diff --git a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
index 18e3af0f..784d09fa 100644
--- a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
+++ b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
@@ -6,6 +6,14 @@ input {
 }
 }
 filter {
+ mutate{
+ remove_field => [ "host", "event" ]
+ }
+ mutate{
+ add_field => { "[event][module]" => "azure" }
+ add_field => { "[event][dataset]" => "azure.interactivesignin" }
+ add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" }
+ }
 if [message] =~ '^{"records": \[' {
 json {
 source => "message"
@@ -26,12 +34,6 @@ filter {
 skip_on_invalid_json => true
 }
 }
- mutate{
- add_field => { "[event][module]" => "azure" }
- add_field => { "[event][dataset]" => "azure.interactivesignin" }
- add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" }
- remove_field => [ "host", "event" ]
- }
 mutate {
 rename => { "[az][TenantId]" => "[cloud][account][id]" }
 rename => { "[az][TimeGenerated]" => "[event][ingested]" }
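Review bot: The `add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" }` line in the first hunk now executes before the `json { source => "message" ... }` block that parses the records, so if `[az][TenantId]` is only populated by that parse (the `rename => { "[az][TenantId]" => "[cloud][account][id]" }` in the second hunk suggests it is), the `%{...}` reference will not resolve and `[log][source][hostname]` will hold the literal text `%{[az][TenantId]}`, silently breaking tenant attribution for anything keyed on that field. `[event][module]` and `[event][dataset]` have no such dependency and can stay in the early mutate, but the hostname assignment belongs after the JSON parsing: add a separate `mutate { add_field => { "[log][source][hostname]" => "%{[az][TenantId]}" } }` immediately before the `mutate { rename => ... }` block at the end of the second hunk, not inside it, since mutate appears to apply `add_field` only after its own `rename` has already moved `[az][TenantId]` away. If the input block (outside the hunk) sets `[az][TenantId]` itself this does not apply; the `filter { ... }` block continues past both hunks.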