter allows overriding the base resource URL that is included in the payload when getting the token from Microsoft.
override_base_auth_url_value
str
Optional
Valid URL (including https)
This parameter allows overriding the base authorization URL that is used to get a token.
override_base_url_value
str
Optional
Valid URL (including https)
This parameter allows overriding the base URL that is used to get the data.
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Replace <product_name>, <image_name> and <version> with the proper values.
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note
Replace <product_name>, <image_name> and <version> with the proper values.
Collector services detail
...
Expand
title
Troubleshooting
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
Expand
title
Verify collector operations
Initialization
The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.
A successful run has the following output messages for the initializer module:
Code Block
INFO MainProcess::MainThread -> {"build_time": "UNKNOWN", "os_info": "macOS-12.6.1-x86_64-i386-64bit", "collector_name": "o365_emt_collector", "collector_version": "2.0.0", "collector_owner": "integrations_factory@devo.com", "started_at": "2022-12-21T13:17:14.405816Z"}
INFO MainProcess::MainThread -> (CollectorMultiprocessingQueue) standard_queue_multiprocessing -> max_size_in_messages: 10000, max_size_in_mb: 1024, max_wrap_size_in_items: 100
INFO MainProcess::MainThread -> [OUTPUT] OutputMultiprocessingController::__init__ Configuration -> {[...]}
INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=300s)
INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=300s)
INFO InputProcess::MainThread -> InputThread(office365_exchange_message,<short_unique_id>) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> ServiceThread(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Starting thread
INFO InputProcess::MainThread -> Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread
Events delivery and Devo ingestion
The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.
A successful run has the following output messages for the initializer module:
Code Block
INFO OutputProcess::SyslogSenderManagerMonitor(standard
Error type
Error ID
Error message
Cause
Solution
SetupError
100
Authentication failed: [...]
When asking for a token, we received an Unauthorized (401) HTTP response code.
The error details will be provided in the error message, but make sure you registered App has the right API permissions and the corect role assigned.
101
Unexpected status code when fetching Office365ExchangeMessageTrace JWT: [...]
When asking for a token, we received an unsuccesful response.
The error details will be provided in the error message.
102
Error occurred while accessing the access_token: [...]
An unexpected error occurred.
The error details will be provided in the error message.
InitVariablesError
...]
An unexpected error occurred.
The error details will be provided in the error message.
InitVariablesError
0
module_properties section does not exist on the configuration file or is empty. Contact Devo.
This is an internal error.
Reach Devo Support.
0
credentials section does not exist on the configuration file or is empty
The credentials section is missing from the config
Make sure it exists.
1
module_properties section is not a valid <dict> object. Contact Devo.
This is an internal error.
Reach Devo Support.
1
credentials section is not a valid <dict> objectThe credentials section does not have any settings
The credentials section does not have any settings.
Make sure it has the required properties.
2
base_auth_url doesn't exist on the configuration file or is empty
The base_auth_url is missing.
Make sure it exists and has a correct value.
2
base_resource_url doesn't exist on the configuration file or is empty
The base_resource_url is missing.
Make sure it has the required propertiesexists and has a correct value.
2
basetenant_auth_url id doesn't exist on the configuration file or is empty
The tenant_id is missing.
Make sure it exists and has a correct value.
3
base_auth_url must be an string
The base_auth_url is missing_url paramater has a type other than string.
Make sure it is a string and has a correct value.
3
base_resource_url must be an string
The base_resource_url paramater has a type other than string.
Make sure it exists is a string and has a correct value.
3
2
base_resource_url doesn't exist on the configuration file or is empty
The base_resource_url is missingtenant_id must be an string
The tenant_id paramater has a type other than string.
Make sure it exists is a string and has a correct value.
4
2
tenantclient_id doesn't exist on the configuration file or is empty
The tenantclient_id is missing.
Make sure it exists and has a correct value.
4
3
base_auth_url must be an string
The base_auth_url paramater has a type other than stringclient_secret doesn't exist on the configuration file or is empty
The client_secret is missing.
Make sure it is a string exists and has a correct value.
5
3
base_resource_url client_id must be an string
The baseclient_resource_urlidparamater has a type other than string.
Make sure it is a string and has a correct value.
5
3
tenantclient_id secret must be an string
The tenantclient_idsecretparamater has a type other than string.
Make sure it is a string and has a correct value.
6
4
clientbase_id tag doesn't exist on the configuration file or is empty
The clientbase_idtagis missing.
Make sure it exists and has a correct value.
7
4
client_secret doesn't exist on the configuration file or is empty
The client_secret is missingbase_tag must be an string
The base_tag paramater has a type other than string.
Make sure it exists is a string and has a correct value.
