elastic · narph · Apr 21, 2020 · Apr 10, 2020 · Apr 10, 2020 · Apr 20, 2020
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -250,6 +250,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add dashboard for Google Cloud Audit and AWS CloudTrail. {pull}17379[17379]
 - Improve ECS categorization field mappings for mysql module. {issue}16172[16172] {pull}17491[17491]
 - Release Google Cloud module as GA. {pull}17511[17511]
+- Add config option to select a different azure cloud env in the azure-eventhub input and azure module. {issue}17649[17649] {pull}17659[17659]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/modules/azure.asciidoc b/filebeat/docs/modules/azure.asciidoc
@@ -43,6 +43,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi
       connection_string: ""
       storage_account: ""
       storage_account_key: ""
+      override_resource_manager_endpoint: ""
 
    auditlogs:
      enabled: false
@@ -52,6 +53,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi
        connection_string: ""
        storage_account: ""
        storage_account_key: ""
+       override_resource_manager_endpoint: ""
 
    signinlogs:
      enabled: false
@@ -61,6 +63,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi
        connection_string: ""
        storage_account: ""
        storage_account_key: ""
+       override_resource_manager_endpoint: ""
 
 ```
 
@@ -90,6 +93,10 @@ The name of the storage account the state/offsets will be stored and updated.
 _string_
 The storage account key, this key will be used to authorize access to data in your storage account.
 
+`override_resource_manager_endpoint` ::
+_string_
+Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
+
 include::../include/what-happens.asciidoc[]
 
 include::../include/gs-link.asciidoc[]

diff --git a/x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc b/x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc
@@ -28,6 +28,8 @@ Example configuration:
   storage_account: "azureeph"
   storage_account_key: "....."
   storage_account_container: ""
+  override_resource_manager_endpoint: ""
+
 ----
 
 ==== Configuration options
@@ -36,7 +38,7 @@ The `azure-eventhub` input supports the following configuration:
 
 ==== `eventhub`
 
-The name of the eventhub users would like to read from.
+The name of the eventhub users would like to read from, field required.
 
 ==== `consumer_group`
 
@@ -50,14 +52,17 @@ A Blob Storage account is required in order to store/retrieve/update the offset
 
 ==== `storage_account`
 
-The name of the storage account.
+The name of the storage account. Required.
 
 ==== `storage_account_key`
 
-The storage account key, this key will be used to authorize access to data in your storage account.
+The storage account key, this key will be used to authorize access to data in your storage account, option is required.
 
 ==== `storage_account_container`
 
 Optional, the name of the storage account container you would like to store the offset information in.
 
+==== `override_resource_manager_endpoint`
+
+Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
-==== `override_resource_manager_endpoint`
-
-Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
+==== `resource_manager_endpoint`
+
+Optional, resource manager endpoint to use, defaults to the public environment, possible values are... . If a URL is provided, the environment is obtained from the URL, this is useful in Hybrid Cloud deployments.
-==== `override_resource_manager_endpoint`
-
-Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
+==== `environment.name`
+
+Optional, environment to use, defaults to the public environment, possible values are... .
+
+==== `environment.url`
+
+Optional, loads the environment from a URL, this is useful in the Hybrid Cloud model. If this setting is used, `environment.name` is ignored.
-==== `override_resource_manager_endpoint`
-
-Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
+==== `resource_manager_endpoint`
+
+Optional, resource manager endpoint to use, defaults to the public environment, possible values are... . If a URL is provided, the environment is obtained from the URL, this is useful in Hybrid Cloud deployments.
-==== `override_resource_manager_endpoint`
-
-Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
+==== `environment.name`
+
+Optional, environment to use, defaults to the public environment, possible values are... .
+
+==== `environment.url`
+
+Optional, loads the environment from a URL, this is useful in the Hybrid Cloud model. If this setting is used, `environment.name` is ignored.
 
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
@@ -288,16 +288,18 @@ filebeat.modules:
   activitylogs:
     enabled: true
     var:
-      # Eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
+      # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
       eventhub: "insights-operational-logs"
-      # Consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
+      # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
       consumer_group: "$Default"
       # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string
       connection_string: ""
-      # the name of the storage account the state/offsets will be stored and updated.
+      # the name of the storage account the state/offsets will be stored and updated
       storage_account: ""
-      #The storage account key, this key will be used to authorize access to data in your storage account.
+      # the storage account key, this key will be used to authorize access to data in your storage account
       storage_account_key: ""
