Filebeat: Fix o365 module issues (elastic#18948)
- Fix scary data-loss warning on startup
- Avoid API errors being processed by the JS pipeline
- Fix dissect error about overriding client.port
- Fix module passing API settings to the input
- Document max_period using the right units

(cherry picked from commit 83bbd57)
adriansr committed Jun 9, 2020
1 parent f952705 commit 1a9063a
Showing 8 changed files with 13 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -109,6 +109,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix PANW module wrong mappings for bytes and packets counters. {issue}18522[18522] {pull}18525[18525]
- Fixed ingestion of some Cisco ASA and FTD messages when a hostname was used instead of an IP for NAT fields. {issue}14034[14034] {pull}18376[18376]
- Fix `o365.audit` failing to ingest events when ip address is surrounded by square brackets. {issue}18587[18587] {pull}18591[18591]
- Fix `o365` module ignoring `var.api` settings. {pull}18948[18948]

*Heartbeat*

2 changes: 1 addition & 1 deletion x-pack/filebeat/filebeat.reference.yml
Expand Up @@ -852,7 +852,7 @@ filebeat.modules:
# authentication_endpoint: "https://login.microsoftonline.us/"
# resource: "https://manage.office365.us"
#
# max_retention: 7d
# max_retention: 168h
# max_requests_per_minute: 2000
# poll_interval: 3m

5 changes: 1 addition & 4 deletions x-pack/filebeat/input/o365audit/state.go
Expand Up @@ -114,10 +114,7 @@ func (s *stateStorage) Load(key stream) (cursor, error) {
}
cur, err := s.persister.Load(key)
if err != nil {
if err != errStateNotFound {
return cur, err
}
cur = newCursor(key, time.Time{})
return newCursor(key, time.Time{}), err
}
return cur, s.saveUnsafe(cur)
}
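Review bot: The new error path in Load no longer distinguishes errStateNotFound from any other persister error: with the added `return newCursor(key, time.Time{}), err`, an unreadable or corrupt persisted state also comes back as a fresh zero-time cursor plus the error, whereas the removed lines only reset the cursor for the not-found case. A caller that logs the error and keeps the returned cursor would then restart the stream from time zero, so either keep the distinction with `if err != errStateNotFound { return cursor{}, err }` ahead of the new return (assuming cursor is a struct type), or confirm that the caller, which is outside this hunk, only continues on errStateNotFound. Load's doc comment, also outside the hunk, should state that errStateNotFound is returned together with a usable fresh cursor that is not persisted by Load, because by Go convention the value is otherwise meaningless when err is non-nil. Load's signature and the start of its body are above the hunk.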
8 changes: 2 additions & 6 deletions x-pack/filebeat/input/o365audit/state_test.go
Expand Up @@ -21,18 +21,14 @@ func TestNoopState(t *testing.T) {
t.Run("new state", func(t *testing.T) {
st := newStateStorage(noopPersister{})
cur, err := st.Load(myStream)
if !assert.NoError(t, err) {
t.Fatal(err)
}
assert.Equal(t, errStateNotFound, err)
empty := newCursor(myStream, time.Time{})
assert.Equal(t, empty, cur)
})
t.Run("update state", func(t *testing.T) {
st := newStateStorage(noopPersister{})
cur, err := st.Load(myStream)
if !assert.NoError(t, err) {
t.Fatal(err)
}
assert.Equal(t, errStateNotFound, err)
advanced := cur.TryAdvance(content{
Type: tn,
ID: "1234",
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/o365/_meta/config.yml
Expand Up @@ -40,6 +40,6 @@
# authentication_endpoint: "https://login.microsoftonline.us/"
# resource: "https://manage.office365.us"
#
# max_retention: 7d
# max_retention: 168h
# max_requests_per_minute: 2000
# poll_interval: 3m
6 changes: 2 additions & 4 deletions x-pack/filebeat/module/o365/audit/config/input.yml
Expand Up @@ -19,10 +19,7 @@ content_type:
{{ end }}
{{ end }}
{{ if .api }}
api:
{{ range $k, $v := .api }}
- {{ $k }}: {{ $v -}}
{{ end }}
api: {{.api | tojson }}
{{ end }}

{{ else if eq .input "file" }}
Expand All @@ -49,6 +46,7 @@ processors:
- 2006-01-02T15:04:05
{{ end }}
- script:
when.has_fields: ['o365audit']
lang: javascript
id: o365audit_script
file: ${path.home}/module/o365/audit/config/pipeline.js
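Review bot: The added `when.has_fields: ['o365audit']` on the script processor has no comment saying why it exists, and the processor above it in the same list (only its last layout line, `- 2006-01-02T15:04:05`, is in the hunk, so it looks like a timestamp processor) still runs on the API error events the commit message says the guard is meant to keep out of the JS pipeline. If those events are deliberately published without passing through pipeline.js, add `# API error events carry no o365audit field; keep them out of the JS pipeline` above the `when`, and confirm that the preceding processors tolerate an event that lacks the o365audit fields rather than failing on it. In the first hunk of this section, `api: {{.api | tojson }}` now emits the whole var.api map inline instead of the removed range that produced a list; a short note there that JSON is used because it is valid YAML and yields a mapping would help the next reader.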
5 changes: 4 additions & 1 deletion x-pack/filebeat/module/o365/audit/config/pipeline.js
Expand Up @@ -729,7 +729,10 @@ function AuditProcessor(tenant_names, debug) {
tokenizer: '[%{_ip}]:%{port}',
field: 'client.address',
target_prefix: 'client',
'when.contains.client.address': ']:',
'when.and': [
{'not.has_fields': ['client._ip', 'client.port']},
{'contains.client.address': ']:'},
],
}));
builder.Add("extractClientIPv4Port", new processor.Dissect({
tokenizer: '%{_ip}:%{port}',
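Review bot: The `extractClientIPv4Port` dissect at the bottom of the hunk writes to the same `client` prefix with tokenizer `'%{_ip}:%{port}'`, so it would hit the same override error on `client.port` that the new `when.and` avoids for the bracketed form; its `when` clause is below the hunk, so check that it carries the matching `{'not.has_fields': ['client._ip', 'client.port']}` guard. The new condition also deserves a one-line comment, e.g. `// skip when an earlier processor already populated client.port (dissect would otherwise fail overriding it)`, since `client._ip` is a scratch field and a reader will not know why it is tested. AuditProcessor begins well above the hunk.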
2 changes: 1 addition & 1 deletion x-pack/filebeat/modules.d/o365.yml.disabled
Expand Up @@ -43,6 +43,6 @@
# authentication_endpoint: "https://login.microsoftonline.us/"
# resource: "https://manage.office365.us"
#
# max_retention: 7d
# max_retention: 168h
# max_requests_per_minute: 2000
# poll_interval: 3m
