Conversation

chemamartinez
Contributor

Proposed commit message

Azure AKS audit logs forwarded through Azure Eventhub are wrapped with an Azure envelope that follows this schema.

This PR fixes the audit_logs ingest pipeline to extract the audit log from the Azure resource log, as well as adding the Azure metadata as a new object called aks_metadata.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

@chemamartinez chemamartinez self-assigned this Oct 7, 2025
@chemamartinez chemamartinez added Integration:kubernetes Kubernetes bugfix Pull request that fixes a bug issue labels Oct 7, 2025
@chemamartinez chemamartinez marked this pull request as ready for review October 7, 2025 08:48
@chemamartinez chemamartinez requested a review from a team as a code owner October 7, 2025 08:48
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Contributor

@zmoog zmoog left a comment

Looks good at first glance. I'm trying it out on my local cluster.

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] labels Oct 7, 2025
@zmoog
Contributor

zmoog commented Oct 7, 2025

@chemamartinez, I set up a Diagnostic Setting to send "Kubernetes Audit" and "Kubernetes Audit Admin Logs" to an event hub:

CleanShot 2025-10-07 at 18 52 03@2x

And I deployed an Elastic Agent to pull these logs.

Elasticsearch is rejecting all the logs due to this error:

{
    "log.level": "warn",
    "@timestamp": "2025-10-07T16:45:33.946Z",
    "message": "Cannot index event '{\"@timestamp\":\"2025-10-07T16:45:33.929Z\",\"tags\":[\"forwarded\",\"kubernetes-audit_logs\"],\"data_stream\":{\"dataset\":\"kubernetes.audit_logs\",\"namespace\":\"default\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"input\":{\"type\":\"azure-eventhub\"},\"event\":{\"dataset\":\"kubernetes.audit_logs\"},\"elastic_agent\":{\"version\":\"8.18.8\",\"id\":\"15ec9ad7-5eee-48d4-a690-5975b00d008b\",\"snapshot\":false},\"agent\":{\"id\":\"15ec9ad7-5eee-48d4-a690-5975b00d008b\",\"version\":\"8.18.8\",\"ephemeral_id\":\"505ce226-9b72-453b-b908-3b981413de58\",\"name\":\"docker-fleet-agent\",\"type\":\"filebeat\"},\"message\":\"{\\\"category\\\":\\\"kube-audit-admin\\\",\\\"operationName\\\":\\\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\\\",\\\"properties\\\":{\\\"containerID\\\":\\\"a64cba7fefbf5020788dc29d9247157585bbb64826bf7209623ca7bb49b15fe7\\\",\\\"log\\\":\\\"{\\\\\\\"kind\\\\\\\":\\\\\\\"Event\\\\\\\",\\\\\\\"apiVersion\\\\\\\":\\\\\\\"audit.k8s.io/v1\\\\\\\",\\\\\\\"level\\\\\\\":\\\\\\\"Metadata\\\\\\\",\\\\\\\"auditID\\\\\\\":\\\\\\\"bfbd9d4d-ce5c-4ead-a743-af5b12b287f2\\\\\\\",\\\\\\\"stage\\\\\\\":\\\\\\\"ResponseComplete\\\\\\\",\\\\\\\"requestURI\\\\\\\":\\\\\\\"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kubelet-serving-csr-approver\\\\\\\",\\\\\\\"verb\\\\\\\":\\\\\\\"update\\\\\\\",\\\\\\\"user\\\\\\\":{\\\\\\\"username\\\\\\\":\\\\\\\"aksService\\\\\\\",\\\\\\\"groups\\\\\\\":[\\\\\\\"system:masters\\\\\\\",\\\\\\\"system:authenticated\\\\\\\"]},\\\\\\\"sourceIPs\\\\\\\":[\\\\\\\"172.31.51.172\\\\\\\"],\\\\\\\"userAgent\\\\\\\":\\\\\\\"approver/v0.0.0 (linux/amd64) 
kubernetes/$Format/leader-election\\\\\\\",\\\\\\\"objectRef\\\\\\\":{\\\\\\\"resource\\\\\\\":\\\\\\\"leases\\\\\\\",\\\\\\\"namespace\\\\\\\":\\\\\\\"kube-system\\\\\\\",\\\\\\\"name\\\\\\\":\\\\\\\"kubelet-serving-csr-approver\\\\\\\",\\\\\\\"uid\\\\\\\":\\\\\\\"14be99f8-ebb7-47b9-a194-43e63d9386af\\\\\\\",\\\\\\\"apiGroup\\\\\\\":\\\\\\\"coordination.k8s.io\\\\\\\",\\\\\\\"apiVersion\\\\\\\":\\\\\\\"v1\\\\\\\",\\\\\\\"resourceVersion\\\\\\\":\\\\\\\"93066366\\\\\\\"},\\\\\\\"responseStatus\\\\\\\":{\\\\\\\"metadata\\\\\\\":{},\\\\\\\"code\\\\\\\":200},\\\\\\\"requestReceivedTimestamp\\\\\\\":\\\\\\\"2025-10-07T15:44:35.237083Z\\\\\\\",\\\\\\\"stageTimestamp\\\\\\\":\\\\\\\"2025-10-07T15:44:35.241488Z\\\\\\\",\\\\\\\"annotations\\\\\\\":{\\\\\\\"authorization.k8s.io/decision\\\\\\\":\\\\\\\"allow\\\\\\\",\\\\\\\"authorization.k8s.io/reason\\\\\\\":\\\\\\\"\\\\\\\"}}\\\",\\\"pod\\\":\\\"kube-apiserver-869d7bb754-kkg69\\\",\\\"stream\\\":\\\"stdout\\\"},\\\"resourceId\\\":\\\"/SUBSCRIPTIONS/[redacted]/RESOURCEGROUPS/MKATSOULIS/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/MKATSOULIS-CLUSTER\\\",\\\"serviceBuild\\\":\\\"na\\\",\\\"time\\\":\\\"2025-10-07T15:44:35.241642842Z\\\"}\",\"azure\":{\"eventhub\":\"logs\",\"consumer_group\":\"$Default\",\"offset\":31619555306984,\"sequence_number\":69292040,\"enqueued_time\":\"2025-10-07T16:45:33.190Z\"}}\n, Meta: {\"input_id\":\"azure-eventhub-audit-logs-632b5fc9-7f73-44d2-83e7-93f889db311e\",\"raw_index\":\"logs-kubernetes.audit_logs-default\",\"stream_id\":\"azure-eventhub-kubernetes.audit_logs-632b5fc9-7f73-44d2-83e7-93f889db311e\"}' (status=400): {\"type\":\"document_parsing_exception\",\"reason\":\"[1:24] object mapping for [kubernetes.audit] tried to parse field [audit] as object, but found a concrete value\"}, dropping event!",
    "component": {
        "binary": "filebeat",
        "dataset": "elastic_agent.filebeat",
        "id": "azure-eventhub-default",
        "type": "azure-eventhub"
    },
    "log": {
        "source": "azure-eventhub-default"
    },
    "log.logger": "elasticsearch",
    "log.origin": {
        "file.line": 528,
        "file.name": "elasticsearch/client.go",
        "function": "github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.(*Client).applyItemStatus"
    },
    "service.name": "filebeat",
    "log.type": "event",
    "ecs.version": "1.6.0",
    "ecs.version": "1.6.0"
}

@chemamartinez
Contributor Author

@zmoog probably for some format reason the properties.log is being treated as a string when the field is processed by the pipeline.

I managed to solve it by decoding it as a JSON again. Now logs are being ingested as expected.
Screenshot 2025-10-08 at 16 06 28

Another weird problem is that I could not reproduce it with pipeline tests, no matter what the input log looks like. I finally decided to keep the original logic (rename and json processors for the same field). It may not be the most elegant solution, but at least we can be sure it will work in all cases, so I think it's the safest choice.

On the other hand, I added mappings for all unknown metadata fields.

Screenshot 2025-10-08 at 16 06 45

@zmoog
Contributor

zmoog commented Oct 8, 2025

@chemamartinez, I hope you don't mind me adding a test case for the kube-audit log category that includes a properties.log field as a string with embedded JSON.
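The behaviour discussed in the two comments above (an Azure envelope whose properties.log carries the Kubernetes audit event as an escaped JSON string, the second decode that fixes it, and a test input in that shape) can be reproduced outside Elasticsearch. The following Python is an added illustration written for this page, not the integration's ingest pipeline or any code from the PR; the envelope samples are constructed with placeholder values modelled on the event quoted earlier, and the choice to put every non-audit envelope field under a single aks_metadata object is an assumption about the PR's field layout.

```python
import json
from typing import Any, Dict


class AuditEnvelopeError(ValueError):
    """Raised when a message is not a well-formed AKS audit envelope."""


def _sample_audit_event() -> Dict[str, Any]:
    """Constructed inner Kubernetes audit event (placeholder values, not real data)."""
    return {
        "kind": "Event",
        "apiVersion": "audit.k8s.io/v1",
        "level": "Metadata",
        "auditID": "00000000-0000-0000-0000-000000000001",
        "stage": "ResponseComplete",
        "requestURI": "/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/example",
        "verb": "update",
        "user": {"username": "aksService", "groups": ["system:masters", "system:authenticated"]},
        "responseStatus": {"metadata": {}, "code": 200},
    }


def _sample_envelope(log_value: Any) -> str:
    """Constructed Azure resource-log envelope, modelled on the shape shown in the thread."""
    return json.dumps({
        "category": "kube-audit-admin",
        "operationName": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read",
        "properties": {
            "containerID": "0000000000000000000000000000000000000000000000000000000000000000",
            "log": log_value,
            "pod": "kube-apiserver-example",
            "stream": "stdout",
        },
        "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/EXAMPLE-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/EXAMPLE-CLUSTER",
        "serviceBuild": "na",
        "time": "2025-10-07T15:44:35.241642842Z",
    })


# Three constructed inputs: the Event Hub case (inner event is an escaped JSON string),
# the case where the event already arrives as an object, and a plain container log
# line that is not JSON at all.
ENVELOPE_STRING_LOG = _sample_envelope(json.dumps(_sample_audit_event()))
ENVELOPE_OBJECT_LOG = _sample_envelope(_sample_audit_event())
ENVELOPE_PLAIN_TEXT_LOG = _sample_envelope("I1007 15:44:35 leader election succeeded")


def unwrap_aks_audit(message: str) -> Dict[str, Any]:
    """Split one envelope into the audit event and the Azure metadata around it."""
    envelope = json.loads(message)
    props = envelope.get("properties")
    if not isinstance(props, dict) or "log" not in props:
        raise AuditEnvelopeError("envelope has no properties.log")

    audit = props["log"]
    # Event Hub hands the audit event over as an escaped JSON string, so decode it
    # a second time. An already-decoded object passes through unchanged, which is
    # what makes the step safe regardless of how the input was serialised.
    if isinstance(audit, str):
        try:
            audit = json.loads(audit)
        except json.JSONDecodeError as exc:
            raise AuditEnvelopeError("properties.log is not JSON") from exc
    if not isinstance(audit, dict):
        # A scalar under an object mapping is exactly what produced the
        # document_parsing_exception quoted earlier in the thread.
        raise AuditEnvelopeError("properties.log did not decode to an object")

    # Everything in the envelope except the audit event itself is Azure metadata.
    # Grouping it under "aks_metadata" is this example's assumption, not the PR's mapping.
    aks_metadata = {k: v for k, v in envelope.items() if k != "properties"}
    aks_metadata.update({k: v for k, v in props.items() if k != "log"})
    return {"kubernetes": {"audit": audit}, "aks_metadata": aks_metadata}


def is_indexable(message: str) -> bool:
    """True when the message would reach Elasticsearch as an object under kubernetes.audit."""
    try:
        unwrap_aks_audit(message)
    except (AuditEnvelopeError, json.JSONDecodeError):
        return False
    return True


if __name__ == "__main__":
    for name, sample in [("string", ENVELOPE_STRING_LOG), ("object", ENVELOPE_OBJECT_LOG),
                         ("plain", ENVELOPE_PLAIN_TEXT_LOG)]:
        print(name, "indexable" if is_indexable(sample) else "rejected")
```

The string and object inputs produce the same document, which is the property the rename-plus-json approach relies on; the plain-text line is rejected before indexing rather than after, so it never surfaces as a mapping error in the agent log.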

Contributor

@zmoog zmoog left a comment

LGTM

@chemamartinez chemamartinez enabled auto-merge (squash) October 8, 2025 16:18
@elasticmachine

💚 Build Succeeded

History

cc @chemamartinez

@chemamartinez chemamartinez merged commit 4e4f2b9 into elastic:main Oct 8, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package kubernetes - 1.81.1 containing this change is available at https://epr.elastic.co/package/kubernetes/1.81.1/
