counteractive / o365beat

Elastic Beat for fetching and shipping Office 365 audit events

Error parsing Audit.AzureActiveDirectory (other content types work fine) #27

Closed jheidecker closed 4 years ago

jheidecker commented 4 years ago

Dec 10 07:58:45 testhost o365beat[11770]: 2019-12-10T07:58:45.130Z#011WARN#011elasticsearch/client.go:535#011Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0x0, ext:63711558741, loc:(*time.Location)(nil)}, Meta:common.MapStr(nil), Fields:common.MapStr{"Actor":[]interface {}{common.MapStr{"ID":"6f7dc456-1e61-4b2a-a913-4d3d69d30570", "Type":0}, common.MapStr{"ID":"user@contoso.com", "Type":5}, common.MapStr{"ID":"10037FFE91234567", "Type":3}}, "ActorContextId":"9383ac17-fa44-43b4-b883-6ac627ac89ed", "ActorIpAddress":"10.10.10.10", "ApplicationId":"5e3ce6c0-2b1f-4285-8d4b-75ee78787346", "AzureActiveDirectoryEventType":1, "ClientIP":"10.10.10.10", "CreationTime":"2019-12-10T07:12:21", "ExtendedProperties":"[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"} {\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"} {\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"} {\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"} {\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}]", "Id":"07aa789d-5426-4f10-8318-8dfc6288e1d8", "InterSystemsId":"3e90d4d1-956e-45ed-b56e-f57d5d763138", "IntraSystemId":"c4fae13d-1a46-42e8-b733-2f900d914102", "ModifiedProperties":"[]", "ObjectId":"4580fd1d-e5a3-4f56-9ad1-aab0e3bf8f76", "Operation":"UserLoggedIn", "OrganizationId":"8196ac17-fa44-43b4-b883-6ac627ac67ca", "RecordType":15, "ResultStatus":"Succeeded", "SupportTicketId":"", "Target":[]interface {}{common.MapStr{"ID":"1234cd1d-e5a3-4f56-9ad1-bba0e3bf8f76", "Type":0}}, "TargetContextId":"8196ac17-fa44-43b4-b883-6ac627ac67ca", "UserId":"user@contoso.com", "UserKey":"10037FFE9A551234@contoso.com", "UserType":0, "Version":1, "Workload":"AzureActiveDirectory", "agent":common.MapStr{"ephemeral_id":"12348684-45a5-486f-8e66-8330a6ef4567", "hostname":"testhost", "id":"03c971b4-cd4d-4d7e-a4b9-c24b5d6f56b5", "type":"o365beat", "version":"1.4.3"}, 
"client":common.MapStr{"ip":"10.10.10.10"}, "cloud":common.MapStr{"account":common.MapStr{"id":"8196ac17-fa44-43b4-b883-6ac627ac67ca"}}, "ecs":common.MapStr{"version":"1.1.0"}, "event":common.MapStr{"action":"UserLoggedIn", "category":"AzureActiveDirectory", "code":"15", "id":"099a789d-5426-4f10-8318-8dfc6277e1d8", "outcome":"Succeeded"}, "host":common.MapStr{"name":"testhost"}, "user":common.MapStr{"id":"user@contoso.com"}}, Private:interface {}(nil), TimeSeries:false}, Flags:0x0} (status=400): {"type":"mapper_parsing_exception","reason":"object mapping for [ExtendedProperties] tried to parse field [ExtendedProperties] as object, but found a concrete value"}

jheidecker commented 4 years ago

Oddly enough, this seemed to be working only a few days ago. Not sure if m$ changed something, but curious if something stands out to developer before we troubleshoot.

chris-counteractive commented 4 years ago

Hmm, I'm not sure why this would arbitrarily stop working - this should be covered by the ExtendedProperties processor we added in abb66258877a1325a18088b763749d85a9ca8bdc. Would you mind confirming a couple of things about your config?

  1. Do you have the ExtendedProperties processor in your processors section, something like this:
    processors:
      - convert:
          fields:
            # bunch of other converters ...
            - {from: ExtendedProperties, type: string}
  2. Do you perhaps have the annoying second processors section shadowing your "main" processors? If so, it needs to be deleted, commented out, or merged. It looks like this:
    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~

See my comment in issue #23 for more info on that possibility.

Were there any changes to your config, or did this just come out of nowhere? Thanks for the feedback, I'm looking forward to getting everything back on track for you.
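The two config checks above, as an added example that is not part of this issue thread or of the o365beat project: a hypothetical Python script that scans a Beats-style YAML file for duplicate top-level `processors` blocks and confirms that the effective (last) block still carries the `{from: ExtendedProperties, type: string}` converter. The sample config, its `name` and `output.elasticsearch` keys, and the line-based block splitting are constructed for the example; "last block wins" follows the shadowing behaviour the comment describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not a real o365beat.yml): the "main" processors block with the
# ExtendedProperties converter, then a second top-level processors block that shadows it.
BROKEN_CONFIG = """\
name: testhost
processors:
  - convert:
      fields:
        - {from: ExtendedProperties, type: string}
        - {from: ModifiedProperties, type: string}
output.elasticsearch:
  hosts: ["localhost:9200"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
"""
# The same config with the shadowing block removed.
FIXED_CONFIG = BROKEN_CONFIG.split("processors:\n  - add_host_metadata")[0]

CONVERT_ENTRY = re.compile(r"from\s*:\s*(\w+)\s*,\s*type\s*:\s*(\w+)")

def processors_sections(config_text: str) -> List[Tuple[int, str]]:
    """(1-based start line, body) of each top-level `processors:` block, in file order.
    A block runs up to the next non-indented line that is not blank or a comment."""
    lines = config_text.splitlines()
    tops = [i for i, l in enumerate(lines) if l and not l[0].isspace() and l[0] != "#"]
    found = []
    for k, i in enumerate(tops):
        if re.match(r"^processors\s*:", lines[i]):
            end = tops[k + 1] if k + 1 < len(tops) else len(lines)
            found.append((i + 1, "\n".join(lines[i + 1:end])))
    return found

def effective_convert_types(config_text: str) -> Dict[str, str]:
    """field -> type from convert entries in the last (effective) processors block only."""
    sections = processors_sections(config_text)
    return dict(CONVERT_ENTRY.findall(sections[-1][1])) if sections else {}

def check_config(config_text: str) -> List[str]:
    """Run both checks from the comment above; an empty list means the config passed."""
    findings = []
    starts = [n for n, _ in processors_sections(config_text)]
    if len(starts) > 1:
        findings.append(f"{len(starts)} top-level processors blocks at lines {starts}; the last one shadows the rest")
    if effective_convert_types(config_text).get("ExtendedProperties") != "string":
        findings.append("effective processors block has no {from: ExtendedProperties, type: string} converter")
    return findings
```

Running `check_config` on the broken sample reports both problems; on the fixed sample it returns an empty list.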

jheidecker commented 4 years ago

I think now that it is something with ES, and not the beat. After deleting the index, it started working again. Still trying to figure out what the root cause was. Will update you when I figure it out.