@@ -57,30 +57,6 @@ See the following link for more info on the management APIs: https://msdn.micros
5757- Output to Graylog/fluentd for full audit trails in SIEM
5858- Etc.
5959
60- ## Latest changes:
61- - Full rust rewrite
62- - Deprecated 'resume' parameter.
63- - Added native timestamp field to logs for graylog output
64- - Added fluentd support (thanks @owentl )
65- - Added Azure Blob and Azure Table outputs
66- - Added SQL output for Power BI
67- - Changed file to CSV output
68- - Added PRTG output
69- - Added filters
70- - Added YAML config file
71- - Added a GUI for Windows
72- - Added executables for Windows and Linux
73- - Added Azure Log Analytics Workspace OMS output
74- - Added parameter to resume from last run time (use to not miss any logs when script hasn't run for a while)
75- - Added parameter for amount of hours or days to go back and look for content
76- - Integrated bug fixes from pull requests, thank you!
77- - Fix busy loop when connection problem by @furiel
78- - New urlencoding for client_secret by @kalimer0x00
79- - Fixed bug where script exited prematurely
80- - Don't start graylog output unnecessarily
81- - Fixed file output
82-
83-
8460## Instructions:
8561
8662### Onboarding (one time only):
@@ -107,7 +83,34 @@ See the following link for more info on the management APIs: https://msdn.micros
10783
10884### Running the collector:
10985
110- You can schedule to run the executable with CRON or Task Scheduler.
86+ #### From container (recommended)
87+
88+ A prebuilt container is available. If you are on a machine with docker available,
89+ you can run the tool through following steps:
90+
91+ 1 . Make sure a config file is available (see "/ConfigExamples" for details). Let's say the file is at "/configs/config.yaml"
92+ 2 . Run the following docker command:
93+ - Note we create a volume (/config), binding the local config folder to the container
94+ - We also mount a new volume (/app) that the collector can use to store known logs, so it can avoid duplicates
95+ ```
96+ sudo docker run -d \
97+ -v /configs:/configs \
98+ --mount source=collector-volume,target=/app \
99+ ghcr.io/ddbnl/office365-audit-log-collector:release \
100+ --tenant-id "11111111-1111-1111-1111-111111111111" \
101+ --client-id "11111111-1111-1111-1111-111111111111" \
102+ --secret-key "1111111111111111111111111111111111" \
103+ --config /configs/graylog.yaml
104+
105+ ```
106+ 3 . Now optionally create a CRON job or Task Scheduler task to run the container on a schedule
107+
108+ #### From a custom container
109+
110+ You can use "/Release/Dockerfile" as a starting point to create a custom container. The binary is located at
111+ "/Release/Linux/OfficeAuditLogCollector"
112+
113+ #### Direct From binary
111114To run the command-line executable use the following syntax:
112115
113116OfficeAuditLogCollector(.exe) --tenant-id %tenant_id% --client-id %client_key% --secret-key %secret_key% --config %path/to/config.yaml%
@@ -116,6 +119,8 @@ To create a config file you can start with the 'fullConfig.yaml' from the Config
116119possible options and some explanatory comments. Cross-reference with a config example using the output(s) of your choice, and you
117120should be set. Remember to remove (or comment out) all the outputs you do not intent to use.
118121
122+ You can schedule to run the executable with CRON or Task Scheduler.
123+
119124### Setting up the collector for Graylog:
120125I wrote a full tutorial on the Graylog blog. You can find it
121126[ here] ( https://community.graylog.org/t/collecting-office365-azuread-audit-logs-using-office-audit-collector/23925 ) .
0 commit comments