Closed GenCr closed 4 years ago
Thank you @GenCr, you're absolutely right - a fix for this (just as you described, as well as in #16) will be in the next version.
Ah, sorry, should have done more reading on the forum before posting!
No worries, I appreciate the engagement!
Fixed in 5224d5a, which isn't in a release yet, but it's straightforward to copy into your o365beat.yml config file (there are no changes to the beat itself) like @GenCr suggested. It'll be in the next release. Thanks!
Made a whitespace error in the YAML indentation in my previous fix (5224d5a00bb7f0f124255314d077af7fdd301fc2), corrected it in https://github.com/counteractive/o365beat/commit/dcdf24e4a3d4ff9fac69c3abc1c7a67e33847752. Should work fine now.
Some events (e.g. "CrmDefaultActivity") don't trigger the dissect processor which triggers the "client.ip" field because the "ClientIP" data is in the format of "192.168.1.1:80" rather than "[192.168.1.1]:80".
Managed to fix this with an extra dissect processor entry:
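The two `ClientIP` shapes described in this report can also be normalized in one place before the value is mapped to `client.ip`. The Go function below is an added example, not the poster's processor entry and not o365beat code; `ParseClientIP` and `Endpoint` are hypothetical names, the sample values are constructed, and accepting bare and IPv6 addresses goes beyond the two formats reported here.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Endpoint is the normalized form of an audit record's ClientIP value.
type Endpoint struct {
	IP   string // canonical textual address, the value intended for client.ip
	Port int    // 0 when the record carried no port
}

// ParseClientIP accepts the two shapes reported in this thread,
// "[192.168.1.1]:80" and "192.168.1.1:80", plus (as an assumption about
// other event types) a bare address and bracketed IPv6 with a port.
func ParseClientIP(raw string) (Endpoint, error) {
	s := strings.TrimSpace(raw)
	// Bare address first: a bare IPv6 address contains colons but no port.
	if ip := net.ParseIP(s); ip != nil {
		return Endpoint{IP: ip.String()}, nil
	}
	// SplitHostPort strips brackets whether they wrap IPv4 or IPv6.
	host, port, err := net.SplitHostPort(s)
	if err != nil {
		return Endpoint{}, fmt.Errorf("unrecognized ClientIP %q: %w", raw, err)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return Endpoint{}, fmt.Errorf("ClientIP %q: host %q is not an IP", raw, host)
	}
	p, err := strconv.ParseUint(port, 10, 16)
	if err != nil {
		return Endpoint{}, fmt.Errorf("ClientIP %q: bad port %q", raw, port)
	}
	return Endpoint{IP: ip.String(), Port: int(p)}, nil
}

func main() {
	// Constructed sample values, not taken from real audit records.
	samples := []string{"[192.168.1.1]:80", "192.168.1.1:80", "192.168.1.1", "[2001:db8::1]:443", "not-an-ip"}
	for _, v := range samples {
		ep, err := ParseClientIP(v)
		fmt.Printf("%-20s -> %+v err=%v\n", v, ep, err)
	}
}
```

Returning an error for unrecognized values, rather than silently leaving the field empty, makes records that would otherwise lack `client.ip` visible during ingestion.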