[Azure Logs]: AzureFirewallNetworkRuleLog - Provided Grok expressions do not match field value #13096

@msafdal

Description

Integration Name

Azure Logs [azure]

Dataset Name

azure.firewall_logs

Integration Version

1.23.0

Agent Version

8.17.2

Agent Output Type

elasticsearch

Elasticsearch Version

8.17.2

OS Version and Architecture

Ubuntu 22.04.5 LTS

Software/API Version

N/A

Error Message

Provided Grok expressions do not match field value: [TCP request from xx.xx.xx.xx:xxxxx to xx.xx.xx.xx:xxx. Action: Allow.. Rule Collection: Permit_RFC1918. Rule: Permit_RFC1918] conditional

Event Original

{"category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog","properties":{"msg":"TCP request from xx.xx.xx.xx:xxxxx to xx.xx.xx.xx:xxx. Action: Allow.. Rule Collection: Permit_RFC1918. Rule: Permit_RFC1918"},"resourceId":"/SUBSCRIPTIONS/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/RESOURCEGROUPS/RG-XXXXX-001/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/FW-XXXXX-001","time":"2025-03-13T07:11:59.992099+00:00"}

What did you do?

Activated the Collect Azure Firewall Network rule logs using azure-eventhub input.

What did you see?

Some AzureFirewallNetworkRuleLog events were not parsed correctly.

What did you expect to see?

Expected the message to be parsed.

Anything else?

Workaround: added the following grok pattern to the "first" grok processor from the top in the logs-azure.firewall_logs-1.23.0 pipeline.

Grok pattern:

^%{DATA:azure.firewall.proto} request from %{IPORHOST:source.address}:%{NUMBER:source.port:long} to %{IPORHOST:destination.address}:%{NUMBER:destination.port:long}\. Action: %{DATA:azure.firewall.action}\.\. Rule Collection: %{DATA:rule.ruleset}\. Rule: %{DATA:rule.name}$
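To check that the workaround pattern matches a message of the reported shape without an Elasticsearch node, the following is an added Python example (not part of the issue or the Azure Logs integration) that expands the grok macros into a plain regex. The IPORHOST, NUMBER and DATA expansions are simplified assumptions, and the sample message is constructed with placeholder addresses.

```python
import re
from typing import Optional

# Approximate expansions of the grok macros used in the workaround pattern
# (assumption: IPORHOST = IPv4 address or hostname, NUMBER = digits, DATA = lazy ".*?").
IPORHOST = r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+)"

# Regex equivalent of the workaround grok pattern; literal dots are escaped,
# including the double dot that follows the Action value in the reported message.
NETWORK_RULE_RE = re.compile(
    r"^(?P<proto>.*?) request from "
    rf"(?P<src_addr>{IPORHOST}):(?P<src_port>\d+) to "
    rf"(?P<dst_addr>{IPORHOST}):(?P<dst_port>\d+)\. "
    r"Action: (?P<action>.*?)\.\. "
    r"Rule Collection: (?P<ruleset>.*?)\. "
    r"Rule: (?P<rule>.*?)$"
)


def parse_network_rule_msg(msg: str) -> Optional[dict]:
    """Return ECS-style fields for an AzureFirewallNetworkRuleLog msg,
    or None when the pattern does not match (the case that raised the
    'Provided Grok expressions do not match field value' error)."""
    m = NETWORK_RULE_RE.match(msg)
    if m is None:
        return None
    return {
        "azure.firewall.proto": m["proto"],
        "source.address": m["src_addr"],
        "source.port": int(m["src_port"]),
        "destination.address": m["dst_addr"],
        "destination.port": int(m["dst_port"]),
        "azure.firewall.action": m["action"],
        "rule.ruleset": m["ruleset"],
        "rule.name": m["rule"],
    }


# Constructed sample with the same shape as the msg in the bug report
# (RFC 1918 placeholder addresses, not real hosts).
SAMPLE_MSG = (
    "TCP request from 10.0.1.4:51234 to 10.0.2.5:443. Action: Allow.. "
    "Rule Collection: Permit_RFC1918. Rule: Permit_RFC1918"
)

if __name__ == "__main__":
    print(parse_network_rule_msg(SAMPLE_MSG))
```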

Metadata

Labels

Integration:azure (Azure Logs)
Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations])
Team:Sit-Crest (Crest developers on the Security Integrations team [elastic/sit-crest-contractors])
needs:triage
