Use Office 365 module in Logstash?

Hello

Is it possible to use the Office 365 module with Logstash?

Thanks

Do you mean the Filebeat module?

Yup.

I followed this

to attempt to do it, but it doesn't seem to work correctly (Kibana doesn't display anything).

Here is my logstash:

input {
  beats {
    # Filebeat's Logstash output points at this listener.
    client_inactivity_timeout => 1200
    port => 5061
    # TLS is disabled on the beats listener, so events arrive in cleartext.
    ssl => false
#   tags => [ "filebeat" ]
  }
}

# Filter stage, currently disabled (commented out): it would keep only
# authentication events and geolocate the client IP.
#filter {
#  if [event][category] != "authentication" {
#    drop { }
#  }
#  geoip {
#    source => "[o365][audit][ClientIP]"
#  }
#}

output {
  # Filebeat sets [@metadata][pipeline] when the module defines an
  # Elasticsearch ingest pipeline; it is passed through so the module's
  # parsing runs at index time.
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://MYELASTICSTACK:9200"
      manage_template => false
      index => "filebeat-o365-login-%{+yyyy.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
      user => "elastic"
      password => "mypassword"
    }
  } else {
    elasticsearch {
      hosts => "http://MYELASTICSTACK:9200"
      manage_template => false
      index => "filebeat-o365-login-%{+yyyy.MM.dd}"
      user => "elastic"
      password => "mypassword"
    }
  }
}

Kibana says:

Saved field "event.code" is invalid for use with the "Terms" aggregation. Please select a new field.
Saved field "event.kind" is invalid for use with the "Terms" aggregation. Please select a new field
Saved field "event.outcome" is invalid for use with the "Terms" aggregation. Please select a new field.

I think the modules wizard should be a bit more dynamic in the sense that you should be able to choose the index pattern you want to use and it should give you a list of fields where it can read data from.
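The usual cause of "invalid for use with the Terms aggregation" on a module dashboard is that the documents were indexed without the Filebeat index template, so ECS string fields such as event.code were dynamically mapped as text (with a .keyword subfield) instead of keyword, and the dashboard's visualizations reference the bare field. The Filebeat template's index pattern is derived from the beat version (filebeat-<version>-*), which a custom name like filebeat-o365-login-* never matches, even though the Kibana index pattern filebeat-* still finds the documents. The pipeline below is an added example, not code from the posts above or from Elastic; it keeps the index naming that Filebeat's own Logstash output documentation uses so both the template and the module's ingest pipeline apply. It assumes the module's pipeline and template were loaded beforehand with `filebeat setup` run against Elasticsearch directly, Logstash 7.x option names, and placeholder values for the host names, certificate paths, the hypothetical least-privilege user logstash_writer and the keystore entry LOGSTASH_WRITER_PASSWORD. It also enables TLS on both hops and drops the superuser credentials, since the pipeline carries tenant audit data.

```logstash
input {
  beats {
    port => 5061
    client_inactivity_timeout => 1200
    # TLS on the Filebeat -> Logstash hop (paths are placeholders).
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.key"
  }
}

filter {
  # Scope the filter to the o365 module; event.module is set by Filebeat
  # itself, so it is present at this stage.
  if [event][module] == "o365" {
    if [event][category] {
      # "in" works whether event.category is a string or, as ECS allows,
      # an array of strings; != would not match an array.
      if "authentication" not in [event][category] {
        drop { }
      }
    } else {
      # Do not silently discard audit records whose category is not yet
      # populated at the Logstash stage; tag them so the gap is visible.
      mutate { add_tag => [ "o365_category_missing_at_logstash" ] }
    }
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => [ "https://es.example.internal:9200" ]
      ssl => true
      cacert => "/etc/logstash/certs/ca.crt"
      # Template and ingest pipeline were loaded by `filebeat setup`;
      # the index name must match the template's filebeat-<version>-* pattern.
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+yyyy.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
      # Hypothetical role with create_index/write on filebeat-* only,
      # password read from the Logstash keystore.
      user => "logstash_writer"
      password => "${LOGSTASH_WRITER_PASSWORD}"
    }
  } else {
    elasticsearch {
      hosts => [ "https://es.example.internal:9200" ]
      ssl => true
      cacert => "/etc/logstash/certs/ca.crt"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+yyyy.MM.dd}"
      user => "logstash_writer"
      password => "${LOGSTASH_WRITER_PASSWORD}"
    }
  }
}
```

One ordering caveat: anything the module's Elasticsearch ingest pipeline adds does not exist yet when the Logstash filter runs, because that pipeline executes inside Elasticsearch at index time, after Logstash has sent the document. Only fields set on the Filebeat side (event.module, event.dataset, and whatever the module's own Filebeat-side processors produce) are visible to the filter, which is why the example tags rather than drops events with no event.category and why a geoip filter should be pointed at a field that is verifiably present at that stage. Add a stdout { codec => rubydebug } output first and check which fields actually arrive before relying on a drop. After switching the index name, remove the test indices created under the old name (or at least refresh the Kibana index pattern's field list) so the stale text mappings stop producing the same error.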
