
Microsoft Office 365 SharePoint logs are not parsing because msg.id is null.

Issue

The SharePoint logs are being collected according to the configuration steps in the configuration guide. However, the collected logs have parsing issues.

Cause

This issue occurs because the msg.id field (the MSGID field of the RFC 5424 syslog header) is null, as in the sample record below.
<13>1 - 5.5.5.5 msoffice365 - null [lc@36807 lc.ctime="1655801757494" lc.cid="blrsiemhyb01"] {"AppAccessContext": {"AADSessionId": "a587344f-e77b-4391-8aea-0d77a8de17ff", "CorrelationId": "fe7949a0-d0dc-4000-83f8-e4661a8263c5"}, "CreationTime": "2022-06-21T08:48:41", "Id": "b5f1a398-f0f5-41fc-4d43-08da5362d7bc", "Operation": "FileModified", "OrganizationId": "63ce7d59-2f3e-42cd-a8cc-be764cff5eb6", "RecordType": 6, "UserKey": "i:0h.f|membership|100320013bf22c2a@live.com", "UserType": 0, "Version": 1, "Workload": "SharePoint", "ClientIP": "52.108.89.15", "ObjectId": "https://dummy.sharepoint.com/sites/TIG/Shared Documents/General/Compliance/1046 Laptop Management.xlsx", "UserId": "marceli.dorcz@ad.infosys.com", "CorrelationId": "fe7949a0-d0dc-4000-83f8-e4661a8263c5", "EventSource": "SharePoint", "ItemType": "File", "ListId": "ba7e6af0-9cd0-40f8-9f9f-37fea4167149", "ListItemUniqueId": "ab3982a8-e95d-4027-834e-b5ffcf5a7afa", "Site": "93faf121-f2cb-4973-9b3c-ce0e8f41daf3", "UserAgent": "MSWAC", "WebId": "4484ad4f-145d-400e-9a33-82b8bae534df", "FileSizeBytes": 228580, "SourceFileExtension": "xlsx", "SiteUrl": "https://dummy.sharepoint.com/sites/TIG/", "SourceFileName": "1046 Laptop Management.xlsx", "SourceRelativeUrl": "Shared Documents/General/Compliance", "nw.RecordType": "SharePointFileOperation", "nw.UserType": "Regular"}

Resolution

The msg.id value comes from the Resource Group Name parameter of the office365 event source instance. Follow the steps below to configure the correct Resource Group Name parameter.
 
  • Navigate to LogCollector->Config->Event Sources->Config/Plugin.
  • Edit the SharePoint instance that was created.
  • Set Resource Group Name=Audit.SharePoint, as described in the configuration guide referenced in the Issue section.
Note: the Resource Group Name value is case-sensitive.
  • Restart the collector service using the command below so that the change takes effect.
service nwlogcollector restart
  • Verify that the latest SharePoint logs now arrive with the msg.id value populated, as below, and parse correctly.
<13>1 - 5.5.5.5 msoffice365 - audit_sharepoint [lc@36807 lc.ctime="1655801757494" lc.cid="blrsiemhyb01"] {"AppAccessContext": {"AADSessionId": "a587344f-e77b-4391-8aea-0d77a8de17ff", "CorrelationId": "fe7949a0-d0dc-4000-83f8-e4661a8263c5"}, "CreationTime": "2022-06-21T08:48:41", "Id": "b5f1a398-f0f5-41fc-4d43-08da5362d7bc", "Operation": "FileModified", "OrganizationId": "63ce7d59-2f3e-42cd-a8cc-be764cff5eb6", "RecordType": 6, "UserKey": "i:0h.f|membership|100320013bf22c2a@live.com", "UserType": 0, "Version": 1, "Workload": "SharePoint", "ClientIP": "52.108.89.15", "ObjectId": "https://dummy.sharepoint.com/sites/TIG/Shared Documents/General/Compliance/1046 Laptop Management.xlsx", "UserId": "marceli.dorcz@ad.infosys.com", "CorrelationId": "fe7949a0-d0dc-4000-83f8-e4661a8263c5", "EventSource": "SharePoint", "ItemType": "File", "ListId": "ba7e6af0-9cd0-40f8-9f9f-37fea4167149", "ListItemUniqueId": "ab3982a8-e95d-4027-834e-b5ffcf5a7afa", "Site": "93faf121-f2cb-4973-9b3c-ce0e8f41daf3", "UserAgent": "MSWAC", "WebId": "4484ad4f-145d-400e-9a33-82b8bae534df", "FileSizeBytes": 228580, "SourceFileExtension": "xlsx", "SiteUrl": "https://dummy.sharepoint.com/sites/TIG/", "SourceFileName": "1046 Laptop Management.xlsx", "SourceRelativeUrl": "Shared Documents/General/Compliance", "nw.RecordType": "SharePointFileOperation", "nw.UserType": "Regular"}
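As an added check, not part of the original article, the following Python script parses the RFC 5424 header of the collector output and flags records whose msg.id is still null, so the fix can be verified over a batch of lines rather than by eye. The sample records are constructed, shortened versions of the two records shown above; the expected msg.id value audit_sharepoint for the SharePoint workload is taken from the article, and the field names follow RFC 5424.

```python
import json
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# The SD element "[lc@36807 ...]" is what the NetWitness collector adds in the
# records shown in the article; the JSON audit record follows it.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\[.*?\]|-) (?P<msg>.*)$"
)

# Expected msg.id per Workload once Resource Group Name is set correctly.
# Only the SharePoint mapping is documented in the article; others are unknown.
EXPECTED_MSGID = {"SharePoint": "audit_sharepoint"}

SAMPLE_LINES = [
    # Constructed from the "before" record: msg.id is the literal string "null".
    '<13>1 - 5.5.5.5 msoffice365 - null [lc@36807 lc.ctime="1655801757494" '
    'lc.cid="blrsiemhyb01"] {"Workload": "SharePoint", "Operation": "FileModified", '
    '"RecordType": 6}',
    # Constructed from the "after" record: msg.id carries the resource group.
    '<13>1 - 5.5.5.5 msoffice365 - audit_sharepoint [lc@36807 lc.ctime="1655801757494" '
    'lc.cid="blrsiemhyb01"] {"Workload": "SharePoint", "Operation": "FileModified", '
    '"RecordType": 6}',
]


def check_record(line):
    """Return a dict saying whether the record's msg.id is usable for parsing."""
    m = HEADER_RE.match(line)
    if not m:
        return {"ok": False, "reason": "not RFC 5424"}
    msgid = m.group("msgid")
    try:
        body = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return {"ok": False, "reason": "payload is not JSON", "msgid": msgid}
    workload = body.get("Workload")
    if msgid in ("null", "-"):
        return {"ok": False, "reason": "msg.id is null (check Resource Group Name)",
                "workload": workload}
    expected = EXPECTED_MSGID.get(workload)
    if expected and msgid != expected:
        return {"ok": False, "reason": f"msg.id {msgid!r} != expected {expected!r}",
                "workload": workload}
    return {"ok": True, "msgid": msgid, "workload": workload,
            "operation": body.get("Operation")}


def summarize(lines):
    """Count good and bad records; run this over collector output after the restart."""
    results = [check_record(line) for line in lines]
    return {"ok": sum(r["ok"] for r in results), "bad": sum(not r["ok"] for r in results)}
```

Any "bad" count after the restart means the instance still has the wrong Resource Group Name (remember the value is case-sensitive).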

Product Details

RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness Log Collector
RSA Version/Condition: 11.x
O/S Version: CentOS 7

Summary

This document outlines the procedure for getting Office 365 SharePoint logs to parse correctly in the NetWitness Log Collector by setting the Resource Group Name so that msg.id is populated.
