Grok error in official Azure integration


The Azure integration currently (I'm using 8.7.0) fails to ingest some Azure Activity Logs with IPv6 source addresses. The reason is this processor:

- grok:
    field: azure.activitylogs.callerIpAddress
    patterns:
      - \[%{IPORHOST:source.ip}\]:%{INT:source.port:int}
      - "%{IPORHOST:source.ip}:%{INT:source.port:int}"
      - "%{IPORHOST:source.ip}"
    ignore_missing: true
    ignore_failure: true

Given a CallerIPAddress of 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the second GROK pattern will match, yielding:

  "source": {
    "port": 0,
    "ip": "2001"
  }

This document fails to ingest because '2001' is not an IP string literal.

I solved it by changing the order of the patterns and checking for the plain %{IPORHOST:source.ip} first.

Am I getting this right? Should I open a bug report on github?
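To make the failure mode concrete, here is an added example (my own code, not the Azure integration's pipeline or the fix discussed in the linked pull request) that parses a callerIpAddress value the way an ingest step would need to: try the anchored "[ipv6]:port" and "ipv4:port" shapes first, fall back to treating the whole string as an address, and validate the result with the stdlib ipaddress module so an unbracketed IPv6 address is never split at its first colon. The sample values and the parse_caller_ip / check_all names are constructed for this illustration.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample callerIpAddress values and the result each should produce
# (canonical IP text, port or None). Not taken from a real Activity Log.
SAMPLES = {
    "2001:0db8:85a3:0000:0000:8a2e:0370:7334": ("2001:db8:85a3::8a2e:370:7334", None),
    "[2001:db8::1]:51234": ("2001:db8::1", 51234),
    "203.0.113.7:443": ("203.0.113.7", 443),
    "203.0.113.7": ("203.0.113.7", None),
}

# Both patterns are anchored at both ends, so "ipv4:port" can only match a
# dotted-quad followed by a port; a bare IPv6 address never satisfies either
# and therefore falls through to the whole-string branch below.
_BRACKETED_V6 = re.compile(r"^\[(?P<ip>[^\]]+)\]:(?P<port>\d{1,5})$")
_V4_PORT = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")


def parse_caller_ip(value: str) -> Optional[dict]:
    """Return {"ip": <canonical address>, "port": <int or None>}.

    Returns None when the value is not a valid address (with optional port),
    which is exactly the case in which the ingest pipeline would otherwise
    reject the document for an ip-typed field.
    """
    value = value.strip()
    m = _BRACKETED_V6.match(value) or _V4_PORT.match(value)
    if m:
        ip_text, port = m.group("ip"), int(m.group("port"))
        if not 0 <= port <= 65535:
            return None
    else:
        ip_text, port = value, None
    try:
        # ipaddress rejects things like "2001" that a host-name pattern accepts.
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return {"ip": str(ip), "port": port}


def check_all() -> bool:
    """Run every constructed sample through the parser; True if all agree."""
    for raw, (want_ip, want_port) in SAMPLES.items():
        got = parse_caller_ip(raw)
        if got is None or got["ip"] != want_ip or got["port"] != want_port:
            return False
    return True


if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:45} -> {parse_caller_ip(raw)}")
    # The value the grok processor in the original post extracts for source.ip:
    print(f"{'2001'!r:45} -> {parse_caller_ip('2001')}")
```

The order matters in the same way it does for the grok patterns: the port-carrying forms are tried first, but because they are anchored they cannot partially match an IPv6 address, and the final ipaddress check guarantees that whatever ends up in source.ip is something an ip-typed field will accept.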

Yes please! :smiley:

As every developer says, it's not a bug, it's a feature :slight_smile:

1 Like

I found a pull request with extensive discussion - it's not as simple as it seems! Also, fleet may install slightly different pipelines than the latest Filebeat. TIL.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.