diff --git a/README.md b/README.md index 4a62a30..5ca63c2 100644 --- a/README.md +++ b/README.md @@ -57,30 +57,6 @@ See the following link for more info on the management APIs: https://msdn.micros - Output to Graylog/fluentd for full audit trails in SIEM - Etc. -## Latest changes: -- Full rust rewrite -- Deprecated 'resume' parameter. -- Added native timestamp field to logs for graylog output -- Added fluentd support (thanks @owentl) -- Added Azure Blob and Azure Table outputs -- Added SQL output for Power BI -- Changed file to CSV output -- Added PRTG output -- Added filters -- Added YAML config file -- Added a GUI for Windows -- Added executables for Windows and Linux -- Added Azure Log Analytics Workspace OMS output -- Added parameter to resume from last run time (use to not miss any logs when script hasn't run for a while) -- Added parameter for amount of hours or days to go back and look for content -- Integrated bug fixes from pull requests, thank you! - - Fix busy loop when connection problem by @furiel - - New urlencoding for client_secret by @kalimer0x00 -- Fixed bug where script exited prematurely -- Don't start graylog output unnecessarily -- Fixed file output - - ## Instructions: ### Onboarding (one time only): 
@@ -107,7 +83,34 @@ See the following link for more info on the management APIs: https://msdn.micros ### Running the collector: -You can schedule to run the executable with CRON or Task Scheduler. +#### From container (recommended) + +A prebuilt container is available. If you are on a machine with docker available, +you can run the tool through following steps: + +1. Make sure a config file is available (see "/ConfigExamples" for details). Let's say the file is at "/configs/config.yaml" +2. Run the following docker command: + - Note we create a volume (/config), binding the local config folder to the container + - We also mount a new volume (/app) that the collector can use to store known logs, so it can avoid duplicates +``` +sudo docker run -d \ + -v /configs:/configs \ + --mount source=collector-volume,target=/app \ + ghcr.io/ddbnl/office365-audit-log-collector:release \ + --tenant-id "11111111-1111-1111-1111-111111111111" \ + --client-id "11111111-1111-1111-1111-111111111111" \ + --secret-key "1111111111111111111111111111111111" \ + --config /configs/graylog.yaml + +``` +3. Now optionally create a CRON job or Task Scheduler task to run the container on a schedule + +#### From a custom container + +You can use "/Release/Dockerfile" as a starting point to create a custom container. The binary is located at +"/Release/Linux/OfficeAuditLogCollector" + +#### Direct From binary To run the command-line executable use the following syntax: OfficeAuditLogCollector(.exe) --tenant-id %tenant_id% --client-id %client_key% --secret-key %secret_key% --config %path/to/config.yaml% 
@@ -116,6 +119,8 @@ To create a config file you can start with the 'fullConfig.yaml' from the Config possible options and some explanatory comments. Cross-reference with a config example using the output(s) of your choice, and you should be set. Remember to remove (or comment out) all the outputs you do not intent to use. +You can schedule to run the executable with CRON or Task Scheduler. + ### Setting up the collector for Graylog: I wrote a full tutorial on the Graylog blog. You can find it [here](https://community.graylog.org/t/collecting-office365-azuread-audit-logs-using-office-audit-collector/23925). \ No newline at end of file diff --git a/Release/Linux/OfficeAuditLogCollector b/Release/Linux/OfficeAuditLogCollector index 20ade33..eeda4ea 100755 Binary files a/Release/Linux/OfficeAuditLogCollector and b/Release/Linux/OfficeAuditLogCollector differ diff --git a/src/config.rs b/src/config.rs index 487e5fd..f929edc 100644 --- a/src/config.rs +++ b/src/config.rs @@ -101,7 +101,7 @@ impl Config { }; if !invalidated { known_content.insert(id.trim().to_string(), creation_time.trim().to_string()); - } else {println!("SKIPPA: {}", line)} + } } } known_content diff --git a/src/interfaces/file_interface.rs b/src/interfaces/file_interface.rs index 724e5eb..24a55ad 100644 --- a/src/interfaces/file_interface.rs +++ b/src/interfaces/file_interface.rs @@ -89,7 +89,6 @@ impl FileInterface { } let columns = get_all_columns(logs); let path = self.paths.get(&content_type).unwrap(); - println!("HIER {}", path.clone()); let mut wrt = Writer::from_path(path).unwrap(); wrt.write_record(&columns).unwrap();
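Review bot: the first README hunk deletes the whole "## Latest changes" section, and with it the contributor credits (@owentl, @furiel, @kalimer0x00) and the note that the 'resume' parameter is deprecated; if the goal is to declutter the README, move the list to a CHANGELOG.md or the release notes instead of dropping it, so the deprecation stays discoverable for users still passing 'resume'.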
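Review bot: in the README hunk under "#### From container (recommended)", step 1 says the config file is at "/configs/config.yaml" but the docker command passes `--config /configs/graylog.yaml`; make the two agree so a reader copying the command does not hit a missing-file error on the first run. The same block passes `--secret-key` as a plain command-line argument, which leaves the client secret readable in shell history, in `ps` output on the host and in `docker inspect` of the container; if the collector can read the secret from the mounted YAML config or an environment variable, document that route here instead, and otherwise at least say that the literal values are placeholders to be replaced. Minor: "through following steps" should read "through the following steps", and "Direct From binary" should be "Directly from binary".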
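Review bot: the third README hunk re-adds "You can schedule to run the executable with CRON or Task Scheduler." under the config-file section, which now duplicates step 3 of the container instructions ("create a CRON job or Task Scheduler task to run the container on a schedule"); keep one of the two, or reword this one so it is clearly about the bare binary rather than the container.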
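Review bot: the diff replaces the prebuilt binary Release/Linux/OfficeAuditLogCollector in the same commit as the source changes, and a reviewer cannot verify that the checked-in binary was built from this source; prefer producing the release artefact from CI (the README already points at a ghcr.io image) and publishing a checksum alongside it, rather than committing a hand-built executable next to the code.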
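Review bot: in the src/config.rs hunk, replacing `} else {println!("SKIPPA: {}", line)}` with `}` removes the debug print but also the only trace that a known-content line was skipped as invalidated; a debug-level log line or a count reported at the end of the run would keep that visibility without the stdout noise, which matters for a log collector where silently dropped entries can later show up as duplicated or missing audit logs. Also confirm that `line` is still used elsewhere in the loop, otherwise this leaves an unused-variable warning.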
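Review bot: in the src/interfaces/file_interface.rs hunk, dropping `println!("HIER {}", path.clone())` is fine, but the surrounding context still panics through `self.paths.get(&content_type).unwrap()` and `Writer::from_path(path).unwrap()` when no path is configured for a content type or the file cannot be created; returning an error (or logging and skipping that content type) would stop one unwritable output path from taking down the whole collection run and losing the other outputs.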