robp1234
(Robp1234)
February 12, 2024, 9:43am
1
Hello
We upgraded to 5.3.2 and it has caused us some issues because of some changes in how O365 input is processed. I can see from the change log that two changes were made to O365 inputs:
–
All of those GitHub links give me a 404 and I have failed to find more details searching on the issue numbers. Can anyone
a) point me at the right links so we can understand the changes
b) advise if this has caused them any issues also
thanks
Rob
1 Like
robp1234
(Robp1234)
February 13, 2024, 1:42pm
2
Having a mad moment - I meant Graylog Operations 5.2.3
I had a look through all the notes, and hopefully this is helpful; it’s all I could find in the notes about the actual changes that would affect you.
Removed fields:
Added fields:
event_created = CreationTime log value
event_source_product = "o365"
vendor_subtype = Workload log value
vendor_version = Version log value
Updated fields:
timestamp = The date/time the log was received in Graylog
message = This is now the full raw message
vendor_event_description = Previous value stored in message field, e.g. Office 365 log event: AzureActiveDirectory: [Not Available] : [100.36.43.126] UserLoggedIn Success
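An added example, not part of the posts above and not Graylog code: one way downstream processing could find and parse the summary string whether it arrives in message (before the change) or in vendor_event_description (after it). The regex layout is inferred from the single sample value quoted above; the function names, group names and sample events are hypothetical and constructed.

```python
import re

# Layout inferred from the one sample value quoted in the post (assumption):
# "Office 365 log event: <workload>: [<bracket1>] : [<bracket2>] <operation> <result>"
# Group names are hypothetical labels; bracket2 held an IP address in the sample.
PREFIX = "Office 365 log event:"
SUMMARY_RE = re.compile(
    r"^Office 365 log event: (?P<workload>[^:]+): \[(?P<bracket1>[^\]]*)\] : "
    r"\[(?P<bracket2>[^\]]*)\] (?P<operation>\S+) (?P<result>.+)$"
)

def find_summary(event):
    """Return (field_name, summary) for whichever field carries the summary."""
    # Newer schema: vendor_event_description; older schema: message.
    for field in ("vendor_event_description", "message"):
        value = event.get(field)
        if isinstance(value, str) and value.startswith(PREFIX):
            return field, value
    return None, None

def parse_summary(event):
    """Split the summary into named parts, or return None if absent/unparseable."""
    field, summary = find_summary(event)
    if summary is None:
        return None
    match = SUMMARY_RE.match(summary)
    if match is None:
        return None
    parts = match.groupdict()
    parts["summary_field"] = field  # records which schema the event used
    return parts

SAMPLE = "Office 365 log event: AzureActiveDirectory: [Not Available] : [100.36.43.126] UserLoggedIn Success"

# Constructed events, one per schema; the raw JSON body is made up for illustration.
OLD_EVENT = {"message": SAMPLE}
NEW_EVENT = {
    "message": '{"CreationTime": "2024-02-12T09:00:00", "Workload": "AzureActiveDirectory", "Version": 1}',
    "vendor_event_description": SAMPLE,
    "event_source_product": "o365",
}

if __name__ == "__main__":
    for event in (OLD_EVENT, NEW_EVENT):
        print(parse_summary(event))
```

Rules or alerts that key on the operation or result can then read the parsed parts instead of a fixed field, so events stored before and after the upgrade are handled the same way.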
robp1234
(Robp1234)
February 19, 2024, 9:57am
4
Thanks Joel, that’s very helpful. Vendor_event_description is the change that caused us issues, as we did some processing based on the values in the field. Good to have clarification on what else changed.
thanks again
Rob
system
(system)
Closed
March 4, 2024, 9:58am
5
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.