Azure Signin data => field [message] already exists


I've seen multiple occurences in the Azure signin logs where was not populated. Those documents always have an error.message containing "field [message] already exists".

This seem like a bug.. The message field in those documents apparently has the same value as the filed azure.signinlogs.result_description, for example "Users' needs to enroll for second factor authentication (interactive)."

Sounds like a bug in the pipeline to me, ok if I make a GH issue?

Best regards,


It's because of this, beats/pipeline.yml at 11b545a182909de2234aed8bf2916f16f2234f5e · elastic/beats · GitHub. definitely needs to be modified. Create the issue and I can fix it.

When u create the GitHub issue, can u share the sample log that was being parsed that caused the issue so I can test the fix actions.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.