This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Knowledge Base
- Microsoft Office 365 sharepoint logs are not parsing due to msg.id is null.
-
Options
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Microsoft Office 365 sharepoint logs are not parsing due to msg.id is null.
Article Number
000002092
Applies To
RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness Log Collector
RSA Version/Condition: 11.x
O/S Version: CentOS 7
RSA Product/Service Type: NetWitness Log Collector
RSA Version/Condition: 11.x
O/S Version: CentOS 7
Issue
The SharePoint logs are being collected with Configuration steps. However, the logs have parsing issues.
Cause
This issue is due to msg.id is null as below.
<13>1 - 5.5.5.5 msoffice365 - null [lc@36807 lc.ctime="1655801757494" lc.cid="blrsiemhyb01"] {"AppAccessContext": {"AADSessionId": "a587344f-e77b-4391-8aea-0d77a8de17ff", "CorrelationId": "fe7949a0-d0dc-4000-83f8-e4661a8263c5"}, "CreationTime": "2022-06-21T08:48:41", "Id": "b5f1a398-f0f5-41fc-4d43-08da5362d7bc", "Operation": "FileModified", "OrganizationId": "63ce7d59-2f3e-42cd-a8cc-be764cff5eb6", "RecordType": 6, "UserKey": "i:0h.f|membership|100320013bf22c2a@live.com", "UserType": 0, "Version": 1, "Workload": "SharePoint", "ClientIP": "52.108.89.15", "ObjectId": "https://dummy.sharepoint.com/sites/TIG/Shared Documents/General/Compliance/1046 Laptop Management.xlsx", "UserId": "marceli.dorcz@ad.infosys.com", "CorrelationId": "fe7949a0-d0dc-4000-83f8-e4661a8263c5", "EventSource": "SharePoint", "ItemType": "File", "ListId": "ba7e6af0-9cd0-40f8-9f9f-37fea4167149", "ListItemUniqueId": "ab3982a8-e95d-4027-834e-b5ffcf5a7afa", "Site": "93faf121-f2cb-4973-9b3c-ce0e8f41daf3", "UserAgent": "MSWAC", "WebId": "4484ad4f-145d-400e-9a33-82b8bae534df", "FileSizeBytes": 228580, "SourceFileExtension": "xlsx", "SiteUrl": "https://dummy.sharepoint.com/sites/TIG/", "SourceFileName": "1046 Laptop Management.xlsx", "SourceRelativeUrl": "Shared Documents/General/Compliance", "nw.RecordType": "SharePointFileOperation", "nw.UserType": "Regular"}Resolution
The msg.id value comes from the Resource Group Name parameter of the office365 instance. Please follow the below steps to configure the correct Resource Group Name parameter.
- Navigate to LogCollector->Config->Event Sources->Config/Plugin.
- Edit SharePoint instance created.
- Mention Resource Group Name=Audit.SharePoint as mentioned in the configuration guide in the issue section.
Note: the Resource Group Name value is case-sensitive.
- Then restart the collector service using the below command to get the changes reflected.
service nwlogcollector restart
- Then verify the latest sharepoint logs coming with msg.id value as below with good parsing.
<13>1 - 5.5.5.5 msoffice365 - audit_sharepoint [lc@36807 lc.ctime="1655801757494" lc.cid="blrsiemhyb01"] {"AppAccessContext": {"AADSessionId": "a587344f-e77b-4391-8aea-0d77a8de17ff", "CorrelationId": "fe7949a0-d0dc-4000-83f8-e4661a8263c5"}, "CreationTime": "2022-06-21T08:48:41", "Id": "b5f1a398-f0f5-41fc-4d43-08da5362d7bc", "Operation": "FileModified", "OrganizationId": "63ce7d59-2f3e-42cd-a8cc-be764cff5eb6", "RecordType": 6, "UserKey": "i:0h.f|membership|100320013bf22c2a@live.com", "UserType": 0, "Version": 1, "Workload": "SharePoint", "ClientIP": "52.108.89.15", "ObjectId": "https://dummy.sharepoint.com/sites/TIG/Shared Documents/General/Compliance/1046 Laptop Management.xlsx", "UserId": "marceli.dorcz@ad.infosys.com", "CorrelationId": "fe7949a0-d0dc-4000-83f8-e4661a8263c5", "EventSource": "SharePoint", "ItemType": "File", "ListId": "ba7e6af0-9cd0-40f8-9f9f-37fea4167149", "ListItemUniqueId": "ab3982a8-e95d-4027-834e-b5ffcf5a7afa", "Site": "93faf121-f2cb-4973-9b3c-ce0e8f41daf3", "UserAgent": "MSWAC", "WebId": "4484ad4f-145d-400e-9a33-82b8bae534df", "FileSizeBytes": 228580, "SourceFileExtension": "xlsx", "SiteUrl": "https://dummy.sharepoint.com/sites/TIG/", "SourceFileName": "1046 Laptop Management.xlsx", "SourceRelativeUrl": "Shared Documents/General/Compliance", "nw.RecordType": "SharePointFileOperation", "nw.UserType": "Regular"}Tags (42)
- 11.x
- Appliance
- Bad Config
- Bad Configuration
- Break Fix
- Break Fix Issue
- Broken
- Config
- Configuration
- Configuration Help
- Configuration Issue
- Configuration Problem
- Configured Incorrectly
- Configuring Issue
- Configuring Problem
- Core Appliance
- Customer Support Article
- Incorrect Configuration
- Issue
- Issue Configuring
- Issues
- KB Article
- Knowledge Article
- Knowledge Base
- Log Collection
- Log Collector
- Misconfiguration
- Misconfigured
- NetWitness
- NetWitness Appliance
- NetWitness Platform
- NW
- NW Appliance
- NwLogCollector
- Problem
- RSA NetWitness
- RSA NetWitness Platform
- RSA Security Analytics
- Security Analytics
- Setup Issue
- SIEM
- Version 11.x
No ratings