+      # by default the azure public environment is used, to override, users can provide a specific resource manager endpoint
+      override_resource_manager_endpoint: ""
 
   auditlogs:
     enabled: false
@@ -307,6 +309,7 @@ filebeat.modules:
  #     connection_string: ""
  #     storage_account: ""
  #     storage_account_key: ""
+ #     override_resource_manager_endpoint: ""
   signinlogs:
     enabled: false
  #   var:
@@ -315,6 +318,7 @@ filebeat.modules:
  #     connection_string: ""
  #     storage_account: ""
  #     storage_account_key: ""
+ #     override_resource_manager_endpoint: ""
 
 #--------------------------------- CEF Module ---------------------------------
 - module: cef

diff --git a/x-pack/filebeat/input/azureeventhub/config.go b/x-pack/filebeat/input/azureeventhub/config.go
@@ -17,6 +17,8 @@ type azureInputConfig struct {
 	SAName      string `config:"storage_account"`
 	SAKey       string `config:"storage_account_key"`
 	SAContainer string `config:"storage_account_container"`
+	// by default the azure public environment is used, to override, users can provide a specific resource manager endpoint
+	OverrideEnvironment string `config:"override_resource_manager_endpoint"`
 }
 
 const ephContainerName = "filebeat"

diff --git a/x-pack/filebeat/input/azureeventhub/eph.go b/x-pack/filebeat/input/azureeventhub/eph.go
@@ -16,14 +16,26 @@ import (
 	"github.com/Azure/go-autorest/autorest/azure"
 )
 
+// users can select from one of the already defined azure cloud envs
+var environments = map[string]azure.Environment{
+	azure.ChinaCloud.ResourceManagerEndpoint:        azure.ChinaCloud,
+	azure.GermanCloud.ResourceManagerEndpoint:       azure.GermanCloud,
+	azure.PublicCloud.ResourceManagerEndpoint:       azure.PublicCloud,
+	azure.USGovernmentCloud.ResourceManagerEndpoint: azure.USGovernmentCloud,
+}
+
 // runWithEPH will consume ingested events using the Event Processor Host (EPH) https://github.com/Azure/azure-event-hubs-go#event-processor-host, https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-event-processor-host
 func (a *azureInput) runWithEPH() error {
 	// create a new Azure Storage Leaser / Checkpointer
 	cred, err := azblob.NewSharedKeyCredential(a.config.SAName, a.config.SAKey)
 	if err != nil {
 		return err
 	}
-	leaserCheckpointer, err := storage.NewStorageLeaserCheckpointer(cred, a.config.SAName, a.config.SAContainer, azure.PublicCloud)
+	env, err := getAzureEnvironment(a.config.OverrideEnvironment)
+	if err != nil {
+		return err
+	}
+	leaserCheckpointer, err := storage.NewStorageLeaserCheckpointer(cred, a.config.SAName, a.config.SAContainer, env)
 	if err != nil {
 		return err
 	}
@@ -74,3 +86,15 @@ func (a *azureInput) runWithEPH() error {
 	}
 	return nil
 }
+
+func getAzureEnvironment(overrideResManager string) (azure.Environment, error) {
+	// if no overrride is set then the azure public cloud is used
+	if overrideResManager == "" {
+		return azure.PublicCloud, nil
+	}
+	if env, ok := environments[overrideResManager]; ok {
+		return env, nil
+	}
+	// can retrieve hybrid env from the resource manager endpoint
+	return azure.EnvironmentFromURL(overrideResManager)
+}
diff --git a/x-pack/filebeat/module/azure/_meta/config.yml b/x-pack/filebeat/module/azure/_meta/config.yml
@@ -3,16 +3,18 @@
   activitylogs:
     enabled: true
     var:
-      # Eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
+      # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
       eventhub: "insights-operational-logs"
-      # Consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
+      # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
       consumer_group: "$Default"
       # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string
       connection_string: ""
-      # the name of the storage account the state/offsets will be stored and updated.
+      # the name of the storage account the state/offsets will be stored and updated
       storage_account: ""
-      #The storage account key, this key will be used to authorize access to data in your storage account.
+      # the storage account key, this key will be used to authorize access to data in your storage account
       storage_account_key: ""
+      # by default the azure public environment is used, to override, users can provide a specific resource manager endpoint
+      override_resource_manager_endpoint: ""
 
   auditlogs:
     enabled: false
@@ -22,6 +24,7 @@
  #     connection_string: ""
  #     storage_account: ""
  #     storage_account_key: ""
+ #     override_resource_manager_endpoint: ""
   signinlogs:
     enabled: false
  #   var:
@@ -30,3 +33,4 @@
  #     connection_string: ""
  #     storage_account: ""
  #     storage_account_key: ""
+ #     override_resource_manager_endpoint: ""
diff --git a/x-pack/filebeat/module/azure/_meta/docs.asciidoc b/x-pack/filebeat/module/azure/_meta/docs.asciidoc
@@ -38,6 +38,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi
       connection_string: ""
       storage_account: ""
       storage_account_key: ""
+      override_resource_manager_endpoint: ""
 
    auditlogs:
      enabled: false
@@ -47,6 +48,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi
        connection_string: ""
        storage_account: ""
        storage_account_key: ""
+       override_resource_manager_endpoint: ""
 
    signinlogs:
      enabled: false
@@ -56,6 +58,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi
        connection_string: ""
        storage_account: ""
        storage_account_key: ""
+       override_resource_manager_endpoint: ""
 
