The production release of o365beat is available on GitHub (check out the latest release here). We noticed a few questions about getting Office 365 logs into Graylog and wanted to post this as an option.
O365beat is an open source log shipper used to fetch Office 365 audit logs from the Office 365 Management Activity API and forward them with all the flexibility and capability provided by the beats platform. The target could be Graylog, the Elastic Stack/ELK, or another SIEM or aggregator.
The latest version includes updated documentation, a processor to map the raw API-provided events to Elastic Common Schema (ECS) fields, and a bunch of bug fixes.
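To illustrate the kind of work an ECS-mapping processor does, here is an added example that is not o365beat's own code: it takes one audit record in the Management Activity API common schema and emits ECS field names. The ECS field choices, the outcome normalisation and the sample record are this example's assumptions, not the project's mapping.

```python
"""Map an Office 365 Management Activity API audit record to ECS fields."""
from datetime import datetime, timezone

# Common-schema key -> ECS field. These target choices are an assumption
# made for this example, not the mapping o365beat itself applies.
FIELD_MAP = {
    "Id": "event.id",
    "Operation": "event.action",
    "Workload": "event.provider",
    "UserId": "user.id",
    "OrganizationId": "organization.id",
}

def split_client_ip(value):
    """Split ClientIP into (ip, port). The API may append a port, either as
    "1.2.3.4:443" or as "[2001:db8::1]:443"; port is None when absent."""
    if value.startswith("["):                 # bracketed IPv6 with port
        host, _, rest = value[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else None
    if value.count(":") == 1:                 # IPv4 with port
        host, port = value.split(":")
        return host, int(port)
    return value, None                        # bare IPv4 or bare IPv6

def to_ecs(record):
    """Return a flat dict keyed by ECS field name for one audit record."""
    ecs = {FIELD_MAP[k]: v for k, v in record.items() if k in FIELD_MAP}
    # CreationTime is UTC but carries no zone designator; make it explicit.
    ts = datetime.fromisoformat(record["CreationTime"]).replace(tzinfo=timezone.utc)
    ecs["@timestamp"] = ts.isoformat()
    if "ResultStatus" in record:
        ok = record["ResultStatus"].lower() in ("succeeded", "success")
        ecs["event.outcome"] = "success" if ok else "failure"
    if "ClientIP" in record:
        ip, port = split_client_ip(record["ClientIP"])
        ecs["source.ip"] = ip
        if port is not None:
            ecs["source.port"] = port
    return ecs

# Constructed sample record (not real tenant data) in the common schema.
SAMPLE = {
    "Id": "00000000-0000-0000-0000-000000000001",
    "RecordType": 15, "CreationTime": "2020-01-15T08:30:00",
    "Operation": "UserLoggedIn", "UserType": 0,
    "OrganizationId": "00000000-0000-0000-0000-0000000000aa",
    "Workload": "AzureActiveDirectory", "ResultStatus": "Succeeded",
    "UserId": "alice@example.com", "ClientIP": "[2001:db8::10]:51234",
}

if __name__ == "__main__":
    for key, val in sorted(to_ecs(SAMPLE).items()):
        print(f"{key}: {val}")
```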
There is still a lot on the to-do list and probably a few bugs. Please open an issue or submit a pull request if you notice any problems in testing or production. We’d love any feedback.
Please contact us if we can help in any way, hope this helps. Thanks!