IBM Support

QRadar: Office365 log source fails to start collecting events because a valid token can't be acquired

Troubleshooting


Problem

Microsoft® Office365® log source fails to start collecting events to QRadar® because a valid token can't be acquired.

Symptom

An Office365 log source has been created but event collection never starts.

Cause

This issue is usually caused by QRadar not having an NTP server configured for time synchronization, which leaves a time discrepancy between the Office365 server and QRadar.

Diagnosing The Problem

Enable debug logging for the classpath com.q1labs.semsources.sources.utils.microsoft.accessToken:
/opt/qradar/support/mod_log4j.pl -who yourName -al com.q1labs.semsources.sources.utils.microsoft.accessToken -duration 30min
The -duration 30min option makes the debug logging disable itself automatically after 30 minutes.
The debug log output is written to /var/log/qradar.java.debug.
Example output:
Jul 4 14:41:26 ::ffff:XXX.XXX.XXX.XXX [ecs-ec] [SHAREPOINT3407] com.q1labs.semsources.sources.utils.microsoft.accessToken.AccessToken: [DEBUG] Obtained a new access token. Not valid before [1562269452]. Expires on [1562273052]. CurrentTime [1562269286]
In this case, "CurrentTime" is before the "Not valid before" time.
Convert the epoch times to a human-readable format, for example with https://www.epochconverter.com/
From the output above:
Not valid before: 1562269452 = 4 July 2019 19:44:12 (GMT)
Current time: 1562269286 = 4 July 2019 19:41:26 (GMT)
In this case the current time is earlier than the "Not valid before" time, which means the clock of the managed host is behind by 3 minutes. Because the token is not yet valid according to the host's own clock, token retrieval fails.
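The check described above, done without a web converter, as an added example that is not part of the IBM document or of QRadar itself: it parses the three epoch values out of a debug line modelled on the one shown, converts them to GMT, and reports whether the managed host clock is behind the token's "Not valid before" time or already past its expiry. The sample line is constructed from the example output above; the field names and the skew threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample line, copied from the debug output shown in this document.
SAMPLE_LINE = (
    "Jul 4 14:41:26 ::ffff:XXX.XXX.XXX.XXX [ecs-ec] [SHAREPOINT3407] "
    "com.q1labs.semsources.sources.utils.microsoft.accessToken.AccessToken: "
    "[DEBUG] Obtained a new access token. Not valid before [1562269452]. "
    "Expires on [1562273052]. CurrentTime [1562269286]"
)

# Pulls the three epoch values out of an AccessToken debug line.
TOKEN_RE = re.compile(
    r"Not valid before \[(\d+)\]\. Expires on \[(\d+)\]\. CurrentTime \[(\d+)\]"
)


def epoch_to_gmt(epoch):
    """Render an epoch second as the GMT string epochconverter.com would show."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d %B %Y %H:%M:%S (GMT)")


def check_token_window(line):
    """Return the parsed times and a verdict, or None if the line does not match."""
    m = TOKEN_RE.search(line)
    if not m:
        return None
    nbf, exp, now = (int(x) for x in m.groups())
    # Positive skew: the host clock is behind the issuer; the token is "not yet valid".
    skew = nbf - now
    if now < nbf:
        verdict = "host clock behind issuer by %d s; token not yet valid" % skew
    elif now >= exp:
        verdict = "host clock ahead of issuer by %d s; token already expired" % (now - exp)
    else:
        verdict = "token window ok"
    return {
        "not_valid_before": epoch_to_gmt(nbf),
        "expires": epoch_to_gmt(exp),
        "current": epoch_to_gmt(now),
        "skew_seconds": skew,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in check_token_window(SAMPLE_LINE).items():
        print("%-17s %s" % (key + ":", value))
```

Run it over lines grepped from /var/log/qradar.java.debug; a skew of a couple of minutes in either direction is enough to reproduce the failure, which is why NTP rather than a one-off manual clock fix is the resolution.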

Resolving The Problem

NTP time sync is recommended to eliminate time discrepancies.

Document Location

Worldwide


Document Information

Modified date:
24 August 2021

UID

ibm16403769