Filebeat Azure Module with Intune Diagnostics?

Hi,

We're interested in trying out the Azure module for Filebeat in order to fetch logs from an Azure event hub. The event hub will be fed diagnostics logs from Intune.

If we look at the documentation for the Azure module (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-azure.html), it says that it has support for the following filesets:

  • ActivityLogs
  • signinLogs
  • AuditLogs

However, we can see that the diagnostics settings for Intune have the following categories available to send to an Azure event hub:

  • AuditLogs
  • OperationalLogs
  • DeviceComplianceOrg

Does that mean that the Filebeat Azure module only has support for the AuditLogs and not the other two? If so, is there any way you could recommend for us to collect the logs?

Thanks

We managed to use the Azure event hub input (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-eventhub.html) to solve this. However, none of the contents of the events are categorised in ECS fields, as they are with the existing modules.

What do you recommend to use to get the events in fields like in ECS format?

Hi @victor.nilsson, I suggest having a look at any of the pipelines generated for the other filesets in the azure module, like auditlogs, and trying to build a pipeline for these logs as well, assuming they share the Azure platform logs common schema.
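As an added illustration of the mapping such a pipeline would perform (this is example code written for this thread, not part of the Filebeat azure module or anything posted above), the Python below takes the JSON body that the azure-eventhub input delivers in the `message` field, splits its `records` array, and produces one ECS-style document per record from the common-schema fields `time`, `resourceId`, `operationName`, `category`, `resultType` and `correlationId`. The sample message is constructed; its nested `properties` content is made up and does not reflect the real Intune payload layout, and the `azure.<category>.properties` placement is an assumption modelled on how the module's existing filesets are organised. It also handles the 7-digit fractional seconds Azure emits, which `datetime.fromisoformat()` does not accept.

```python
"""Map Azure platform-log records (common schema) from an Event Hub message into ECS-style fields."""
import json
import re
from datetime import datetime, timezone

# Constructed sample of the JSON body the azure-eventhub input places in "message":
# a "records" array in the Azure platform logs common schema. The "properties"
# content is invented for this example; real Intune records carry different keys.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2021-03-02T10:15:30.1234567Z",
            "resourceId": "/TENANTS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.INTUNE",
            "operationName": "createDeviceCompliancePolicy",
            "category": "AuditLogs",
            "resultType": "Success",
            "correlationId": "11111111-2222-3333-4444-555555555555",
            "properties": {"actorUpn": "admin@example.com"},
        },
        {
            "time": "2021-03-02T10:16:00Z",
            "resourceId": "/TENANTS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.INTUNE",
            "operationName": "deviceCheckIn",
            "category": "OperationalLogs",
            "resultType": "Failure",
            "properties": {"deviceId": "device-0001"},
        },
    ]
})

# ISO 8601 UTC timestamp with an optional fractional part of any length (Azure uses 7 digits).
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_azure_time(value):
    """Parse the common-schema 'time' field into an aware UTC datetime.

    datetime.fromisoformat() rejects 7-digit fractions (and the 'Z' suffix before
    Python 3.11), so the fraction is truncated to microseconds and UTC attached explicitly.
    """
    m = _TS_RE.match(value)
    if not m:
        raise ValueError("unexpected Azure timestamp: %r" % value)
    base, frac = m.group(1), (m.group(2) or "0")
    micros = int(frac[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def outcome_from_result_type(result_type):
    """Map Azure resultType onto the ECS event.outcome vocabulary (success/failure/unknown)."""
    if result_type is None:
        return "unknown"
    rt = result_type.lower()
    if rt.startswith("succe"):
        return "success"
    if rt.startswith("fail"):
        return "failure"
    return "unknown"


def record_to_ecs(record):
    """Convert one common-schema record into an ECS-style document (field layout is assumed)."""
    category = record.get("category", "unknown").lower()
    doc = {
        "@timestamp": parse_azure_time(record["time"]).isoformat(),
        "event": {
            "module": "azure",
            "dataset": "azure." + category,          # e.g. azure.auditlogs, azure.operationallogs
            "action": record.get("operationName"),
            "outcome": outcome_from_result_type(record.get("resultType")),
            "original": json.dumps(record, separators=(",", ":")),
        },
        "cloud": {"provider": "azure"},
        "azure": {
            "resource": {"id": record.get("resourceId")},
            "correlation_id": record.get("correlationId"),
            # Keep the category-specific payload under its own object, as the module's filesets do.
            category: {"properties": record.get("properties", {})},
        },
    }
    # Drop absent optional fields so nulls do not end up in the index mapping.
    doc["azure"] = {k: v for k, v in doc["azure"].items() if v is not None}
    return doc


def eventhub_message_to_ecs(message):
    """Split the 'records' array of one Event Hub message into one ECS document per record."""
    body = json.loads(message)
    records = body.get("records")
    if records is None:
        records = [body]  # tolerate a single bare record without the "records" wrapper
    return [record_to_ecs(r) for r in records]


if __name__ == "__main__":
    for d in eventhub_message_to_ecs(SAMPLE_MESSAGE):
        print(json.dumps(d, indent=2))
```

In an Elasticsearch ingest pipeline the same steps correspond to a `json` processor on `message`, a `split`-style fan-out of `records` (or Filebeat's own handling of the array), a `date` processor for `time`, `rename`/`set` processors for the ECS fields, and a `script` or `set` for `event.outcome`; the Python makes the intended field-by-field result explicit so the pipeline can be checked against it.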
