Skip to content

[azure logs] Add support for body.structured logs events from azurelogs encoding extension (OTel) #15891

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

[azure logs] Add support for body.structured logs events from azurelogs encoding extension (OTel) #15891

wants to merge 2 commits into from
+76 −1

Conversation

@zmoog
Copy link
Contributor

@zmoog zmoog commented Nov 6, 2025

Proposed commit message

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@zmoog zmoog self-assigned this Nov 6, 2025
@zmoog zmoog added Integration:azure Azure Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] labels Nov 6, 2025
@zmoog
Copy link
Contributor Author

zmoog commented Nov 6, 2025

Quick test using the Dev Tools:

Send a ResourceHealth log event as a JSON string inside message field:

POST logs-azure.events-default/_doc
{
  "@timestamp": "2025-11-06T21:44:43+01:00",
  "message": """{"category":"ResourceHealth","correlationId":"1c867fe2-050c-4a74-bb1c-a83b15246fdd","level":"Information","operationName":"Microsoft.Resourcehealth/healthevent/Updated/action","properties":{"eventCategory":"ResourceHealth","eventProperties":{"cause":"PlatformInitiated"}},"resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration","resultType":"Updated","time":"2021-05-25T22:04:07.22Z"}"""
}

Send a ResourceHealth log event as an object inside body.structured field:

POST logs-azure.events-default/_doc
{
  "@timestamp": "2025-11-06T21:44:43+01:00",
  "body": {
    "structured": {
      "category": "ResourceHealth",
      "correlationId": "1c867fe2-050c-4a74-bb1c-a83b15246fdd",
      "level": "Information",
      "operationName": "Microsoft.Resourcehealth/healthevent/Updated/action",
      "properties": {
        "eventCategory": "ResourceHealth",
        "eventProperties": {
          "cause": "PlatformInitiated"
        }
      },
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration",
      "resultType": "Updated",
      "time": "2021-05-25T22:04:07.22Z"
    }
  }
}

GET logs-azure.activitylogs-default/_search
JSON string inside `message` field 
{
    "took": 0,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 1,
            "relation": "eq"
        },
        "max_score": 1,
        "hits": [
            {
                "_index": ".ds-logs-azure.activitylogs-default-2025.11.06-000001",
                "_id": "OTH6WpoBGriDMOmNWcJf",
                "_score": 1,
                "_source": {
                    "cloud": {
                        "provider": "azure"
                    },
                    "@timestamp": "2021-05-25T22:04:07.220Z",
                    "ecs": {
                        "version": "8.11.0"
                    },
                    "related": {
                        "entity": [
                            "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration"
                        ]
                    },
                    "log": {
                        "level": "Information"
                    },
                    "data_stream": {
                        "namespace": "default",
                        "type": "logs",
                        "dataset": "azure.activitylogs"
                    },
                    "event": {
                        "agent_id_status": "missing",
                        "ingested": "2025-11-06T21:02:27Z",
                        "kind": "event",
                        "action": "Microsoft.Resourcehealth/healthevent/Updated/action",
                        "dataset": "azure.activitylogs"
                    },
                    "azure": {
                        "subscription_id": "00000000-0000-0000-0000-000000000000",
                        "resource": {
                            "provider": "Microsoft.domainRegistration",
                            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration"
                        },
                        "correlation_id": "1c867fe2-050c-4a74-bb1c-a83b15246fdd",
                        "activitylogs": {
                            "operation_name": "Microsoft.Resourcehealth/healthevent/Updated/action",
                            "result_type": "Updated",
                            "category": "ResourceHealth",
                            "event_category": "ResourceHealth",
                            "properties": {
                                "eventProperties": {
                                    "cause": "PlatformInitiated"
                                }
                            }
                        }
                    }
                }
            }
        ]
    }
}
object inside `body.structured` field 
{
    "took": 0,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 1,
            "relation": "eq"
        },
        "max_score": 1,
        "hits": [
            {
                "_index": ".ds-logs-azure.activitylogs-default-2025.11.06-000001",
                "_id": "bzH9WpoBGriDMOmN3MIt",
                "_score": 1,
                "_source": {
                    "cloud": {
                        "provider": "azure"
                    },
                    "@timestamp": "2021-05-25T22:04:07.220Z",
                    "ecs": {
                        "version": "8.11.0"
                    },
                    "related": {
                        "entity": [
                            "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration"
                        ]
                    },
                    "log": {
                        "level": "Information"
                    },
                    "data_stream": {
                        "namespace": "default",
                        "type": "logs",
                        "dataset": "azure.activitylogs"
                    },
                    "event": {
                        "agent_id_status": "missing",
                        "ingested": "2025-11-06T21:06:17Z",
                        "kind": "event",
                        "action": "Microsoft.Resourcehealth/healthevent/Updated/action",
                        "dataset": "azure.activitylogs"
                    },
                    "azure": {
                        "subscription_id": "00000000-0000-0000-0000-000000000000",
                        "resource": {
                            "provider": "Microsoft.domainRegistration",
                            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration"
                        },
                        "correlation_id": "1c867fe2-050c-4a74-bb1c-a83b15246fdd",
                        "activitylogs": {
                            "operation_name": "Microsoft.Resourcehealth/healthevent/Updated/action",
                            "result_type": "Updated",
                            "category": "ResourceHealth",
                            "event_category": "ResourceHealth",
                            "properties": {
                                "eventProperties": {
                                    "cause": "PlatformInitiated"
                                }
                            }
                        }
                    }
                }
            }
        ]
    }
}

The search, save the result in two files, and compare them:

diff message.json body.structured.json
19c19
<                 "_id": "OTH6WpoBGriDMOmNWcJf",
---
>                 "_id": "bzH9WpoBGriDMOmN3MIt",
44c44
<                         "ingested": "2025-11-06T21:02:27Z",
---
>                         "ingested": "2025-11-06T21:06:17Z",
``

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Nov 6, 2025
edited
Loading

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@kaiyan-sheng
Copy link
Contributor

kaiyan-sheng commented Nov 10, 2025

The result comparison looks great! I assume we have a separate PR for routing documents from logs-azure.resourcelogs-default to the correct data streams based on log type?

@zmoog
Copy link
Contributor Author

zmoog commented Nov 13, 2025

The result comparison looks great! I assume we have a separate PR for routing documents from logs-azure.resourcelogs-default to the correct data streams based on log type?

Yep, users can route log events encoded by the azurelogs translator to the Azure Logs integration using something like #15953

@elasticmachine
Copy link

elasticmachine commented Nov 13, 2025

💚 Build Succeeded

History

cc @zmoog

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@zmoog zmoog

Labels

Integration:azure Azure Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zmoog @kaiyan-sheng @elasticmachine