navnit-elastic (Contributor)

Proposed commit message

azure: fix Grok processor error for firewall network rule logs

This change adds an additional pattern to the Grok processor to correctly parse
"AzureFirewallNetworkRuleLog" in the "firewall_logs" data stream.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Pipeline Test:

--- Test results for package: azure - START ---
╭─────────┬───────────────┬───────────┬─────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM   │ TEST TYPE │ TEST NAME                                                           │ RESULT │ TIME ELAPSED │
├─────────┼───────────────┼───────────┼─────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-applicationrules-raw.log)            │ PASS   │ 331.739975ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-applicationrules-structured-raw.log) │ PASS   │ 320.960522ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-dnsproxy-structured-raw.log)         │ PASS   │ 340.174668ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-dnsproxyrules-raw.log)               │ PASS   │ 309.007918ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-natrule-structured-raw.log)          │ PASS   │ 301.316746ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-networkrule-structured-raw.log)      │ PASS   │ 292.435714ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-networkrules-raw.log)                │ PASS   │ 303.674919ms │
│ azure   │ firewall_logs │ pipeline  │ (ingest pipeline warnings test-sdh3075-raw.log)                     │ PASS   │  310.52456ms │
│ azure   │ firewall_logs │ pipeline  │ test-applicationrules-raw.log                                       │ PASS   │ 201.178131ms │
│ azure   │ firewall_logs │ pipeline  │ test-applicationrules-structured-raw.log                            │ PASS   │ 115.220114ms │
│ azure   │ firewall_logs │ pipeline  │ test-dnsproxy-structured-raw.log                                    │ PASS   │ 122.113529ms │
│ azure   │ firewall_logs │ pipeline  │ test-dnsproxyrules-raw.log                                          │ PASS   │ 121.810092ms │
│ azure   │ firewall_logs │ pipeline  │ test-natrule-structured-raw.log                                     │ PASS   │ 105.421656ms │
│ azure   │ firewall_logs │ pipeline  │ test-networkrule-structured-raw.log                                 │ PASS   │  93.144998ms │
│ azure   │ firewall_logs │ pipeline  │ test-networkrules-raw.log                                           │ PASS   │ 222.146382ms │
│ azure   │ firewall_logs │ pipeline  │ test-sdh3075-raw.log                                                │ PASS   │  98.235937ms │
╰─────────┴───────────────┴───────────┴─────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: azure - END   ---
Done

@navnit-elastic navnit-elastic self-assigned this May 12, 2025
@navnit-elastic navnit-elastic requested review from a team as code owners May 12, 2025 07:16
@navnit-elastic navnit-elastic added Integration:azure Azure Logs bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels May 12, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 (Contributor) left a comment

Thanks

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @navnit-elastic

@navnit-elastic (Contributor, Author)

Hello @efd6, This PR only contains changes to the firewall_logs data stream (security-service-integration is a CODEOWNER). Should we wait for a review from other teams before merging?

@efd6 (Contributor)

efd6 commented May 12, 2025

@navnit-elastic We don't need to wait.

@efd6 efd6 merged commit 5fc7573 into elastic:main May 12, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package azure - 1.23.2 containing this change is available at https://epr.elastic.co/package/azure/1.23.2/

Development

Successfully merging this pull request may close these issues.

[Azure Logs]: AzureFirewallNetworkRuleLog - Provided Grok expressions do not match field value