Collect O365 logs over a longer period of time

Hello,

I use the Fleet integration to collect O365 audit logs and I want to collect 1 month of logs.
The "Initial Interval" parameter has a maximum value of 7 days.
Is it possible to extend this duration, or is there a way to retrieve the logs manually and pass them through the o365 ingest pipeline?
Thank you for your help.

No, it seems that this 7-day limitation is on Microsoft's side.

In the part about the start and end time for collecting the logs using the API, you have this:

Both must be specified (or both omitted) and they must be no more than 24 hours apart, with the start time no more than 7 days in the past.

And in the possible errors list, you have this:

Content requested with the key {0} has already expired. Content older than 7 days cannot be retrieved.
{0} = resource id or resource URL


Thank you for your answer.
Is there another way to retrieve the logs in the right format and send them through Logstash or Filebeat to the o365 ingest pipeline?

I'm not sure, I do not collect those logs.

But the time limitation seems to be a Microsoft limitation; you cannot get logs older than 7 days.

It is possible to do this via Microsoft preview, but the format is CSV. What format does the ingest pipeline expect in order to be able to index the logs?

Probably JSON; you would need to create a JSON structure that matches the JSON that the integration gets from the API.

You could enable the integration, save the original event to see the structure, and then try to create a JSON document with the same structure.

All of this is done with external tools, so you would need to build something to do that.
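One way to build such an external tool, as an added example that is not from this thread or from the Elastic integration: it assumes the exported CSV carries each record's original API JSON in an AuditData column (the sample below is constructed to model that), checks for the common-schema fields every Management Activity API record has, and emits newline-delimited JSON that Filebeat or Logstash could forward; rows that do not carry a valid record are reported rather than silently dropped.

```python
import csv
import io
import json

# Constructed sample modelled on an audit-log CSV export (assumption):
# each row carries the original API record as a JSON string in "AuditData".
SAMPLE_CSV = """CreationDate,UserIds,Operations,AuditData
2024-01-15T10:22:01.0000000Z,alice@example.com,UserLoggedIn,"{""CreationTime"":""2024-01-15T10:22:01"",""Id"":""00000000-0000-0000-0000-000000000001"",""Operation"":""UserLoggedIn"",""Workload"":""AzureActiveDirectory"",""UserId"":""alice@example.com"",""ResultStatus"":""Succeeded""}"
2024-01-15T10:25:44.0000000Z,bob@example.com,FileDownloaded,not-json
"""

# Fields every Management Activity API record carries (common schema).
REQUIRED = ("CreationTime", "Id", "Operation", "Workload", "UserId")


def csv_to_events(text):
    """Parse the export; return (events, rejected) where events are the
    decoded API records and rejected lists the CreationDate of bad rows."""
    events, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            record = json.loads(row.get("AuditData", ""))
        except json.JSONDecodeError:
            rejected.append(row.get("CreationDate"))
            continue
        # A record missing the common fields would not match what the
        # integration receives from the API, so keep it out of the feed.
        if any(field not in record for field in REQUIRED):
            rejected.append(row.get("CreationDate"))
            continue
        events.append(record)
    return events, rejected


def to_ndjson(events):
    """One compact JSON document per line, the shape a Filebeat json
    input or Logstash json codec can read and forward to the pipeline."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events)


if __name__ == "__main__":
    events, rejected = csv_to_events(SAMPLE_CSV)
    print(to_ndjson(events), end="")
    print("rejected rows:", rejected)
```

Compare the emitted documents field by field against an `event.original` saved from the running integration before pointing them at the pipeline, since the API record structure varies per workload.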