Troubleshooting
Problem
Microsoft® Office365® log source fails to start collecting events to QRadar® because a valid token can't be acquired.
Symptom
An Office365 log source has been created but event collection never starts.
Cause
This issue is usually caused by QRadar not having an NTP server configured for time synchronization, so there might be a time discrepancy between the Office365 server and QRadar.
Diagnosing The Problem
Enable debug logging for the classpath com.q1labs.semsources.sources.utils.microsoft.accessToken:
/opt/qradar/support/mod_log4j.pl -who yourName -al com.q1labs.semsources.sources.utils.microsoft.accessToken -duration 30min
With this command, debug logging is automatically disabled after 30 minutes.
The debug log output is in /var/log/qradar.java.debug.
Example output:
Jul 4 14:41:26 ::ffff:XXX.XXX.XXX.XXX [ecs-ec] [SHAREPOINT3407] com.q1labs.semsources.sources.utils.microsoft.accessToken.AccessToken: [DEBUG] Obtained a new access token. Not valid before [1562269452]. Expires on [1562273052]. CurrentTime [1562269286]
In this case "Current time" is before "Not valid before" time.
Convert the epoch time to human readable format, for example using this tool: https://www.epochconverter.com/
From the output above:
Not valid before: 1562269452 = 4 July 2019 19:44:12 (GMT)
Current time: 1562269286 = 4 July 2019 19:41:26 (GMT)
So, in this case the Current time is earlier than the Not valid before time, which means the time of the managed host is behind by 3 minutes. This time gap is causing the token retrieval to fail.
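The same comparison can be made on the console without a web converter. The following is an added example, not IBM code: a POSIX shell function that reads AccessToken debug lines and reports how far CurrentTime is from the token's validity window. The function name token_skew, the output columns and the verdict labels are assumptions, the sample lines are constructed from the example output above, and the CLOCK_AHEAD case goes beyond the scenario this page describes.

```shell
#!/bin/sh
# Added example (not IBM code): report clock skew from AccessToken debug lines.
# Output per matching line: <not_before> <expires> <current> <skew_seconds> <verdict>
# skew = not_before - current; a positive value means the local clock is behind the issuer.
token_skew() {
    sed -n 's/.*Not valid before \[\([0-9][0-9]*\)]\. Expires on \[\([0-9][0-9]*\)]\. CurrentTime \[\([0-9][0-9]*\)].*/\1 \2 \3/p' |
    while read -r nbf exp now; do
        skew=$((nbf - now))
        if [ "$now" -lt "$nbf" ]; then
            verdict=CLOCK_BEHIND      # token not yet valid locally (the case on this page)
        elif [ "$now" -ge "$exp" ]; then
            verdict=CLOCK_AHEAD       # token already expired locally
        else
            verdict=OK                # current time is inside the validity window
        fi
        echo "$nbf $exp $now $skew $verdict"
    done
}

# Constructed sample: the example line from this page, plus one in-window line.
SAMPLE_LOG='Jul 4 14:41:26 ::ffff:XXX.XXX.XXX.XXX [ecs-ec] [SHAREPOINT3407] com.q1labs.semsources.sources.utils.microsoft.accessToken.AccessToken: [DEBUG] Obtained a new access token. Not valid before [1562269452]. Expires on [1562273052]. CurrentTime [1562269286]
Jul 4 14:50:00 ::ffff:XXX.XXX.XXX.XXX [ecs-ec] [SHAREPOINT3407] com.q1labs.semsources.sources.utils.microsoft.accessToken.AccessToken: [DEBUG] Obtained a new access token. Not valid before [1562269452]. Expires on [1562273052]. CurrentTime [1562269500]'

# On a QRadar host with debug logging enabled:
#   token_skew < /var/log/qradar.java.debug
printf '%s\n' "$SAMPLE_LOG" | token_skew
```

For the example line on this page, the reported skew is 166 seconds, which is the roughly 3-minute gap described above.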
Resolving The Problem
NTP time sync is recommended to eliminate time discrepancies.
Document Location
Worldwide
Document Information
Modified date:
24 August 2021
UID
ibm16403769