From 629fbece60e8284e3aae179685cba8d6737e66b6 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 26 Feb 2020 10:28:55 +0100
Subject: [PATCH] Review comments
---
 .../docs/inputs/input-o365audit.asciidoc | 10 +++++-----
 x-pack/filebeat/input/o365audit/auth/auth.go | 2 +-
 .../filebeat/input/o365audit/contentblob.go | 2 +-
 x-pack/filebeat/input/o365audit/listblobs.go | 19 ++++++++++---------
 4 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
index 5f6d09fc94c..aa1e5370b28 100644
--- a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
+++ b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc
@@ -15,7 +15,6 @@ Use the `o365audit` input to retrieve audit messages from Office 365 and Azure AD activity logs. These are the same logs that are available under _Audit_ _log_ _search_ in the _Security_ _and_ _Compliance_ center.
-
 A single input instance can be used to fetch events for multiple tenants as long as a single application is configured to access all tenants. Certificate-based authentication is recommended in this scenario.
@@ -100,7 +99,7 @@ Path to the certificate's private key file for certificate-based authentication.
 [float]
 ===== `key_passphrase`
-Passphrase used to unlock the private key.
+Passphrase used to decrypt the private key.
 [float]
 ===== `api.authentication_endpoint`
@@ -126,9 +125,10 @@ The interval to wait before polling the API server for new events. Default `3m`.
 ===== `api.max_requests_per_minute`
-The maximum number of requests to perform every minute, for each tenant. The
-current limit is `2000` requests per minute per tenant.
+The maximum number of requests to perform per minute, for each tenant. The
+default is `2000`, as this is the server-side limit per tenant.
 ===== `api.max_query_size`
-The maximum time window that API allows in a single query. This is `24h`.
+The maximum time window that API allows in a single query. Defaults to `24h`
+to match Microsoft's documented limit.
diff --git a/x-pack/filebeat/input/o365audit/auth/auth.go b/x-pack/filebeat/input/o365audit/auth/auth.go
index bac0c755a89..69899e34031 100644
--- a/x-pack/filebeat/input/o365audit/auth/auth.go
+++ b/x-pack/filebeat/input/o365audit/auth/auth.go
@@ -20,7 +20,7 @@ type TokenProvider interface {
 Renew() error
 }
-// servicePrincipalToken extends *adal.ServicePrincipalToken with the
+// servicePrincipalToken extends adal.ServicePrincipalToken with the
 // the TokenProvider interface.
 type servicePrincipalToken adal.ServicePrincipalToken
diff --git a/x-pack/filebeat/input/o365audit/contentblob.go b/x-pack/filebeat/input/o365audit/contentblob.go
index 85c4c50fb33..8e88ee0f0fb 100644
--- a/x-pack/filebeat/input/o365audit/contentblob.go
+++ b/x-pack/filebeat/input/o365audit/contentblob.go
@@ -28,7 +28,7 @@ type contentBlob struct {
 skipLines int
 }
-// String return a printable representation of this transaction.
+// String returns a printable representation of this transaction.
 func (c contentBlob) String() string {
 return fmt.Sprintf("content blob url:%s id:%s", c.url, c.id)
 }
diff --git a/x-pack/filebeat/input/o365audit/listblobs.go b/x-pack/filebeat/input/o365audit/listblobs.go
index c08e6c95cbf..9993351080c 100644
--- a/x-pack/filebeat/input/o365audit/listblobs.go
+++ b/x-pack/filebeat/input/o365audit/listblobs.go
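Review bot: The rewritten comment line still ends with "with the" and the unchanged line below it starts with "the TokenProvider interface", so the doc comment for servicePrincipalToken now reads "with the the TokenProvider interface"; drop one "the" while this line is being touched, e.g. `// servicePrincipalToken extends adal.ServicePrincipalToken with` followed by the existing `// the TokenProvider interface.`. Removing the `*` is right, since the declaration on the last line of the hunk defines a value type, not a pointer. Note, however, that a defined type like this does not inherit the methods declared on adal.ServicePrincipalToken, so "extends" only holds for the TokenProvider methods this package adds; "wraps" would describe it more precisely. The methods that satisfy TokenProvider are outside this hunk.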
@@ -191,7 +191,7 @@ func (l listBlob) handleError(response *http.Response) (actions []poll.Action) {
 }
 case 408, 503:
 // Known errors when the backend is down.
-//Repeat the request without reporting an error.
+// Repeat the request without reporting an error.
 return []poll.Action{
 poll.Fetch(l),
 }
@@ -223,9 +223,9 @@ func (l listBlob) handleError(response *http.Response) (actions []poll.Action) {
 // retention_time(7d)+1h in the past.
 // On the other hand, requests can be days into the future without error.
-// First check if this is caused by a request close to that's been
-// queued for hours because of server being down. Repeat the request
-// with updated times.
+// First check if this is caused by a request close to the max retention
+// period that's been queued for hours because of server being down.
+// Repeat the request with updated times.
 now := l.env.Clock()
 delta := now.Sub(l.startTime)
 if delta > (l.env.Config.MaxRetention + 30*time.Minute) {
@@ -253,15 +253,16 @@ func (l listBlob) handleError(response *http.Response) (actions []poll.Action) {
 return []poll.Action{
 poll.Fetch(l.adjustTimes(l.startTime)),
 }
+
+ // Too many requests.
 case "AF429":
- // Too many requests.
+
+ // Internal server error. Retry the request.
 case "AF50000":
- // ...
- // Invalid nextPage Input: {0}.
+
+ // Invalid nextPage Input: {0}. Can be ignored.
 case "AF20031":
- // Can be ignored.
- //
 // AF50005-AF50006: An internal error occurred. Retry the request.
 case "AF50005", "AF50006":
 return append(actions, poll.Fetch(l))
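Review bot: The 408/503 branch re-queues the same request with no delay and, as the corrected comment says, without reporting anything, so a prolonged backend outage is invisible to the operator and, unless `poll.Fetch` itself schedules with a backoff that is not visible here, the input keeps retrying a server that is already telling it to back off. A debug-level log line and a bounded or backed-off retry would be safer; at minimum the assumption should be written down, e.g. `// Repeat the request without reporting an error; poll.Fetch is expected to apply the poll interval before retrying.` and confirmed against the poller. handleError starts before this hunk and continues after it.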
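Review bot: The comment at the top of this hunk describes a server-side cutoff of retention_time(7d)+1h, but the condition on the last line fires at MaxRetention plus a bare `30*time.Minute`; if the smaller slack is deliberate so the times are adjusted before the server would reject the query, say so and name it, e.g. `// Slack kept below the server's 1h grace so we re-align before the query is rejected.` above `const retentionSlack = 30 * time.Minute` and then `if delta > l.env.Config.MaxRetention+retentionSlack {`. Using the injected `l.env.Clock()` rather than time.Now is good for testability and should stay. The body of the if and the rest of handleError are outside this hunk.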
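Review bot: The new comment above `case "AF50000":` promises "Retry the request", but that case body is empty and control simply leaves the switch, whereas AF50005/AF50006 retry explicitly with `return append(actions, poll.Fetch(l))`; unless the code after the switch (outside this hunk) performs a retry, AF50000 is not retried and the comment is misleading. If a retry is intended, fold it into the existing case, `case "AF50000", "AF50005", "AF50006":`, and widen the AF50005-AF50006 comment accordingly; otherwise reword the comment to state what actually happens. The AF429 case has the same shape: the comment now names throttling but the empty body applies no delay, and given the 2000 requests/minute server limit documented in this same patch, whatever the post-switch path does for this code should honour a Retry-After header or at least the poll interval rather than retry immediately. handleError ends outside this hunk.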