counteractive / o365beat

Elastic Beat for fetching and shipping Office 365 audit events

Certain events don't trigger the dissect processor #31

Closed GenCr closed 4 years ago

GenCr commented 4 years ago

Some events (e.g. "CrmDefaultActivity") don't trigger the dissect processor which triggers the "client.ip" field because the "ClientIP" data is in the format of "192.168.1.1:80" rather than "[192.168.1.1]:80".

Managed to fix this with an extra dissect processor entry:

  - dissect:
      # Second branch for the unbracketed "ip:port" form (e.g. CrmDefaultActivity events).
      # Both tests must hold, so they are combined with `and`: a Beats `when` honours a
      # single top-level condition type, so listing `contains` and `not` as siblings
      # would silently drop the `not` and also match the bracketed events.
      when:
        and:
          - contains:
              ClientIP: ':'
          - not:
              contains:
                ClientIP: '['
      field: ClientIP
      tokenizer: '%{clientip}:%{clientport}'
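To see what the two dissect branches in this thread actually do to the different ClientIP shapes, here is an added example in Python (written for this page, not code from o365beat or from the commenter). It emulates the two tokenizers under the assumption that dissect splits at the first occurrence of each delimiter, runs them over constructed sample values, and adds a hardened parser that also copes with unbracketed IPv6 and bare addresses, which the thread does not cover. The sample values and the function names are assumptions for illustration.

```python
"""Emulation of the ClientIP dissect logic discussed in the thread (added example)."""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample ClientIP values: the two shapes the thread describes,
# plus edge cases (bracketed/unbracketed IPv6, bare IPv4) it does not mention.
SAMPLE_CLIENT_IPS = [
    "[192.168.1.1]:80",    # bracketed form handled by the original processor
    "192.168.1.1:80",      # unbracketed form reported for CrmDefaultActivity
    "[2001:db8::1]:443",   # bracketed IPv6
    "2001:db8::1",         # unbracketed IPv6, no port
    "10.0.0.5",            # bare IPv4, no port
]


def dissect_bracketed(value: str) -> Optional[Tuple[str, str]]:
    """Emulates tokenizer '[%{ip}]:%{port}' guarded by `contains: '['`.

    The leading '[' is a literal prefix; the ip key consumes up to the
    first ']:' delimiter and the port key takes the remainder.
    """
    if "[" not in value or not value.startswith("[") or "]:" not in value:
        return None
    ip, _, port = value[1:].partition("]:")
    return ip, port


def dissect_colon(value: str) -> Optional[Tuple[str, str]]:
    """Emulates tokenizer '%{ip}:%{port}' guarded by contains ':' AND NOT contains '['.

    Dissect splits at the FIRST ':' (assumption about dissect semantics),
    which is exactly what mis-parses an unbracketed IPv6 address.
    """
    if ":" not in value or "[" in value:
        return None
    ip, _, port = value.partition(":")
    return ip, port


def parse_client_ip(value: str) -> Optional[Tuple[str, Optional[int]]]:
    """Hardened alternative: returns (ip, port) with port None when absent.

    The address is validated with `ipaddress`, so a mis-split is rejected
    instead of producing a bogus client.ip field.
    """
    value = value.strip()
    ip_part: str = value
    port: Optional[str] = None
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        ip_part, rest = value[1:end], value[end + 1:]
        if rest:
            if not rest.startswith(":"):
                return None
            port = rest[1:]
    elif value.count(":") == 1:
        # exactly one colon: IPv4:port; zero colons (bare IPv4) or
        # several colons (bare IPv6) fall through as address only
        ip_part, _, port = value.partition(":")
    try:
        ipaddress.ip_address(ip_part)
    except ValueError:
        return None
    port_num: Optional[int] = None
    if port is not None:
        if not port.isdigit() or not 0 <= int(port) <= 65535:
            return None
        port_num = int(port)
    return ip_part, port_num


def run_samples() -> Dict[str, dict]:
    """Applies all three parsers to every sample so the differences are visible."""
    return {
        v: {
            "bracketed": dissect_bracketed(v),
            "colon": dissect_colon(v),
            "parsed": parse_client_ip(v),
        }
        for v in SAMPLE_CLIENT_IPS
    }


if __name__ == "__main__":
    for value, result in run_samples().items():
        print(f"{value!r}: {result}")
```

The point to take away: the `%{clientip}:%{clientport}` branch fires on any unbracketed value containing a colon, so an unbracketed IPv6 address such as `2001:db8::1` would be split at the first colon into a meaningless `clientip` of `2001`. If that shape ever appears in the audit feed, guard the tokenizer with a stricter condition (or validate the result downstream) rather than relying on `contains: ':'` alone.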
chris-counteractive commented 4 years ago

Thank you @GenCr, you're absolutely right - a fix for this (just as you described, as well as in #16) will be in the next version.

GenCr commented 4 years ago

Ah, sorry, should have done more reading on the forum before posting!

chris-counteractive commented 4 years ago

No worries, I appreciate the engagement!

chris-counteractive commented 4 years ago

Fixed in 5224d5a, which isn't in a release yet, but it's straightforward to copy into your o365beat.yml config file (there's no changes to the beat itself) like @GenCr suggested. It'll be in the next release. Thanks!

chris-counteractive commented 4 years ago

Made a whitespace error in the yaml indentation in my previous fix (5224d5a00bb7f0f124255314d077af7fdd301fc2), corrected it in https://github.com/counteractive/o365beat/commit/dcdf24e4a3d4ff9fac69c3abc1c7a67e33847752. Should work fine now.