Skip to content

Commit

Permalink
[filebeat] Add preserve_original_event option to o365audit input (ela…
Browse files Browse the repository at this point in the history
…stic#26273)

* Add preserve_original_event option to o365audit input

* Use String method from MapStr

* Add test
  • Loading branch information
marc-gr authored Jun 14, 2021
1 parent 2ebf83e commit 08eaadb
Show file tree
Hide file tree
Showing 5 changed files with 51 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -823,6 +823,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Make `filestream` input GA. {pull}26127[26127]
- Add new `parser` to `filestream` input: `container`. {pull}26115[26115]
- Add support for ISO8601 timestamps in Zeek fileset {pull}25564[25564]
- Add `preserve_original_event` option to `o365audit` input. {pull}26273[26273]

*Heartbeat*

Expand Down
5 changes: 5 additions & 0 deletions x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,11 @@ default is `2000`, as this is the server-side limit per tenant.
The maximum time window that API allows in a single query. Defaults to `24h`
to match Microsoft's documented limit.

===== `api.preserve_original_event`

Controls whether the original o365 audit object will be kept in `event.original`
or not. Defaults to `false`.

[id="{beatname_lc}-input-{type}-common-options"]
include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[]

Expand Down
4 changes: 4 additions & 0 deletions x-pack/filebeat/input/o365audit/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,10 @@ type APIConfig struct {
// duplicates.
SetIDFromAuditRecord bool `config:"set_id_from_audit_record"`

// PreserveOriginalEvent controls whether the original o365 audit object
// will be kept in `event.original` or not.
PreserveOriginalEvent bool `config:"preserve_original_event"`

// MaxQuerySize is the maximum time window that can be queried. The default
// is 24h.
MaxQuerySize time.Duration `config:"max_query_size" validate:"positive"`
Expand Down
3 changes: 3 additions & 0 deletions x-pack/filebeat/input/o365audit/input.go
Original file line number Diff line number Diff line change
Expand Up @@ -253,6 +253,9 @@ func (env apiEnvironment) toBeatEvent(doc common.MapStr) beat.Event {
b.SetID(id)
}
}
if env.Config.PreserveOriginalEvent {
b.PutValue("event.original", doc.String())
}
if len(errs) > 0 {
msgs := make([]string, len(errs))
for idx, e := range errs {
Expand Down
38 changes: 38 additions & 0 deletions x-pack/filebeat/input/o365audit/input_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

package o365audit

import (
"testing"

"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

"github.com/elastic/beats/v7/libbeat/common"
)

func TestPreserveOriginalEvent(t *testing.T) {
env := apiEnvironment{
Config: APIConfig{PreserveOriginalEvent: false},
}

doc := common.MapStr{
"field1": "val1",
}

event := env.toBeatEvent(doc)

v, err := event.GetValue("event.original")
require.EqualError(t, err, "key not found")
assert.Nil(t, v)

env.Config.PreserveOriginalEvent = true

event = env.toBeatEvent(doc)

v, err = event.GetValue("event.original")
require.NoError(t, err)
assert.JSONEq(t, `{"field1":"val1"}`, v.(string))
}

0 comments on commit 08eaadb

Please sign in to comment.