Skip to main content
Skip table of contents

Office 365 Message Tracking API Collection

Office 365 Message Tracking is a collection of metadata about email messages sent and received within an organization, which contains information such as:

  • Sender
  • Recipient
  • Subject
  • Size
  • Status (for example, pending or delivered).

In addition to auditing, these logs can help identify messages that were delayed or failed to deliver.

The System Monitor Agent can import Office 365 Message Tracking logs into LogRhythm for analysis. This document explains how to configure the collection of Office 365 Message Tracking logs using the Web Console's cloud-to-cloud functionality. This feature is available only to LRCloud customers.


Before configuring collection from O365, do the following:

  • Make sure that the customer is an LRCloud customer and has their environment hosted.
  • Ensure that you have a valid username and password for connecting to the Office 365 reports API.
  • Check if you have the required permissions in O365 to use message trace search.

Initialize the Logs Source

  1. Log in to the Web Console as a Restricted Administrator User.
  2. On the top navigation bar, click the Administration icon 
     and select Cloud Log Collection.
  3. At the top of the Cloud Log Collection page, click New Log Source.
    The New cloud log collection dialog box appears.
  4. Select the Office 365 Message Tracking SYSMON AGENT tile.
    The Add Office 365 Message Tracking Log Source window appears.
  5. Enter the following details:



    NameEnter the name for this log source.
    Description (Optional)Enter a description for this log source.

    Enter the username of the Office 365 Admin account. If the username is an email ID, make sure that you enter the complete address.

    PasswordEnter the specified username.
  6. Click Save

A new active log source is created and accepted in the Client Console with the provided information. Collection should start automatically in few minutes.

The Platform Manager hosts all the log sources. It is recommended to create a new host entity and move the log source to the new host, which is done in the log source properties screen and not from the log source grid.

For security, the values entered are encrypted using LRCrypt.

Default Config Values for Office 365 Message Tracking Log Source


Default Value
Delay60 minutes
Window60 minutes
Frequency300 seconds
Timeout300 seconds
ErrorRetryTimeSpan60 minutes
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.