O365 module: No such input type exist: 'o365audit'

sriramb12 · September 21, 2022, 9:31am

The beat is throwing this error:

Sep 21 14:57:51 xxxx.lan filebeat[17245]: {"log.level":"debug","@timestamp":"2022-09-21T14:57:51.483+0530","log.logger":"processors","log.origin":{"file.name":"processors/processor.go","file.line":121},"message":"Generated new processors: script=[type=javascript, id=, sources=/usr/share/filebeat/module/o365/audit/config/pipeline.js], condition=has_fields: [o365audit], add_fields={\"ecs\":{\"version\":\"1.12.0\"}}","service.name":"filebeat","ecs.version":"1.6.0"}
Sep 21 14:57:51 xxx.lan filebeat[17245]: {"log.level":"error","@timestamp":"2022-09-21T14:57:51.483+0530","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: failed to create input: Error creating input. No such input type exist: 'o365audit'","service.name":"filebeat","ecs.version":"1.6.0"}

Any pointers?
[root@xxx filebeat]# filebeat version
filebeat version 8.4.2 (amd64), libbeat 8.4.2 [b00a6bca7be493b01a134a6ad8c415f2be297414 built 2022-09-13 21:44:38 +0000 UTC]

Interestingly, the filebeat (0365 module) is working in another system running filebeat 8.2.3
All config same across these systems

sriramb12 · September 21, 2022, 9:36am

Can admins create a separate tag for each module ? I dont find the tag matching o365 (or office365) ? It may help in searching quickly

Tetiana_Kravchenko · September 21, 2022, 3:36pm

Hi @sriramb12

Maybe you are you using OSS version of filebeat? This module is only available for the non-oss version of filebeat.

sriramb12 · September 22, 2022, 3:17am

@Tetiana_Kravchenko
Thanks. I followed these steps:
setup

echo "deb https://artifacts.elastic.co/packages/oss-8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list

So it appears I have indeed installed oss-8.x ? Can this step be branched to oss/non-oss ?
Also, the lack of support for a module (say, o365) should throw a different error and may be point user to the right steps. I can file a bug ?
thanks again, for your help!
Sriram

Tetiana_Kravchenko · September 22, 2022, 7:52pm

Yes, you are using oss version, looking to the documentation - non-oss is already a default option

echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list

I wouldn't say that this is a bug, 'o365' is not available in the installed version of filebeat, this version is not aware about existence of this input.

system · October 20, 2022, 9:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.