000036127 - Unable to add the Microsoft Office 365 log source due to a python error in RSA NetWitness Logs & Packets

Document created by RSA Customer Support Employee on Mar 24, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036127
Applies ToRSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: Log Collector
RSA Version/Condition: 11.0.x
IssuePage 9 of the Microsoft Office 365 Event Source Configuration Guide calls for the execution of the commands below on the Log Collector.

cd /etc/netwitness/ng/logcollection/content/collection/cmdscript/office365audit/
python SubscribeLogCategory.py tenant_id application_id application_key resource_group

When executing the script with proper values for each of the four arguments, the python error below is returned.

ValueError: error:3207A06D:lib(50):B_HASH_init:cr new 
Traceback (most recent call last): 
File "SubscribeLogCategory.py", line 4, in <module> 
import adal 
File "/etc/netwitness/ng/logcollection/content/collection/cmdscript/office365audit/lib/adal/__init__.py", line 34, in <module> 
from .authentication_context import AuthenticationContext 
File "/etc/netwitness/ng/logcollection/content/collection/cmdscript/office365audit/lib/adal/authentication_context.py", line 31, in <module> 
from .authority import Authority 
File "/etc/netwitness/ng/logcollection/content/collection/cmdscript/office365audit/lib/adal/authority.py", line 34, in <module> 
import requests 
File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module> 
from . import utils 
File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module> 
from .exceptions import InvalidURL 
File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module> 
from .packages.urllib3.exceptions import HTTPError as BaseHTTPError 
File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module 
raise ImportError("No module named '%s'" % (name,)) 
ImportError: No module named 'requests.packages.urllib3'

CauseThere was an issue with Office 365 files that come with an RSA NetWitness 11.x installation, which may result in this error when executing the SubscribeLogCategory.py script.
ResolutionThe latest Office 365 files from RSA Live fix this issue. 

Follow the steps below to deploy Office 365 from RSA Live.
  1. Select Live In the RSA NetWitness Suite menu.
  2. Browse RSA Live for MS Office 365 content, typing Office 365 into the Keywords text box and clicking Search.
  3. Select the item returned in the search results.
  4. Click Deploy to deploy the Office 365 log parser to the appropriate Log Collectors using the Deployment Wizard.