Hello,
I have O365 logs coming in to my logstash via the O365 filebeat module. I am trying to create two outputs :
- Elasticsearch output
- S3 bucket output
The S3 bucket output requires a "message" field to be present. For other log sources I used a mutate filter to create the "message" field if required, and move the raw event to "message".
But for O365 there is no such raw event. I know that I want to move the nested o365.audit JSON object to the message field. But im not sure how to do it (tried many possible ways to do so)
sample o365.audit field
"o365": {
"audit": {
"RecordType": x,
"Parameters": {
"SyncMailboxLocationGuids": "x",
"Identity": "x",
"WarningAction": "x",
"ErrorAction": "x"
},
"ObjectId": "x",
"OriginatingServer": "x",
"UserKey": "x",
"CreationTime": "x",
"Version": x,
"UserType": x,
"UserId": "x",
"ClientAppId": "",
"OrganizationId": "x",
"AppId": "",
"Operation": "x",
"ExternalAccess": x,
"Id": "x",
"OrganizationName": "x",
"Workload": "x",
"ResultStatus": "x"
}
},
"event": {
"action": "x",
"id": "x",
"type": "x",
"provider": "x",
"code": "x",
"dataset": "x",
"kind": "x",
"module": "x",
"category": "x",
"outcome": "x"
},
"host": {
"name": "x",
"id": "x"
},
"@version": "x",
"fileset": {
"name": "x"
},
"@timestamp": "x"
},
"fields": {
"@timestamp": [
"x"
],
"o365.audit.CreationTime": [
"x"
]
},
"sort": [
x
]
}
Any suggestions will be appreciated!