8
5
client_id must be an string
The client_id paramater has a type other than stringbase_url doesn't exist on the configuration file or is empty
The base_url is missing.
Make sure it is a string exists and has a correct value.
9
5
clientbase_secret url must be an string
The clientbase_secreturlparamater has a type other than string.
Make sure it is a string and has a correct value.
6
base_tag 10
time_delay_in_seconds doesn't exist on the configuration file or is empty
The base_tagtime_delay_in_secondsis missing.
Make sure it exists and has a correct value.
7
base_tag 11
time_delay_in_seconds must be an string
The base_tagtime_delay_in_secondsparamater has a type other than string.
Make sure it is a string and has a correct value.
8
base_url 12
requests_timeout_in_seconds doesn't exist on the configuration file or is empty
The base_urlrequests_timeout_in_secondsis missing.
Make sure it exists and has a correct value.
9
base_url must be an string
The base_url13
requests_timeout_in_seconds is not a float instance
The requests_timeout_in_secondsparamater has a type other than stringfloat.
Make sure it is a string float and has a correct value.
10
time_delay14
requests_retries_before_error_in_seconds units doesn't exist on the configuration file or is empty
The time_delayrequests_retries_before_error_in_secondsunitsis missing.
Make sure it exists and has a correct value.
11
time_delay15
requests_retries_before_error_in_seconds must be an stringThe time_delayunits is not an int instance
The requests_retries_before_error_in_secondsunitsparamater has a type other than stringint.
Make sure it is a string int and has a correct value.
1216
requests_timeout_wait_time_between_retries_in_seconds doesn't exist on the configuration file or is empty
The requests_timeoutwait_time_between_retries_in_seconds is missing.
Make sure it exists and has a correct value.
1317
requests_timeoutwait_time_between_retries_in_seconds is not a float an int instance
The requests_timeout_wait_time_between_retries_in_seconds paramater has a type other than floatint.
Make sure it is a float int and has a correct value.
14
requests_retries_before_error_in_units doesn't exist on the configuration file or is empty
The requests_retries_before_error_in_units is missing18
Optional setting: <reset_persistence_auth> not of expected type: str
The time_delay_in_seconds paramater has a type other than string.
Make sure it exists is a string and has a correct value.
15
requests_retries_before_error_in_units is not an int instance
The requests_retries_before_error_in_units19
Optional setting: <override_time_delay_in_seconds> not of expected type: int
The time_delay_in_secondsparamater has a type other than intinteger.
Make sure it is a int an integer and has a correct value.
16
requests_wait_time_between_retries_in_seconds doesn't exist on the configuration file or is empty
The requests_wait_time_between_retries_in_seconds is missing.
Make sure it exists and has a correct value.
17
requests_wait_time_between_retries_in_seconds is not an int instance
The requests_wait_time_between_retries_in_seconds paramater has a type other than int.
Make sure it is a int and has a correct value.
18
Optional setting: <reset_persistence_auth> not of expected type: str
The time_delay_in_seconds paramater has a type other than string.
Make sure it is a string and has a correct value.
19
Optional setting: <override_time_delay_in_seconds> not of expected type: int
The time_delay_in_seconds paramater has a type other than integer.
Make sure it is an integer and has a correct value.
20
Optional setting: <override_time_delay_in_seconds> is out of range (1 to 90000)
The time_delay_in_seconds paramater is out of the mentioned range.
Make sure it is inside the indicated range.
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
20
Optional setting: <override_time_delay_in_seconds> is out of range (1 to 90000)
The time_delay_in_seconds paramater is out of the mentioned range.
Make sure it is inside the indicated range.
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
...
Expand
title
Verify collector operations
Initialization
The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.
A successful run has the following output messages for the initializer module:
Code Block
INFO MainProcess::MainThread -> {"build_time": "UNKNOWN", "os_info": "macOS-12.6.1-x86_64-i386-64bit", "collector_name": "o365_emt_collector", "collector_version": "2.0.0", "collector_owner": "integrations_factory@devo.com", "started_at": "2022-12-21T13:17:14.405816Z"}
INFO MainProcess::MainThread -> (CollectorMultiprocessingQueue) standard_queue_multiprocessing -> max_size_in_messages: 10000, max_size_in_mb: 1024, max_wrap_size_in_items: 100
INFO MainProcess::MainThread -> [OUTPUT] OutputMultiprocessingController::__init__ Configuration -> {[...]}
INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=300s)
INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=300s)
INFO InputProcess::MainThread -> InputThread(office365_exchange_message,<short_unique_id>) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> ServiceThread(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> Office365ExchangeMessageTracePullerSetup(unknown,office365_exchange_message#<short_unique_id>,office365_exchange_message_service#predefined) -> Starting thread
INFO InputProcess::MainThread -> Office365ExchangeMessageTracePuller(office365_exchange_message,<short_unique_id>,office365_exchange_message_service,predefined) - Starting thread
Events delivery and Devo ingestion
The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.
