Review comments

x-pack/filebeat/docs/inputs/input-o365audit.asciidoc

@@ -15,7 +15,6 @@ Use the `o365audit` input to retrieve audit messages from Office 365
 and Azure AD activity logs. These are the same logs that are available under
 _Audit_ _log_ _search_ in the _Security_ _and_ _Compliance_ center.
 
-
 A single input instance can be used to fetch events for multiple tenants as long
 as a single application is configured to access all tenants. Certificate-based
 authentication is recommended in this scenario.
@@ -100,7 +99,7 @@ Path to the certificate's private key file for certificate-based authentication.
 [float]
 ===== `key_passphrase`
 
-Passphrase used to unlock the private key.
+Passphrase used to decrypt the private key.
 
 [float]
 ===== `api.authentication_endpoint`
@@ -126,9 +125,10 @@ The interval to wait before polling the API server for new events. Default `3m`.
 
 ===== `api.max_requests_per_minute`
 
-The maximum number of requests to perform every minute, for each tenant. The
-current limit is `2000` requests per minute per tenant.
+The maximum number of requests to perform per minute, for each tenant. The
+default is `2000`, as this is the server-side limit per tenant.
 
 ===== `api.max_query_size`
 
-The maximum time window that API allows in a single query. This is `24h`.
+The maximum time window that API allows in a single query. Defaults to `24h`
+to match Microsoft's documented limit.

x-pack/filebeat/input/o365audit/auth/auth.go

@@ -20,7 +20,7 @@ type TokenProvider interface {
 	Renew() error
 }
 
-// servicePrincipalToken extends *adal.ServicePrincipalToken with the
+// servicePrincipalToken extends adal.ServicePrincipalToken with the
 // the TokenProvider interface.
 type servicePrincipalToken adal.ServicePrincipalToken
 

x-pack/filebeat/input/o365audit/contentblob.go

@@ -28,7 +28,7 @@ type contentBlob struct {
 	skipLines int
 }
 
-// String return a printable representation of this transaction.
+// String returns a printable representation of this transaction.
 func (c contentBlob) String() string {
 	return fmt.Sprintf("content blob url:%s id:%s", c.url, c.id)
 }

x-pack/filebeat/input/o365audit/listblobs.go

@@ -191,7 +191,7 @@ func (l listBlob) handleError(response *http.Response) (actions []poll.Action) {
 		}
 	case 408, 503:
 		// Known errors when the backend is down.
-		//Repeat the request without reporting an error.
+		// Repeat the request without reporting an error.
 		return []poll.Action{
 			poll.Fetch(l),
 		}
@@ -223,9 +223,9 @@ func (l listBlob) handleError(response *http.Response) (actions []poll.Action) {
 		// retention_time(7d)+1h in the past.
 		// On the other hand, requests can be days into the future without error.
 
-		// First check if this is caused by a request close to  that's been
-		// queued for hours because of server being down. Repeat the request
-		// with updated times.
+		// First check if this is caused by a request close to the max retention
+		// period that's been queued for hours because of server being down.
+		// Repeat the request with updated times.
 		now := l.env.Clock()
 		delta := now.Sub(l.startTime)
 		if delta > (l.env.Config.MaxRetention + 30*time.Minute) {
@@ -253,15 +253,16 @@ func (l listBlob) handleError(response *http.Response) (actions []poll.Action) {
 		return []poll.Action{
 			poll.Fetch(l.adjustTimes(l.startTime)),
 		}
+
+	// Too many requests.
 	case "AF429":
-		// Too many requests.
+
+	// Internal server error. Retry the request.
 	case "AF50000":
-		// ...
-	// Invalid nextPage Input: {0}.
+
+	// Invalid nextPage Input: {0}. Can be ignored.
 	case "AF20031":
-		// Can be ignored.
 
-	//
 	// AF50005-AF50006: An internal error occurred. Retry the request.
 	case "AF50005", "AF50006":
 		return append(actions, poll.Fetch(l))