fix logic for handling Azure logs

philhagen · Apr 6, 2021 · aa15ce3 · aa15ce3
1 parent 27fbf72
commit aa15ce3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/configfiles/6801-azure.conf b/configfiles/6801-azure.conf
@@ -67,7 +67,7 @@ filter {
 
     ### Azure SignIn Logs, in JSON format
     # https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema
-    else if [raw][category] == "SignInLogs" or [raw][category] == "ManagedIdentitySignInLogs" or [raw][category] == "NonInteractiveUserSignInLogs" {
+    if [raw][category] == "SignInLogs" or [raw][category] == "ManagedIdentitySignInLogs" or [raw][category] == "NonInteractiveUserSignInLogs" {
       date {
         match => [ "[raw][time]", "ISO8601" ]
       }
@@ -104,7 +104,7 @@ filter {
 
     ### Azure Audit Logs, in JSON format
     # https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-audit-log-schema
-    else if [raw][category] == "AuditLogs" or [raw][category] == "Audit" {
+    if [raw][category] == "AuditLogs" or [raw][category] == "Audit" {
       date {
         match => [ "[raw][time]", "ISO8601" ]
       }
@@ -144,7 +144,7 @@ filter {
 
     ### Azure Activity Logs, in JSON format
     # https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-audit-log-schema
-    else if [raw][category] == "Administrative" {
+    if [raw][category] == "Administrative" {
       date {
         match => [ "[raw][time]", "ISO8601" ]
       }
@@ -176,7 +176,7 @@ filter {
 
     ### Azure Storage Logs, in JSON foramt
     # https://docs.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference
-    else if [raw][category] == "StorageRead" {
+    if [raw][category] == "StorageRead" {
       date {
         match => [ "[raw][time]", "ISO8601" ]
       }
@@ -214,8 +214,8 @@ filter {
       }
     }
     # drop the rest - any unhandled log entries results in a current time stamp on the unparsed record
-    else if [raw][category] or [raw][System][Provider][Name] {
+    if [raw][category] or [raw][System][Provider][Name] {
       drop {}
     }
   }
-}
+}
diff --git a/configfiles/9999-output-stdout.conf b/configfiles/9999-output-stdout.conf
@@ -6,5 +6,6 @@
 output {
 #  stdout {
 #    codec => rubydebug
+#    codec => json
 #  }
 }