Use Office 365 module in Logstash?

riahc3 · June 21, 2021, 11:00am

Hello

Is it possible to use the Office 365 module with Logstash?

Thanks

warkolm · June 21, 2021, 10:07pm

Do you mean the Filebeat module?

riahc3 · June 22, 2021, 7:25am

Yup.

I followed this

To attempt to do it but it doesnt seem to work correctly (Kibana doesnt display anything)

Here is my logstash:

input {
  beats {
     client_inactivity_timeout => 1200
     port => 5061
     ssl => false
#       tags => [ "filebeat" ]
  }
}

#filter

#{

 #  if [event][category] != "authentication"

 # {

 #       drop { }

 #   }
#geoip {
#        source => "[o365][audit][ClientIP]"
#      }

# }




output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://MYELASTICSTACK:9200"
      manage_template => false
      index => "filebeat-o365-login-%{+yyyy.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
      user => "elastic"
      password => "mypassword"
    }
  } else {
    elasticsearch {
      hosts => "http://MYELASTICSTACK:9200"
      manage_template => false
      index => "filebeat-o365-login-%{+yyyy.MM.dd}"
      user => "elastic"
      password => "mypassword"
    }
  }
}

Kibana says:

Saved field "event.code" is invalid for use with the "Terms" aggregation. Please select a new field.
Saved field "event.kind" is invalid for use with the "Terms" aggregation. Please select a new field
Saved field "event.outcome" is invalid for use with the "Terms" aggregation. Please select a new field.

riahc3 · June 29, 2021, 7:21am

I think the modules wizard should be a bit more dynamic in the sense that you should be able to choose the index pattern you want to use and it should give you a list of fields where it can read data from.

system · July 27, 2021, 7:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.