Skip to content

[azure logs] Add support for body.structured logs events from azurelogs encoding extension (OTel) #15891

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[azure logs] Add support for body.structured logs events from azurelogs encoding extension (OTel) #15891

wants to merge 1 commit into from
+36 −1

Conversation

@zmoog
Copy link
Contributor

@zmoog zmoog commented Nov 6, 2025

Proposed commit message

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@zmoog zmoog self-assigned this Nov 6, 2025
@zmoog zmoog added Integration:azure Azure Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] labels Nov 6, 2025
@zmoog
Copy link
Contributor Author

zmoog commented Nov 6, 2025

Quick test using the Dev Tools:

Send a ResourceHealth log event as a JSON string inside message field:

POST logs-azure.events-default/_doc
{
  "@timestamp": "2025-11-06T21:44:43+01:00",
  "message": """{"category":"ResourceHealth","correlationId":"1c867fe2-050c-4a74-bb1c-a83b15246fdd","level":"Information","operationName":"Microsoft.Resourcehealth/healthevent/Updated/action","properties":{"eventCategory":"ResourceHealth","eventProperties":{"cause":"PlatformInitiated"}},"resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration","resultType":"Updated","time":"2021-05-25T22:04:07.22Z"}"""
}

Send a ResourceHealth log event as an object inside body.structured field:

POST logs-azure.events-default/_doc
{
  "@timestamp": "2025-11-06T21:44:43+01:00",
  "body": {
    "structured": {
      "category": "ResourceHealth",
      "correlationId": "1c867fe2-050c-4a74-bb1c-a83b15246fdd",
      "level": "Information",
      "operationName": "Microsoft.Resourcehealth/healthevent/Updated/action",
      "properties": {
        "eventCategory": "ResourceHealth",
        "eventProperties": {
          "cause": "PlatformInitiated"
        }
      },
      "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration",
      "resultType": "Updated",
      "time": "2021-05-25T22:04:07.22Z"
    }
  }
}

GET logs-azure.activitylogs-default/_search
JSON string inside `message` field 
{
    "took": 0,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 1,
            "relation": "eq"
        },
        "max_score": 1,
        "hits": [
            {
                "_index": ".ds-logs-azure.activitylogs-default-2025.11.06-000001",
                "_id": "OTH6WpoBGriDMOmNWcJf",
                "_score": 1,
                "_source": {
                    "cloud": {
                        "provider": "azure"
                    },
                    "@timestamp": "2021-05-25T22:04:07.220Z",
                    "ecs": {
                        "version": "8.11.0"
                    },
                    "related": {
                        "entity": [
                            "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration"
                        ]
                    },
                    "log": {
                        "level": "Information"
                    },
                    "data_stream": {
                        "namespace": "default",
                        "type": "logs",
                        "dataset": "azure.activitylogs"
                    },
                    "event": {
                        "agent_id_status": "missing",
                        "ingested": "2025-11-06T21:02:27Z",
                        "kind": "event",
                        "action": "Microsoft.Resourcehealth/healthevent/Updated/action",
                        "dataset": "azure.activitylogs"
                    },
                    "azure": {
                        "subscription_id": "00000000-0000-0000-0000-000000000000",
                        "resource": {
                            "provider": "Microsoft.domainRegistration",
                            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration"
                        },
                        "correlation_id": "1c867fe2-050c-4a74-bb1c-a83b15246fdd",
                        "activitylogs": {
                            "operation_name": "Microsoft.Resourcehealth/healthevent/Updated/action",
                            "result_type": "Updated",
                            "category": "ResourceHealth",
                            "event_category": "ResourceHealth",
                            "properties": {
                                "eventProperties": {
                                    "cause": "PlatformInitiated"
                                }
                            }
                        }
                    }
                }
            }
        ]
    }
}
object inside `body.structured` field 
{
    "took": 0,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 1,
            "relation": "eq"
        },
        "max_score": 1,
        "hits": [
            {
                "_index": ".ds-logs-azure.activitylogs-default-2025.11.06-000001",
                "_id": "bzH9WpoBGriDMOmN3MIt",
                "_score": 1,
                "_source": {
                    "cloud": {
                        "provider": "azure"
                    },
                    "@timestamp": "2021-05-25T22:04:07.220Z",
                    "ecs": {
                        "version": "8.11.0"
                    },
                    "related": {
                        "entity": [
                            "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration"
                        ]
                    },
                    "log": {
                        "level": "Information"
                    },
                    "data_stream": {
                        "namespace": "default",
                        "type": "logs",
                        "dataset": "azure.activitylogs"
                    },
                    "event": {
                        "agent_id_status": "missing",
                        "ingested": "2025-11-06T21:06:17Z",
                        "kind": "event",
                        "action": "Microsoft.Resourcehealth/healthevent/Updated/action",
                        "dataset": "azure.activitylogs"
                    },
                    "azure": {
                        "subscription_id": "00000000-0000-0000-0000-000000000000",
                        "resource": {
                            "provider": "Microsoft.domainRegistration",
                            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.domainRegistration"
                        },
                        "correlation_id": "1c867fe2-050c-4a74-bb1c-a83b15246fdd",
                        "activitylogs": {
                            "operation_name": "Microsoft.Resourcehealth/healthevent/Updated/action",
                            "result_type": "Updated",
                            "category": "ResourceHealth",
                            "event_category": "ResourceHealth",
                            "properties": {
                                "eventProperties": {
                                    "cause": "PlatformInitiated"
                                }
                            }
                        }
                    }
                }
            }
        ]
    }
}

The search, save the result in two files, and compare them:

diff message.json body.structured.json
19c19
<                 "_id": "OTH6WpoBGriDMOmNWcJf",
---
>                 "_id": "bzH9WpoBGriDMOmN3MIt",
44c44
<                         "ingested": "2025-11-06T21:02:27Z",
---
>                         "ingested": "2025-11-06T21:06:17Z",
``

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Nov 6, 2025

🚀 Benchmarks report

Package azure 👍(9) 💚(2) 💔(1)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
platformlogs 5076.14 4273.5 -802.64 (-15.81%) 💔

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link

elasticmachine commented Nov 6, 2025

💚 Build Succeeded

cc @zmoog

@kaiyan-sheng
Copy link
Contributor

kaiyan-sheng commented Nov 10, 2025

The result comparison looks great! I assume we have a separate PR for routing documents from logs-azure.resourcelogs-default to the correct data streams based on log type?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@zmoog zmoog

Labels

Integration:azure Azure Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zmoog @elasticmachine @kaiyan-sheng