Azure Signin data => field [message] already exists

willemdh · July 12, 2021, 4:38pm

Hello,

I've seen multiple occurences in the Azure signin logs where user.name was not populated. Those documents always have an error.message containing "field [message] already exists".

This seem like a bug.. The message field in those documents apparently has the same value as the filed azure.signinlogs.result_description, for example "Users' needs to enroll for second factor authentication (interactive)."

Sounds like a bug in the pipeline to me, ok if I make a GH issue?

Best regards,

Willem

legoguy1000 · July 13, 2021, 2:56am

It's because of this, beats/pipeline.yml at 11b545a182909de2234aed8bf2916f16f2234f5e · elastic/beats · GitHub. definitely needs to be modified. Create the issue and I can fix it.

legoguy1000 · July 13, 2021, 3:21am

When u create the GitHub issue, can u share the sample log that was being parsed that caused the issue so I can test the fix actions.

willemdh · August 4, 2021, 8:06pm

Thanks!

system · September 1, 2021, 10:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.