Azure Activity Logs Agent Integration event message parsing and further field usage

Trying to understand where the issue is and what can be done regarding parsing and further usage of the information. Azure Activity Logs are streamed to Event Hub, from where the Standalone Agent (version 8.12.1) picks them up and ingests them into Elasticsearch.

Configured integration:

inputs:
  - id: azure-eventhub-activitylogs
    type: azure-eventhub
    use_output: default
    data_stream:
      namespace: default
    streams:
      - data_stream:
          dataset: azure.activitylogs
          type: logs
          elasticsearch:
            dynamic_dataset: true
          connection_string: "xxx"
          storage_account_container: "xxx"
          eventhub: "xxx"
          consumer_group: "xxx"
          storage_account: "xxx"
          storage_account_key: "xxx"
          tags:
            - azure-activitylogs

Trying to understand what can be done regarding the activity event message. The currently created document is not even similar to the one provided in the example: Azure Activity Logs | Documentation

Created document structure using this integration:

{
   "_index": "xxx",
   "_id": "xxx",
   "_version": 1,
   "_score": 0,
   "_source": {
      "@timestamp": "xxx",
      "event": {
         "dataset": "azure.activitylogs"
      },
      "elastic_agent": {
         "version": "8.12.1",
         "id": "xxx",
         "snapshot": false
      },
      "ecs": {
         "version": "8.0.0"
      },
      "cloud": {
         "region": "westeurope",
         "provider": "azure",
         "account": {
            "id": "xxx"
         },
         "instance": {
            "name": "xxx",
            "id": "xxx"
         },
         "machine": {
            "type": "xxx"
         },
         "service": {
            "name": "xxx"
         }
      },
      "message": "{\"ReleaseVersion\":\"xx.xx.xx\",\"RoleLocation\":\"West Europe\",\"callerIpAddress\":\"xx.xx.xxx.xxx\",\"category\":\"Administrative\",\"correlationId\":\"xxx\",\"durationMs\":\"0\",\"identity\":{\"authorization\":{\"action\":\"Microsoft.ManagedIdentity/userAssignedIdentity/write\",...}}}",
      "azure": {
         "enqued_time": "xxx",
         "eventhub": "xxx",
         "consumer_group": "$Default",
         "offset": xxxx,
         "sequence_number": xxx
      },
      "tags": [
         "azure-activitylogs"
      ],
      "data_stream": {
         "namespace": "default",
         "type": "logs",
         "dataset": "azure.activitylogs"
      },
      "agent": {
         "version": "8.12.1",
         "ephemeral_id": "xxx",
         "id": "xxx",
         "name": "xxx",
         "type": "filebeat"
      },
      "Similarly, here follows some JSON format information related to cloud, host.."
   }
}

However, something does not look right to me. What are the options to parse "message" and use its content further in dashboards? The aim of using this integration is to obtain events from Identity Management and Service Principal (configured diagnostic settings to stream Azure Activity Logs to the event hub, then the Agent picks them up). I was expecting document content similar to the example provided in the Azure Activity Logs integration documentation. Did I miss something crucial in the configuration?

How did you configure the export of the Activity Logs to Event Hub? There are multiple ways to configure it, and depending on how the export is configured the format of the data will change to one that is different from what the integration expects.

Basically you need to export using the Export Activity Logs directly to the Event Hub.

Also, I only use fleet managed, not sure how you do with standalone agents, but did you configure it to use the azure activity logs integration or the generic event hub integration?

  1. Correct, exported Activity Logs from Azure Monitor | Activity Logs as shown in your screenshot.
    Activity Logs -> Export Activity Logs -> add Diagnostic Settings selecting supported category groups -> Stream to an event hub
  2. The Standalone Agent is running on an Azure k8s cluster. In the elastic-agent.yaml file, under inputs, only the configuration for Activity Logs is provided, as in the example I shared previously. No other integrations are included. As a source reference for creating the configuration, at the very beginning I did the following:
    Visited the Kibana UI integrations section -> selected the Azure Activity Logs integration -> provided the necessary information there -> saved the configuration and, at the step to add an agent, selected "Standalone", which allows me to use the automatically generated elastic-agent.yaml.

Hi, @leandrojmp
Thinking about this case and wondering: do you have any suggestion considering the provided information? At some point I understand that it is possible to create an own pipeline, but it would lead to unnecessary costs.
What else can be done to use the Azure Activity Logs integration with the Standalone Elastic Agent that would allow obtaining the necessary message fields for dashboard creation?
Is there any other integration which would help to ingest events in the form of logs from Azure (Managed Identity, Service Principal services) into Elasticsearch?

Hello,

Sorry, just saw this today.

If you configured the export for activity logs according to the documentation and the Activity Logs integration is not working, then I think that you should open an issue on GitHub.

But another thing that I just saw now was this:

The aim of this integration usage is to obtain events from Identity Management, Service Principal (configured diagnostic settings to stream Azure Activity Logs to event hub, then Agent picks them up)

You are talking about audit logs for Management accounts, service principals etc.? Like logins and things like that?

If I'm not wrong for this you need to use the Azure AD integration, not the Activity Log integration.

Can you share the export you configured showing the tables that are currently being exported to your event hub?

@leandrojmp The following Logs categories are streamed to an event hub.

The idea of it is to use and visualize, for example, Azure Activity Logs entries, Activity Logs by Status, Activity Logs by resource, etc. Basically everything that would help to monitor usage/activity for services such as Managed Identity, Service Principal. Since Azure does not offer metric events for them, any event coming in a form of logs could be used to do it.

Hi @s.buksa and @leandrojmp

I think there is a fundamental configuration issue that is resulting in the message not being correctly processed/decoded.

Yes, this should be easier... but this is the current state of self-managed ...

First, perhaps you have already, or perhaps you have not, but I highly suggest you read this closely:

consumer_group : string The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. Default value: $Default

storage_account_container : string The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See Container Names for details on naming rules from Microsoft. The integration generates a default container name if not specified.

If you go to...

https://<yourkibana>:<port>/app/integrations/detail/azure-1.11.0/configs

There are sample configs with instructions to use...

View sample configurations for each of the Azure Logs integration's data streams below. Copy/paste this YML into your elastic-agent.yml file or into a file within your inputs.d directory. For more information, see the Fleet and Elastic Agent Guide

You can add this to the tags to keep the original events

preserve_original_event

inputs:
  - id: azure-eventhub-azure.eventhub
    type: azure-eventhub
    data_stream:
      dataset: azure.eventhub
    consumer_group: $Default
    tags:
      - azure-eventhub
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.auditlogs
    type: azure-eventhub
    data_stream:
      dataset: azure.auditlogs
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-auditlogs
      - forwarded
      - preserve_original_event
    publisher_pipeline.disable_host: true
    sanitize_options: null

Here is the full config from the integration page

inputs:
  - id: azure-eventhub-azure.eventhub
    type: azure-eventhub
    data_stream:
      dataset: azure.eventhub
    consumer_group: $Default
    tags:
      - azure-eventhub
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.auditlogs
    type: azure-eventhub
    data_stream:
      dataset: azure.auditlogs
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-auditlogs
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.identity_protection
    type: azure-eventhub
    data_stream:
      dataset: azure.identity_protection
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-identity-protection-logs
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.provisioning
    type: azure-eventhub
    data_stream:
      dataset: azure.provisioning
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-provisioning-logs
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.signinlogs
    type: azure-eventhub
    data_stream:
      dataset: azure.signinlogs
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-signinlogs
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.platformlogs
    type: azure-eventhub
    data_stream:
      dataset: azure.platformlogs
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-platformlogs
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.activitylogs
    type: azure-eventhub
    data_stream:
      dataset: azure.activitylogs
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-activitylogs
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.graphactivitylogs
    type: azure-eventhub
    data_stream:
      dataset: azure.graphactivitylogs
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-graphactivitylogs
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.springcloudlogs
    type: azure-eventhub
    data_stream:
      dataset: azure.springcloudlogs
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-springcloudlogs
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.firewall_logs
    type: azure-eventhub
    data_stream:
      dataset: azure.firewall_logs
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-firewall
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null
  - id: azure-eventhub-azure.application_gateway
    type: azure-eventhub
    data_stream:
      dataset: azure.application_gateway
      type: logs
      elasticsearch:
        dynamic_dataset: true
        dynamic_namespace: true
    consumer_group: $Default
    tags:
      - azure-application-gateway-logs
      - forwarded
    publisher_pipeline.disable_host: true
    sanitize_options: null

You can also look at the code which is a templatized representation.
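A small check for the dedicated-container rule quoted in the post above (one storage account container per Azure log type), written as an added example that is not code from this thread or from the Azure integration. It assumes the elastic-agent.yml has already been loaded into Python dicts, and the input ids and container names in the sample are constructed.

```python
"""Check an Elastic Agent standalone config for azure-eventhub inputs that
reuse one checkpoint container for more than one Azure log type."""
from collections import defaultdict

# Constructed config: the parsed form of an elastic-agent.yml 'inputs' block.
# In practice load the YAML with a YAML library; plain dicts keep this stdlib-only.
SAMPLE_CONFIG = {
    "inputs": [
        {
            "id": "azure-eventhub-activitylogs",
            "type": "azure-eventhub",
            "consumer_group": "$Default",
            "streams": [
                {"data_stream": {"dataset": "azure.activitylogs", "type": "logs"},
                 "storage_account_container": "filebeat-checkpoints"},
            ],
        },
        {
            "id": "azure-eventhub-signinlogs",
            "type": "azure-eventhub",
            "consumer_group": "$Default",
            "storage_account_container": "filebeat-checkpoints",  # reused: violates the rule
            "streams": [{"data_stream": {"dataset": "azure.signinlogs", "type": "logs"}}],
        },
    ]
}

def eventhub_datasets(config):
    """Yield (dataset, container) per azure-eventhub stream; stream-level keys
    override input-level keys, so both layouts seen in the thread are handled."""
    for inp in config.get("inputs", []):
        if inp.get("type") != "azure-eventhub":
            continue
        for stream in inp.get("streams") or [{}]:
            merged = {**inp, **stream}
            dataset = (stream.get("data_stream") or inp.get("data_stream") or {}).get("dataset")
            yield dataset, merged.get("storage_account_container")

def shared_containers(config):
    """Return {container: sorted datasets} for containers used by more than one log type."""
    by_container = defaultdict(set)
    for dataset, container in eventhub_datasets(config):
        if container is not None:  # unset: the integration generates a default name
            by_container[container].add(dataset)
    return {c: sorted(d) for c, d in by_container.items() if len(d) > 1}

if __name__ == "__main__":
    for container, datasets in shared_containers(SAMPLE_CONFIG).items():
        print(f"container {container!r} is reused by: {', '.join(datasets)}")
```

Run it against your own parsed config; an empty result means every azure-eventhub stream checkpoints into its own container.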