zmoog
commented
2 weeks ago With one input + routing, we can reduce the user errors metric to zero and make the fewest storage account API calls possible.
Here's the diagram to leverage routing:
- One input receives log events from the event hub
- The input publishes the log events to the
logs-azure.eventhub-defaultdata stream. - The
logs-azure.eventhub-defaultdata stream contains alogs-azure.eventhub@customcustom pipeline with rules to route log events based on the log category. - Each log event lands in the target data stream.
If the routing rules cover all incoming log categories, the logs-azure.eventhub-default data stream will be empty. However, we can set up an alarm rule to trigger a notification in case any log event doesn't have a routing rule so that we can iterate and update the logs-azure.eventhub@custom custom pipeline.
The routing option is probably the most efficient method.
Here's the source code of the logs-azure.eventhub@custom pipeline I am testing:
PUT _ingest/pipeline/logs-azure.eventhub@custom
{
"processors": [
{
"json": {
"field": "message",
"target_field": "tmp_json"
}
},
{
"set": {
"field": "routing_category",
"copy_from": "tmp_json.category",
"ignore_empty_value": true
}
},
{
"remove": {
"field": "tmp_json",
"ignore_missing": true
}
},
{
"reroute": {
"dataset": [
"azure.signinlogs"
],
"if": "ctx.routing_category == \"SignInLogs\" || ctx.routing_category == \"NonInteractiveUserSignInLogs\" || ctx.routing_category == \"ServicePrincipalSignInLogs\" || ctx.routing_category == \"ManagedIdentitySignInLogs\""
}
},
{
"reroute": {
"dataset": [
"azure.identity_protection"
],
"if": "ctx.routing_category == \"RiskyUsers\" || ctx.routing_category == \"UserRiskEvents\""
}
},
{
"reroute": {
"dataset": [
"azure.provisioning"
],
"if": "ctx.routing_category == \"ProvisioningLogs\""
}
},
{
"reroute": {
"dataset": [
"azure.auditlogs"
],
"if": "ctx.routing_category == \"AuditLogs\""
}
},
{
"reroute": {
"dataset": [
"azure.activitylogs"
],
"if": "ctx.routing_category == \"Administrative\" || ctx.routing_category == \"Security\" || ctx.routing_category == \"ServiceHealth\" || ctx.routing_category == \"Alert\" || ctx.routing_category == \"Recommendation\" || ctx.routing_category == \"Policy\" || ctx.routing_category == \"Autoscale\" || ctx.routing_category == \"ResourceHealth\""
}
},
{
"reroute": {
"dataset": [
"azure.graphactivitylogs"
],
"if": "ctx.routing_category == \"MicrosoftGraphActivityLogs\""
}
},
{
"reroute": {
"dataset": [
"azure.firewall_logs"
],
"if": "ctx.routing_category == \"AzureFirewallApplicationRule\" || ctx.routing_category == \"AzureFirewallNetworkRule\" || ctx.routing_category == \"AzureFirewallDnsProxy\" || ctx.routing_category == \"AZFWApplicationRule\" || ctx.routing_category == \"AZFWNetworkRule\" || ctx.routing_category == \"AZFWNatRule\" || ctx.routing_category == \"AZFWDnsQuery\""
}
},
{
"reroute": {
"dataset": [
"azure.application_gateway"
],
"if": "ctx.routing_category == \"ApplicationGatewayFirewallLog\" || ctx.routing_category == \"ApplicationGatewayAccessLog\""
}
}
]
}
nicpenning
Situation
The Azure Logs integration allows multiple log categories to be collected from a single event hub.
At a high level, users (1) define the event hub name and settings, and (2) the integration will use the same event hub for all the integrations.
Problem
This setup is inefficient, and we plan to change it in future releases.
Solutions
You can only use the generic integration and route logs to the right data stream using the reroute processor.