Office 365 Module, Filebeat, Logstash, and Elasticsearch

I'm currently using the Office 365 module, but I'm having several issues.

First, I use Logstash for processing (mostly because I put data in daily indexes). All I do in Logstash is take the data and pass it to Elasticsearch. No filtering or anything.

The data I'm getting is only of the AzureActiveDirectory type. I don't see any sign-ins of type Exchange, SharePoint, etc.

Also, when I try to use the built-in dashboard, it does see my data (the module says that it is receiving data), BUT it does not load/look correctly. From what I am seeing, it tries loading from filebeat-* when it should be loading from another index (as I named it differently).

Can someone help me out with the Office 365 module and using it with Logstash? Thanks.

I've also tried setting it up without Logstash (Filebeat -> Elasticsearch).

I go to Kibana and Add Data, select the Office 365 module, configure it, and it says I am receiving data. I open up the dashboard and... nothing.

It errors, saying that I cannot group event.x by "Terms".

Yep, that's the most likely cause. You will need to edit the dashboards to use the new index name.

Yeah, and it seems pretty easy: edit the dashboard and then edit the panel...

The thing is that the panel is pointing to a "saved search". I attempted to change said saved search, changing the index and then overwriting it (not a fan of overwriting defaults, but), but it gave the error that event.code cannot be aggregated by "Terms"; choose another field.

I believe the Add Data page in Kibana and using the wizard (so to speak) by itself isn't working because I'm using Logstash instead of just using Filebeat -> Elasticsearch.
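Editing the index pattern is the part the thread leaves to the reader, so here is an added example of doing it from an export rather than panel by panel. It is not code from the thread, from Filebeat or from Kibana; it assumes the shape of a Kibana saved-objects ndjson export (one JSON object per line, objects linking to each other through a "references" list, a summary line at the end), and the sample export, object ids and titles below are constructed for the example (the real ids in Filebeat's module dashboards differ). Because visualizations and saved searches point at the index-pattern object by id, rewriting that one object's title is enough to move every panel that depends on it; the dangling-reference check afterwards confirms nothing still points at an object that is not in the export.

```python
import json

# Constructed sample of a Kibana saved-objects export (ndjson): one object per
# line, plus the summary line Kibana appends. Ids and titles are made up, but
# the shape mirrors how module dashboards link to their index pattern: the
# saved search references the index-pattern by id, and the visualization
# references the saved search by id.
SAMPLE_EXPORT = "\n".join([
    json.dumps({
        "type": "index-pattern", "id": "filebeat-*",
        "attributes": {"title": "filebeat-*", "timeFieldName": "@timestamp"},
        "references": [],
    }),
    json.dumps({
        "type": "search", "id": "o365-events-search",
        "attributes": {
            "title": "Office 365 events [Filebeat o365]",
            "kibanaSavedObjectMeta": {"searchSourceJSON": json.dumps({
                "query": {"query": "event.module:o365", "language": "kuery"},
                "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
            })},
        },
        "references": [{
            "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
            "type": "index-pattern", "id": "filebeat-*",
        }],
    }),
    json.dumps({
        "type": "visualization", "id": "o365-events-by-code",
        "attributes": {"title": "Events by event.code [Filebeat o365]"},
        "references": [{"name": "search_0", "type": "search", "id": "o365-events-search"}],
    }),
    json.dumps({"exportedCount": 3, "missingRefCount": 0, "missingReferences": []}),
]) + "\n"


def _objects(ndjson_text):
    """Yield the saved objects in an export, skipping blank lines and the summary line."""
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if "type" in obj:
            yield obj


def retarget_index_pattern(ndjson_text, old_title, new_title):
    """Rewrite every index-pattern whose title is old_title to new_title.

    Returns (rewritten ndjson, number of index-patterns changed). Every other
    line, including the summary line, is passed through unchanged.
    """
    out, changed = [], 0
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("type") == "index-pattern" and obj.get("attributes", {}).get("title") == old_title:
            obj["attributes"]["title"] = new_title
            changed += 1
        out.append(json.dumps(obj))
    return "\n".join(out) + "\n", changed


def dangling_references(ndjson_text):
    """List (object id, referenced type, referenced id) for every reference whose
    target is not in the export. Anything listed here will still fail to resolve
    its index pattern or saved search after import."""
    objs = list(_objects(ndjson_text))
    present = {(o["type"], o["id"]) for o in objs}
    missing = []
    for o in objs:
        for ref in o.get("references", []):
            if (ref["type"], ref["id"]) not in present:
                missing.append((o["id"], ref["type"], ref["id"]))
    return missing


if __name__ == "__main__":
    rewritten, n = retarget_index_pattern(SAMPLE_EXPORT, "filebeat-*", "o365-*")
    print(f"retargeted {n} index pattern(s); dangling references: {dangling_references(rewritten)}")
    print(rewritten)
```

The "cannot be aggregated by Terms" error is a separate problem that the thread does not resolve, and the likely cause is worth checking before editing any dashboard: a Terms aggregation needs a keyword (or numeric) field, and an index whose name the Filebeat index template does not match gets its fields dynamically mapped as text, so event.code stops being aggregatable. Naming the daily indexes so they still fall inside the template's pattern (for example keeping the filebeat- prefix and appending the date) is an assumption on my part, not something the thread confirms, but it would let the daily indexes keep the module's mappings and leave the stock filebeat-* dashboards working without any retargeting at all.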
