

Frequently Asked Questions (FAQ)


1. Why can't I see events from Exchange (or some other source)?


Confirm all the content types are listed under the content_types key in o365beat.yml, like so:

  - Audit.AzureActiveDirectory
  - Audit.Exchange
  - Audit.SharePoint
  - Audit.General

Confirm audit log search is enabled for your tenancy.

Many Exchange events require mailbox auditing to be enabled. Confirm mailbox auditing is enabled.

Some audit events take time to create. If this is a test tenancy, or if you just enabled new audit subscriptions, it can take up to 12 hours for all the data to start showing up in the results.

Check the logs created by o365beat for any errors. You can do this by running it at the command line with all debugging enabled:

  ./o365beat --path.config . -c o365beat.yml -e -d "*"


2. Why can't I see the ECS fields like client.ip in my events?

Due to a quirk in the libbeat build system, the default config file contains an additional processors section that gets merged into the o365beat.yml and shadows the custom processors used by this beat. To avoid problems, you must either manually remove the second processors section (the one that contains add_host_metadata and add_cloud_metadata, neither of which is particularly useful) or merge the two sections. Please see this issue for more information; we're working on a durable fix.


3. I'm seeing non-200 errors in my debugging output for some API calls, am I getting all events?

Please update to release v1.4.3 or later. There were a few cases where the PublisherIdentifier was not appended to requests, which could cause API throttling in certain cases; this has now been fixed.


4. I don't see my problem listed here, what gives?

Please review this full README and the issues list, and submit a new issue if you can't find a solution. And you can always contact us for assistance. Thanks!
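
A quick check for questions 1 and 2 above, as an added example that is not part of o365beat or the original FAQ: it scans a config for the four content types and for repeated top-level processors sections, which a YAML loader would otherwise collapse silently. The function name audit_config and the sample config are constructed for illustration.

```python
import re

# Content types the FAQ says must appear under content_types.
EXPECTED_TYPES = ["Audit.AzureActiveDirectory", "Audit.Exchange",
                  "Audit.SharePoint", "Audit.General"]

# Constructed sample config (not the project's shipped file); the first
# processors section is an assumed stand-in for the beat's custom processors.
SAMPLE = """\
o365beat:
  content_types:
    - Audit.AzureActiveDirectory
    - Audit.SharePoint
    - Audit.General

processors:
  - convert:
      fields:
        - {from: ClientIP, to: client.ip}

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
"""

def audit_config(text):
    """Return (missing content types, [(line, [processor names]), ...])."""
    found, sections, mode, item_indent = set(), [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comment lines
        indent = len(line) - len(line.lstrip())
        item = re.match(r"-\s*([\w.]+)", line.lstrip())
        if mode and item:
            if item_indent is None:
                item_indent = indent  # depth of the list being collected
            if indent == item_indent:  # ignore lists nested inside an entry
                (found.add if mode == "types" else sections[-1][1].append)(item.group(1))
            continue
        if mode == "types" or indent == 0:
            mode = None  # the list being collected has ended
        if line.strip() == "content_types:":
            mode, item_indent = "types", None
        elif indent == 0 and line.startswith("processors:"):
            mode, item_indent = "procs", None
            sections.append((lineno, []))
    return [t for t in EXPECTED_TYPES if t not in found], sections

if __name__ == "__main__":
    missing, sections = audit_config(SAMPLE)  # or open("o365beat.yml").read()
    print("missing content types:", missing or "none")
    for lineno, names in sections:
        print(f"processors section at line {lineno}: {names}")
```

More than one reported processors section means the config still has the duplicate described in question 2.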