search

elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations
Other
199 stars 429 forks source link

"Received invalid json from the Azure Cloud platform" error using the Native Azure Integration #5880

Open zmoog opened 1 year ago

zmoog commented 1 year ago

We are trying to ingest the Azure Function App logs using the Native Azure Integration.

The Elastic deployment is receiving the logs, but they all contain errors: the original JSON documents seem invalid.

Here's an example:

{
    "time": "2023-03-07T22:19:49Z",
    "resourceId": "/SUBSCRIPTIONS/9da0a0db-5764-4b7b-8c15-3d163c79cb78/RESOURCEGROUPS/MBRANCA-MALFORMED-JSON-RG/PROVIDERS/MICROSOFT.WEB/SITES/MBRANCA-HELLO-WORLD2",
    "category": "FunctionAppLogs",
    "operationName": "Microsoft.Web/sites/functions/log",
    "level": "Informational",
    "location": "East US",
    "properties": {'appName':'mbranca-hello-world2','roleInstance':'00888d1c-b4c0-4fc8-a6cd-3c713bc71ab6','message':'Executing Functions.hello (Reason=This function was programmatically called via the host APIs., Id=508349b3-5f75-41eb-8b37-93d55c2fcacb)','category':'Function.hello','hostVersion':'4.15.1.1','functionInvocationId':'c85e7a25-bade-4e7b-b596-53492d7cca9c','functionName':'Functions.hello','hostInstanceId':'9eb66127-a244-467e-b6a2-01879ad19da2','level':'Information','levelId': 2,'processId': 55,'eventId': 1,'eventName':'FunctionStarted'
    }
}

The document seems mostly fine, but the properties field contains an invalid JSON literal — it uses a single quote instead of double quotes.

We tried to send the same log category to an event hub, and the result is the same: the property field contains a single-quoted JSON object. So something is coming from the upstream service.

Here's how to reproduce the issue using the Dev Tools and the latest version of the integration:

POST _ingest/pipeline/logs-azure.platformlogs-1.5.13/_simulate
{
  "docs": [
    {
      "_source": {
        "tags": [
          "parse_message"
        ],
        "@timestamp": "2022-10-04T13:05:22.643+1300",
        "message": "{ \"time\": \"2023-04-11T13:35:20Z\", \"resourceId\": \"/SUBSCRIPTIONS/BE09D81E-9344-4E45-A3CA-D40F6448CDC2/RESOURCEGROUPS/ELASTIC-FUNCTION-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-ELASTIC-EU-FUNCTION-EXAMPLE-230411151635\", \"category\": \"FunctionAppLogs\", \"operationName\": \"Microsoft.Web/sites/functions/log\", \"level\": \"Informational\", \"location\": \"West Europe\", \"properties\": {'appName':'app-elastic-eu-function-example-230411151635','roleInstance':'7FC188BD-638167119026295850','message':'Elastic Test Function Trigger. ---- West Europe West Europe West Europe West Europe West Europe ','category':'Function.HttpTriggerJava.User','hostVersion':'4.16.5.5','functionInvocationId':'484b4eb9-8acf-44d3-9fef-d0f2176a2dd3','functionName':'HttpTriggerJava','hostInstanceId':'00b42cb0-884e-43fa-967f-17247226c07c','level':'Information','levelId':2,'processId':62}}"
      }
    }
  ]
}
zmoog commented 1 year ago

Microsoft is considering a fix on function runtime host v5, but there is no ETA yet.

botelastic[bot] commented 4 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!