A successful run has the following output messages for the initializer module:
Code Block
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Sender: SyslogSender(standard_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Standard - Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 44 (elapsed 0.007 seconds)
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(standardinternal_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(standardinternal_senders,sidecar_0) -> Sender: SyslogSender(standardinternal_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(standardinternal_senders,sidecar_0) -> StandardInternal - Total number of messages sent: 441, messages sent since "2022-06-28 10:39:22.511671516313+00:00:00": 44 (elapsed 0.007 seconds)
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Sender: SyslogSender(internal_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Internal - Total number of messages sent: 1, messages sent since "2022-06-28 10:39:22.516313+00:00": 1 (elapsed 0.019 seconds)
Info
By default, these information traces will be displayed every 10 minutes.
Sender services
The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:
Sender services
Description
internal_senders
In charge of delivering internal metrics to Devo such as logging traces or metrics.
standard_senders
In charge of delivering pulled events to Devo.
Sender statistics
Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:
Logging trace
Description
Number of available senders: 1
Displays the number of concurrent senders available for the given Sender Service.
sender manager internal queue size: 0
Displays the items available in the internal sender queue.
Info
This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.
Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)
Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:
44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.
21 events where sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.
Info
By default these traces will be shown every 10 minutes.
Expand
title
Check memory usage
To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.
The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory
RSS is the Resident Set Size, which is the actual physical memory the process is using
VMS is the Virtual Memory Size which is the virtual memory that process is using
Expand
title
Enable/disable the logging debug mode
Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.
To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.
To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.
For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.
Change log
...
Release
...
Released on
...
Release type
...
Details
": 1 (elapsed 0.019 seconds)```
Info
By default, these information traces will be displayed every 10 minutes.
Sender services
The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:
Sender services
Description
internal_senders
In charge of delivering internal metrics to Devo such as logging traces or metrics.
standard_senders
In charge of delivering pulled events to Devo.
Sender statistics
Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:
Logging trace
Description
Number of available senders: 1
Displays the number of concurrent senders available for the given Sender Service.
sender manager internal queue size: 0
Displays the items available in the internal sender queue.
Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds
Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:
57 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
0 events were sent to Devo between the last UTC checkpoint and now.
Those 0 events required 0.00 seconds to be delivered.
Expand
title
Check memory usage
To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.
The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory
RSS is the Resident Set Size, which is the actual physical memory the process is using
VMS is the Virtual Memory Size which is the virtual memory that process is using
Expand
title
Enable/disable the logging debug mode
Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.
To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.
To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.
For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.
Change log
Release
Released on
Release type
Recommendations
v2.3.2
Status
colour
Blue
title
IMPROVEMENT
Status
colour
Yellow
title
BUG FIXING
Expand
title
Details
Improvements - Updated DC SDK from v1.12.4 to v1.13.1:
Bug Fixing - Fix parameters for credential requests
v2.3.1
Status
colour
Blue
title
IMPROVEMENT
Expand
title
Details
Improvements - Add override for the default URL connection parameters override_base_resource_url,override_base_auth_url and override_base_url
v2.3.0
Status
colour
Blue
title
IMPROVEMENT
Status
colour
Yellow
title
BUG FIXING
Expand
title
Details
Improvements
Upgraded DCSDK from 1.9.2 to 1.12.4
Bug Fixing
Implemented pull_pause method to fix issues with collector restart.
v2.2.0
Status
colour
GreenBlue
title
IMPROVEMENT
Recommended version
Expand
title
Details
Improvements:
Upgraded DCSDK from 1.9.0 to 1.9.2
Store lookup instances into DevoSender to avoid creation of new instances for the same lookup
Ensure service_config is a dict into templates
Upgraded some internal dependencies
Updated collector definitions with new rate limits and reverted changes to older version of collector
Recommended version
v2.1.0
Status
colour
RedBlue
title
BUG FIXINGIMPROVEMENT
Status
colour
GreenYellow
title
BUG FIXING
Update
Expand
title
IMPROVEMENT
Details
Improvements:
Upgraded DCSDK from 1.3.0 to 1.8.0
Bug fixing:
Processing of special characters that the collector was not capable of doing. It has been fixed by adding the processing of non-ascii characters
Update
v2.0.0
Status
colour
Purple
title
NEW FEATURE
Status
colour
GreenBlue
title
IMPROVEMENT
-
Expand
title
Details
New features:
New OAuth2 authentication method; basic authentication deprecated.
New max_historic_date_cutoff_days_back and max_historic_date_margins_second parameters to customize historic pulling.
