[azure] Add support for new Audit Log format#15841

Open
devamanv wants to merge 3 commits into elastic:main from devamanv:audit-logs-new-format-support
Conversation


@devamanv devamanv commented Nov 2, 2025

Proposed commit message

The PR adds support for the new Audit Log format as seen here.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

@devamanv devamanv self-assigned this Nov 2, 2025
@devamanv devamanv added enhancement New feature or request Integration:azure Azure Logs labels Nov 2, 2025
@devamanv devamanv requested review from a team as code owners November 2, 2025 21:07
@devamanv devamanv added the Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] label Nov 2, 2025
@devamanv devamanv requested a review from a team as a code owner November 2, 2025 21:07
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @devamanv

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Nov 3, 2025
@muthu-mps muthu-mps requested a review from lucian-ioan November 4, 2025 14:43
```yaml
    ignore_missing: true
- rename:
    field: azure.auditlogs.properties.AdditionalDetails
    target_field: azure.auditlogs.properties.additional_details_as_string
```
Contributor

Should this field be renamed to additional_details?

```yaml
    ignore_missing: true
- rename:
    field: azure.auditlogs.properties.Category
    target_field: azure.auditlogs.properties.category_code
```
Contributor

Can we adopt the same field naming pattern from Azure and convert it to snake_case? `azure.auditlogs.properties.category`

```yaml
    ignore_missing: true
- rename:
    field: azure.auditlogs.properties.ActivityDate
    target_field: azure.auditlogs.properties.activity_datetime
```
Contributor

Should this be activity_date? The below field is already processing activity_datetime.

```yaml
    field: azure.auditlogs.properties.Actor.ApplicationName
    target_field: azure.auditlogs.properties.actor.application_name
    ignore_missing: true
    if: ctx.azure?.auditlogs?.properties?.Actor?.ApplicationName != null
```
Contributor

Is there a reason to add a null check for some rename processors and not for the other processors?

```yaml
    type: keyword
    description: Name of the modified property.
  - name: new
    type: text
```
Contributor

Do you think that the value for this field will exceed the keyword limit? The same applies to `old` as well.

```json
        "33EE33AB6B081AAE8D3393611F5BEF6FF19B60489"
      ],
      "targets": {
        "0": {
```
Contributor

The targets should emit a list of modified_properties. Can you check why there is an additional value `0`? Similarly for modified_properties as well.

@botelastic

botelastic bot commented Dec 17, 2025

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Dec 17, 2025
@botelastic

botelastic bot commented Jan 16, 2026

Hi! This PR has been stale for a while and we're going to close it as part of our cleanup procedure. We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team. Feel free to re-open this PR if you think it should stay open and is worth rebasing. Thank you for your contribution!

@botelastic botelastic bot closed this Jan 16, 2026
@devamanv devamanv reopened this Jan 16, 2026
@botelastic botelastic bot removed the Stalled label Jan 16, 2026
@botelastic

botelastic bot commented Feb 15, 2026

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Feb 15, 2026