Skip to content

[azure] update routing for signinlogs and springcloudlogs #15807

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

[azure] update routing for signinlogs and springcloudlogs #15807

wants to merge 14 commits into from
+399 −10

Conversation

@mmahacek
Copy link
Contributor

Proposed commit message

Fix for routing Azure signinlogs from Azure AD.

The "Windows Azure Active Directory" resource generates logs with the category MicrosoftServicePrincipalSignInLogs. When using the Azure Events v2 stream, these are handled as platform logs instead of as signinLogs. This PR adds routing to flag these events as the correct dataset.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Ingest data with a {"category":"MicrosoftServicePrincipalSignInLogs"} and verify the document ends up in the signinlogs dataset.

Related issues

Screenshots

@mmahacek mmahacek self-assigned this Oct 29, 2025
@mmahacek mmahacek requested review from a team as code owners October 29, 2025 18:00
@mmahacek mmahacek added Integration:azure Azure Logs bugfix Pull request that fixes a bug issue Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] labels Oct 29, 2025
@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Oct 30, 2025
efd6
efd6 reviewed Oct 30, 2025
View reviewed changes
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Oct 30, 2025
edited
Loading

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@zmoog
Copy link
Contributor

zmoog commented Oct 31, 2025

Hey @mmahacek, thanks for contributing this update!

I wonder if we should consider sing-in logs all *SignInLogs log categories, @kaiyan-sheng WDYT?

@andrewkroh andrewkroh added the Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] label Oct 31, 2025
@mmahacek
Copy link
Contributor Author

mmahacek commented Oct 31, 2025
edited
Loading

The signinlogs pipeline does drop any non "*signinlogs" before processing, so this does make some sense.

https://github.com/elastic/integrations/blob/main/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml#L46-L48

@mmahacek
Copy link
Contributor Author

While I'm updating routing rules, I notice that the router for springcloudlogs has a few different values:

integrations/packages/azure/data_stream/events/elasticsearch/ingest_pipeline/default.yml

Lines 106 to 110 in 80b9687

- set:
field: event.dataset
value: azure.springcloudlogs
if: 'ctx.tmp_json?.category == "ApplicationConsole" || ctx.tmp_json?.category == "SystemLogs" || ctx.tmp_json?.category == "IngressLogs" || ctx.tmp_json?.category == "BuildLogs" || ctx.tmp_json?.category == "ContainerEventLogs"'
description: 'Azure Spring Apps log categories (refs: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-logs/microsoft-appplatform-spring-logs)'

But the pipeline for that dataset only keeps two of the values:

integrations/packages/azure/data_stream/springcloudlogs/elasticsearch/ingest_pipeline/default.yml

Lines 53 to 55 in 80b9687

- drop:
if: "ctx.azure.springcloudlogs.category != 'SystemLogs' && ctx.azure.springcloudlogs.category != 'ApplicationConsole'"
ignore_failure: true

Should this be updated too?

@mmahacek
[azure] update event router to match *SignInLogs category
e56bc79 
This brings the event routing in line with the logic within the signinlogs data stream to only keep these documents.
@kaiyan-sheng
Copy link
Contributor

I wonder if we should consider sing-in logs all *SignInLogs log categories, @kaiyan-sheng WDYT?

@zmoog Yeah I think that's probably safer for whatever new signin logs Azure is going to add!

@mmahacek mmahacek changed the title [azure] add routing for MicrosoftServicePrincipalSignInLogs category [azure] update routing for signinlogs and springcloudlogs Oct 31, 2025
@mmahacek mmahacek requested a review from a team as a code owner October 31, 2025 18:21
@mmahacek mmahacek requested a review from a team as a code owner October 31, 2025 18:21
@mmahacek mmahacek marked this pull request as draft October 31, 2025 18:22
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @mmahacek

@mmahacek mmahacek marked this pull request as ready for review October 31, 2025 19:12
efd6
efd6 reviewed Nov 2, 2025
View reviewed changes
packages/azure/data_stream/events/elasticsearch/ingest_pipeline/default.yml
if: 'ctx.tmp_json?.category == "SignInLogs" || ctx.tmp_json?.category == "NonInteractiveUserSignInLogs" || ctx.tmp_json?.category == "ServicePrincipalSignInLogs" || ctx.tmp_json?.category == "ManagedIdentitySignInLogs"'
# Use same logic as the `signinlogs` stream that drops any document that doesn't end with `SignInLogs`.
if: 'ctx.tmp_json?.category.endsWith("SignInLogs")'
# if: 'ctx.tmp_json?.category == "SignInLogs" || ctx.tmp_json?.category == "NonInteractiveUserSignInLogs" || ctx.tmp_json?.category == "ServicePrincipalSignInLogs" || ctx.tmp_json?.category == "MicrosoftServicePrincipalSignInLogs" || ctx.tmp_json?.category == "ManagedIdentitySignInLogs"'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@mmahacek mmahacek

Labels

bugfix Pull request that fixes a bug issue documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:azure Azure Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@mmahacek @zmoog @kaiyan-sheng @elasticmachine @efd6 @andrewkroh