Azure Signin data => field [message] already exists

willemdh · July 12, 2021, 4:38pm

Hello,

I've seen multiple occurences in the Azure signin logs where user.name was not populated. Those documents always have an error.message containing "field [message] already exists".

This seem like a bug.. The message field in those documents apparently has the same value as the filed azure.signinlogs.result_description, for example "Users' needs to enroll for second factor authentication (interactive)."

Sounds like a bug in the pipeline to me, ok if I make a GH issue?

Best regards,

Willem

legoguy1000 · July 13, 2021, 2:56am

It's because of this, beats/pipeline.yml at 11b545a182909de2234aed8bf2916f16f2234f5e · elastic/beats · GitHub. definitely needs to be modified. Create the issue and I can fix it.

legoguy1000 · July 13, 2021, 3:21am

When u create the GitHub issue, can u share the sample log that was being parsed that caused the issue so I can test the fix actions.

willemdh · August 4, 2021, 8:06pm

Thanks!

system · September 1, 2021, 10:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat Azure module - mapper_parsing_exception for field azure.signinlogs.properties.conditional_access_audiences Beats beats-module , filebeat	1	90	June 6, 2025
Azure Filebeat User Authentications Elastic Security	1	219	November 4, 2022
Filebeat Azure plugin parsing error on azure.signinlogs.properties.authentication_requirement_policies field Beats beats-module , filebeat	1	944	January 18, 2022
Conflicts in Azure Fleet Integrations Beats filebeat , elastic-agent	4	443	October 6, 2021
Azure - Entra ID - SIgnin Logs Stopped Kibana	0	19	October 14, 2025

Azure Signin data => field [message] already exists

Related topics