Skip to content

[azure logs] Fix sign-in logs category check#17027

Merged
zmoog merged 3 commits intomainfrom
zmoog/azure/events/fix-signin-logs-category-check
Jan 23, 2026
Merged

[azure logs] Fix sign-in logs category check#17027
zmoog merged 3 commits intomainfrom
zmoog/azure/events/fix-signin-logs-category-check

Conversation

@zmoog
Copy link
Contributor

@zmoog zmoog commented Jan 21, 2026
edited
Loading

Proposed commit message

Add an explicit check on ctx.routing?.category to make sure it's not null before calling the endsWith("SignInLogs") method.

We can't assume category is always set.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Related issues

@zmoog
Fix sign-in logs category check
4e5574b 
We can't assume category will not be null.
@zmoog zmoog self-assigned this Jan 21, 2026
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Jan 21, 2026

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@zmoog
Check null before calling a method
7485aea 
The `?` seems to work when checking field access, but not when
checking field access 🤔
@zmoog zmoog added Integration:azure Azure Logs bugfix Pull request that fixes a bug issue Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] labels Jan 21, 2026
@zmoog zmoog marked this pull request as ready for review January 21, 2026 17:50
@zmoog zmoog requested a review from a team as a code owner January 21, 2026 17:50
@zmoog zmoog requested review from a team as code owners January 21, 2026 17:53
@elasticmachine
Copy link

elasticmachine commented Jan 21, 2026

💚 Build Succeeded

History

cc @zmoog

@zmoog zmoog added Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jan 21, 2026
@elasticmachine
Copy link

elasticmachine commented Jan 21, 2026

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

efd6
efd6 approved these changes Jan 22, 2026
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit only

packages/azure/data_stream/events/elasticsearch/ingest_pipeline/default.yml
value: azure.signinlogs
# Use same logic as the `signinlogs` stream that drops any document that doesn't end with `SignInLogs`.
if: 'ctx.routing?.category.endsWith("SignInLogs")'
if: 'ctx.routing?.category != null && ctx.routing?.category.endsWith("SignInLogs")'
Copy link
Contributor

@efd6 efd6 Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if: 'ctx.routing?.category != null && ctx.routing?.category.endsWith("SignInLogs")'
if: 'ctx.routing?.category != null && ctx.routing.category.endsWith("SignInLogs")'

Copy link
Contributor Author

@zmoog zmoog Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this pipeline guarantee the routing field? It looks like it might be optional here.

Copy link
Contributor

@mykola-elastic mykola-elastic Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we remove the question mark then we would need to add ctx.routing != null in the beginning and remove all question marks.

I think we should keep it as it is in the PR now

muthu-mps
muthu-mps reviewed Jan 22, 2026
View reviewed changes
packages/azure/data_stream/events/elasticsearch/ingest_pipeline/default.yml
value: azure.signinlogs
# Use same logic as the `signinlogs` stream that drops any document that doesn't end with `SignInLogs`.
if: 'ctx.routing?.category.endsWith("SignInLogs")'
if: 'ctx.routing?.category != null && ctx.routing?.category.endsWith("SignInLogs")'
Copy link
Contributor

@muthu-mps muthu-mps Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are not processing the logs with no category then should we drop the event which doesn't have category?

Copy link
Contributor Author

@zmoog zmoog Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Um, I think we keep the log events.

Two reasons:

  • Azure has been inconsistent in naming the field that contains the log category. So far we know they mostly usage category, but also found Category and CategoryValue in the wild. So I guess an suboptimal indexing is better than losing the log event.
  • custom routing: we recently added routing.category as candidate field for custom routing, but users may want to customize the routing based on other criteria and fields. If we drop the log event in the main pipeline, it will never reach the custom pipeline.

@zmoog zmoog merged commit bab3bcf into main Jan 23, 2026
8 checks passed
@zmoog zmoog deleted the zmoog/azure/events/fix-signin-logs-category-check branch January 23, 2026 08:29
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Jan 23, 2026

Package azure - 1.35.1 containing this change is available at https://epr.elastic.co/package/azure/1.35.1/

jakubgalecki0 pushed a commit to jakubgalecki0/integrations that referenced this pull request Feb 19, 2026
@zmoog @jakubgalecki0
[azure logs] Fix sign-in logs category check (elastic#17027)
6ae3439 
Add an explicit check on ctx.routing?.category to make sure it's not null before calling the endsWith("SignInLogs") method.

We can't assume category is always set.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kavindu-Dodan Kavindu-Dodan Kavindu-Dodan approved these changes

@efd6 efd6 efd6 approved these changes

@muthu-mps muthu-mps muthu-mps approved these changes

@mykola-elastic mykola-elastic mykola-elastic approved these changes

Assignees

@zmoog zmoog

Labels

bugfix Pull request that fixes a bug issue Integration:azure Azure Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Azure Logs]: Null def reference on set processor

6 participants

@zmoog @elasticmachine @Kavindu-Dodan @efd6 @muthu-mps @mykola-elastic