Filebeat Azure Module with Intune Diagnostics?

victor.nilsson · September 15, 2020, 9:03am

Hi,

We're interested in trying out the Azure module for Filebeat in order to fetch logs from an Azure event hub. The event hub will be fed diagnostics logs from Intune.

If we look at the documentation for the Azure module (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-azure.html) it says that is has support for the following filesets:

ActivityLogs
signinLogs
AuditLogs

However we can see that the diagnostics settings for Intune has the following categories available to send to an Azure event hub:

AuditLogs
OperationalLogs
DeviceComplianceOrg

Does that mean that the Filebeat Azure module only has support for the Auditlogs and not the other two? If so, is there any way that you could recommend that we collect the logs with?

Thanks

victor.nilsson · September 16, 2020, 10:59am

We managed to use the input Azure event hub (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-eventhub.html) to solve this. However, none of the contents of the events are categorised in ECS fields, like with the existing modules.

What do you recommend to use to get the events in fields like in ECS format?

MarianaD · October 5, 2020, 2:23pm

hi @victor.nilsson, I suggest having a look at any of the pipelines generated for the other filesets in the azure module like auditlogs and try to build a pipeline for these logs as well, assuming they share the azure platform logs common schema.

system · November 2, 2020, 4:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.