Graylog Operations 5.3.2 Parsing O365 input

Hello

We upgraded to 5.3.2 and it has caused us some issues because of some changes in how O365 input is processed. I can see from the change log that two changes were made to O365 inputs:

All of those github links give me a 404 and I have failed to find more details searching on the issue numbers. Can anyone

a) point me at the right links so we can understand the changes
b) advise if this has caused them any issues also

thanks

Rob


Having a mad moment - I meant Graylog Operations 5.2.3

I had a look through all the notes, and hopefully this is helpful. It's all I could find in the notes about the actual changes that would affect you:

Removed fields:

  • None

Added fields:

  • event_created = CreationTime log value
  • event_source_product = "o365"
  • vendor_subtype = Workload log value
  • vendor_version = Version log value

Updated fields:

  • timestamp = The date/time the log was received in Graylog
  • message = This is now the full raw message
  • vendor_event_description = Previous value stored in message field, e.g. Office 365 log event: AzureActiveDirectory: [Not Available] : [100.36.43.126] UserLoggedIn Success
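As an added example (not code from this thread, from Graylog, or from the O365 input itself), the Python below shows the failure mode behind the question: processing that matched on the old `message` content silently stops matching after 5.2.3, because `message` now holds the full raw event and the summary has moved to `vendor_event_description`. The helper reads the summary from `vendor_event_description` when present and falls back to `message` otherwise, so one rule works before and after the upgrade. The summary layout (workload, user, client IP, operation, result) is inferred from the single example above and is an assumption; both sample messages are constructed.

```python
import re
from typing import Optional

# Summary layout assumed from the one example in the thread:
#   Office 365 log event: <Workload>: [<User>] : [<ClientIP>] <Operation> <Result>
DESC_RE = re.compile(
    r"^Office 365 log event: (?P<workload>[^:]+): "
    r"\[(?P<user>[^\]]*)\] : \[(?P<client_ip>[^\]]*)\] "
    r"(?P<operation>\S+) (?P<result>\S+)$"
)

# Constructed sample: what a message looked like before 5.2.3
# (summary lived in the message field).
OLD_MESSAGE = {
    "timestamp": "2024-01-10T08:00:00.000Z",
    "message": ("Office 365 log event: AzureActiveDirectory: [Not Available] : "
                "[100.36.43.126] UserLoggedIn Success"),
}

# Constructed sample: the same event after 5.2.3 (fields from Joel's list;
# the raw JSON body is abbreviated and invented for illustration).
NEW_MESSAGE = {
    "timestamp": "2024-01-10T08:00:05.000Z",        # time received by Graylog
    "event_created": "2024-01-10T08:00:00.000Z",    # CreationTime from the log
    "event_source_product": "o365",
    "vendor_subtype": "AzureActiveDirectory",       # Workload from the log
    "vendor_version": "1",                          # Version from the log
    "message": '{"CreationTime":"2024-01-10T08:00:00","Workload":"AzureActiveDirectory",'
               '"Operation":"UserLoggedIn","ResultStatus":"Success"}',
    "vendor_event_description": ("Office 365 log event: AzureActiveDirectory: [Not Available] : "
                                 "[100.36.43.126] UserLoggedIn Success"),
}


def o365_summary(msg: dict) -> Optional[str]:
    """Return the human-readable summary regardless of Graylog version.

    After 5.2.3 it lives in vendor_event_description; before, it was the
    whole message field. Checking the new field first keeps a rule that
    was written against the old layout working across the upgrade.
    """
    desc = msg.get("vendor_event_description")
    return desc if desc is not None else msg.get("message")


def parse_summary(desc: str) -> Optional[dict]:
    """Split the summary into workload/user/client_ip/operation/result.

    Returns None when the text is not a summary (e.g. the raw JSON that the
    message field carries after 5.2.3), instead of half-matching it.
    """
    m = DESC_RE.match(desc)
    return m.groupdict() if m else None


def normalize(msg: dict) -> Optional[dict]:
    """Produce one flat record from either message shape.

    Prefers the structured fields added in 5.2.3 (vendor_subtype,
    event_created) when present and derives them from the summary otherwise.
    """
    desc = o365_summary(msg)
    if not desc:
        return None
    fields = parse_summary(desc)
    if fields is None:
        return None
    fields["workload"] = msg.get("vendor_subtype", fields["workload"])
    # event_created is the log's own CreationTime; timestamp is receipt time.
    fields["event_time"] = msg.get("event_created", msg.get("timestamp"))
    return fields


if __name__ == "__main__":
    for label, sample in (("old", OLD_MESSAGE), ("new", NEW_MESSAGE)):
        print(label, normalize(sample))
    # Rule that only looked at message: works on the old shape, not the new one.
    print("old message parses:", parse_summary(OLD_MESSAGE["message"]) is not None)
    print("new message parses:", parse_summary(NEW_MESSAGE["message"]) is not None)
```

The last two lines of the usage reproduce the breakage Rob hit: a rule keyed on `message` returns a match for the old shape and nothing for the new one, whereas `normalize` yields the same record for both.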

Thanks Joel, that’s very helpful. Vendor_event_description is the change that caused us issues, as we did some processing based on the values in the field. Good to have clarification on what else changed.

thanks again

Rob