Skip to content

[azure] update routing for signinlogs and springcloudlogs#15807

Merged
mmahacek merged 20 commits intomainfrom
mm/azure-aad-signin
Dec 17, 2025
Merged

[azure] update routing for signinlogs and springcloudlogs#15807
mmahacek merged 20 commits intomainfrom
mm/azure-aad-signin

Conversation

@mmahacek
Copy link
Contributor

@mmahacek mmahacek commented Oct 29, 2025

Proposed commit message

Fix for routing Azure signinlogs from Azure AD.

The "Windows Azure Active Directory" resource generates logs with the category MicrosoftServicePrincipalSignInLogs. When using the Azure Events v2 stream, these are handled as platform logs instead of as signinLogs. This PR adds routing to flag these events as the correct dataset.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Ingest data with a {"category":"MicrosoftServicePrincipalSignInLogs"} and verify the document ends up in the signinlogs dataset.

Related issues

Screenshots

@mmahacek mmahacek self-assigned this Oct 29, 2025
@mmahacek mmahacek requested review from a team as code owners October 29, 2025 18:00
@mmahacek mmahacek added Integration:azure Azure Logs bugfix Pull request that fixes a bug issue Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] labels Oct 29, 2025
@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Oct 30, 2025
efd6
efd6 reviewed Oct 30, 2025
View reviewed changes
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Oct 30, 2025
edited
Loading

🚀 Benchmarks report

Package azure 👍(2) 💚(5) 💔(5)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
signinlogs 2583.98 2004.01 -579.97 (-22.44%) 💔
springcloudlogs 8064.52 5464.48 -2600.04 (-32.24%) 💔
eventhub 500000 250000 -250000 (-50%) 💔
identity_protection 6666.67 4784.69 -1881.98 (-28.23%) 💔
platformlogs 5263.16 4273.5 -989.66 (-18.8%) 💔

To see the full report comment with /test benchmark fullreport

@zmoog
Copy link
Contributor

zmoog commented Oct 31, 2025

Hey @mmahacek, thanks for contributing this update!

I wonder if we should consider sing-in logs all *SignInLogs log categories, @kaiyan-sheng WDYT?

@andrewkroh andrewkroh added the Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] label Oct 31, 2025
@mmahacek
Copy link
Contributor Author

mmahacek commented Oct 31, 2025
edited
Loading

The signinlogs pipeline does drop any non "*signinlogs" before processing, so this does make some sense.

https://github.com/elastic/integrations/blob/main/packages/azure/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml#L46-L48

@mmahacek
Copy link
Contributor Author

mmahacek commented Oct 31, 2025

While I'm updating routing rules, I notice that the router for springcloudlogs has a few different values:

integrations/packages/azure/data_stream/events/elasticsearch/ingest_pipeline/default.yml

Lines 106 to 110 in 80b9687

- set:
field: event.dataset
value: azure.springcloudlogs
if: 'ctx.tmp_json?.category == "ApplicationConsole" || ctx.tmp_json?.category == "SystemLogs" || ctx.tmp_json?.category == "IngressLogs" || ctx.tmp_json?.category == "BuildLogs" || ctx.tmp_json?.category == "ContainerEventLogs"'
description: 'Azure Spring Apps log categories (refs: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-logs/microsoft-appplatform-spring-logs)'

But the pipeline for that dataset only keeps two of the values:

integrations/packages/azure/data_stream/springcloudlogs/elasticsearch/ingest_pipeline/default.yml

Lines 53 to 55 in 80b9687

- drop:
if: "ctx.azure.springcloudlogs.category != 'SystemLogs' && ctx.azure.springcloudlogs.category != 'ApplicationConsole'"
ignore_failure: true

Should this be updated too?

@mmahacek
[azure] update event router to match *SignInLogs category
e56bc79 
This brings the event routing in line with the logic within the signinlogs data stream to only keep these documents.
@kaiyan-sheng
Copy link
Contributor

kaiyan-sheng commented Oct 31, 2025

I wonder if we should consider sing-in logs all *SignInLogs log categories, @kaiyan-sheng WDYT?

@zmoog Yeah I think that's probably safer for whatever new signin logs Azure is going to add!

@mmahacek mmahacek changed the title [azure] add routing for MicrosoftServicePrincipalSignInLogs category [azure] update routing for signinlogs and springcloudlogs Oct 31, 2025
@mmahacek mmahacek requested a review from a team as a code owner October 31, 2025 18:21
@mmahacek mmahacek requested a review from a team as a code owner October 31, 2025 18:21
@mmahacek mmahacek marked this pull request as draft October 31, 2025 18:22
@mmahacek mmahacek marked this pull request as ready for review October 31, 2025 19:12
@mmahacek
Copy link
Contributor Author

mmahacek commented Nov 6, 2025

😅 Another update came in for this integration. Pushing a version bump - should be no other functional changes.

@mmahacek mmahacek enabled auto-merge (squash) November 6, 2025 17:38
@mmahacek
Copy link
Contributor Author

mmahacek commented Nov 6, 2025

@elastic/obs-ds-hosted-services This is ready for a code owners approval. Thanks in advance!

kaiyan-sheng
kaiyan-sheng reviewed Nov 10, 2025
View reviewed changes
@rwestECI
Copy link

rwestECI commented Nov 25, 2025

Any update here guys? My org is the one who reported this and needs it resolved.

@rwestECI
Copy link

rwestECI commented Dec 16, 2025

Still waiting for this to be merged.

@btrieger
Copy link
Contributor

btrieger commented Dec 16, 2025

#16538 which I have added adds another source type for a SignInLog. Can modify my PR after this is merged to only add the new fields.

@elasticmachine
Copy link

elasticmachine commented Dec 17, 2025

💚 Build Succeeded

History

cc @mmahacek

@mmahacek mmahacek merged commit ba2714f into main Dec 17, 2025
8 checks passed
@mmahacek mmahacek deleted the mm/azure-aad-signin branch December 17, 2025 21:02
@mmahacek mmahacek mentioned this pull request Dec 17, 2025
Open
5 tasks
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Dec 17, 2025

Package azure - 1.32.0 containing this change is available at https://epr.elastic.co/package/azure/1.32.0/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaiyan-sheng kaiyan-sheng kaiyan-sheng left review comments

@efd6 efd6 efd6 left review comments

@zmoog zmoog zmoog approved these changes

@ishleenk17 ishleenk17 ishleenk17 approved these changes

@mykola-elastic mykola-elastic mykola-elastic approved these changes

Assignees

@mmahacek mmahacek

Labels

bugfix Pull request that fixes a bug issue documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:azure Azure Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@mmahacek @zmoog @kaiyan-sheng @rwestECI @btrieger @elasticmachine @efd6 @ishleenk17 @mykola-elastic @andrewkroh