 ```
 
@@ -85,6 +88,10 @@ The name of the storage account the state/offsets will be stored and updated.
 _string_
 The storage account key, this key will be used to authorize access to data in your storage account.
 
+`override_resource_manager_endpoint` ::
+_string_
+Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.
+
 include::../include/what-happens.asciidoc[]
 
 include::../include/gs-link.asciidoc[]

diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml
@@ -4,3 +4,4 @@ eventhub: {{ .eventhub }}
 consumer_group: {{ .consumer_group }}
 storage_account: {{ .storage_account }}
 storage_account_key: {{ .storage_account_key }}
+override_resource_manager_endpoint: {{ .override_resource_manager_endpoint }}
diff --git a/x-pack/filebeat/module/azure/activitylogs/manifest.yml b/x-pack/filebeat/module/azure/activitylogs/manifest.yml
@@ -10,6 +10,7 @@ var:
   - name: connection_string
   - name: storage_account
   - name: storage_account_key
+  - name: override_resource_manager_endpoint
 
 ingest_pipeline:
   - ingest/pipeline.json

diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml
@@ -4,4 +4,5 @@ eventhub: {{ .eventhub }}
 consumer_group: {{ .consumer_group }}
 storage_account: {{ .storage_account }}
 storage_account_key: {{ .storage_account_key }}
+override_resource_manager_endpoint: {{ .override_resource_manager_endpoint }}
 
diff --git a/x-pack/filebeat/module/azure/auditlogs/manifest.yml b/x-pack/filebeat/module/azure/auditlogs/manifest.yml
@@ -10,6 +10,7 @@ var:
   - name: connection_string
   - name: storage_account
   - name: storage_account_key
+  - name: override_resource_manager_endpoint
 
 ingest_pipeline:
   - ingest/pipeline.json

diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml
@@ -4,3 +4,4 @@ eventhub: {{ .eventhub }}
 consumer_group: {{ .consumer_group }}
 storage_account: {{ .storage_account }}
 storage_account_key: {{ .storage_account_key }}
+override_resource_manager_endpoint: {{ .override_resource_manager_endpoint }}
diff --git a/x-pack/filebeat/module/azure/signinlogs/manifest.yml b/x-pack/filebeat/module/azure/signinlogs/manifest.yml
@@ -10,6 +10,7 @@ var:
   - name: connection_string
   - name: storage_account
   - name: storage_account_key
+  - name: override_resource_manager_endpoint
 
 ingest_pipeline:
   - ingest/pipeline.json

diff --git a/x-pack/filebeat/modules.d/azure.yml.disabled b/x-pack/filebeat/modules.d/azure.yml.disabled
@@ -6,16 +6,18 @@
   activitylogs:
     enabled: true
     var:
-      # Eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
+      # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
       eventhub: "insights-operational-logs"
-      # Consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
+      # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
       consumer_group: "$Default"
       # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string
       connection_string: ""
-      # the name of the storage account the state/offsets will be stored and updated.
+      # the name of the storage account the state/offsets will be stored and updated
       storage_account: ""
-      #The storage account key, this key will be used to authorize access to data in your storage account.
+      # the storage account key, this key will be used to authorize access to data in your storage account
       storage_account_key: ""
+      # by default the azure public environment is used, to override, users can provide a specific resource manager endpoint
+      override_resource_manager_endpoint: ""
 
   auditlogs:
     enabled: false
@@ -25,6 +27,7 @@
  #     connection_string: ""
  #     storage_account: ""
  #     storage_account_key: ""
+ #     override_resource_manager_endpoint: ""
   signinlogs:
     enabled: false
  #   var:
@@ -33,3 +36,4 @@
  #     connection_string: ""
  #     storage_account: ""
  #     storage_account_key: ""
+ #     override_resource_manager_endpoint: ""