[Filebeat] Add support to the Azure module for log in json

[nithril]

Describe the enhancement:

With the Azure Kubernetes Service diagnostic settings, I can push the k8s audit log into Elastic. The k8s audit log is json, by consequence the azure filebeat processor will output in the field message the k8s audit as a json string.

{
        "rename" : {
          "field" : "azure.platformlogs.properties.log",
          "target_field" : "message",
          "ignore_missing" : true
        }
      }

The improvement is about letting the user configure the Azure module to choose to parse azure.platformlogs.properties.log as json into a specific field.

Describe a specific use case for the enhancement or feature:

Ingesting AKS audit log

[legoguy1000]

This is the only sample log we have for the kube platform logs

{"Cloud":"AzureCloud","Environment":"prod","category":"kube-audit","ccpNamespace":"5e4bf4baee195b00017cdbfa","operationName":"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read","properties":{"log":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"Metadata\",\"auditID\":\"22af12c3-a1fe-4f2c-99a9-3cdde671dbfe\"}","pod":"kube-apiserver-666bd4b459-hjgdc","stream":"stdout"},"resourceId":"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE","time":"2020-11-09T10:57:31.0000000Z"}

Can you provide additional samples? Also will the azure.platformlogs.properties.log always have a JSON payload or is it only some of the azure.platoform logs?? If its not all, can you provide a field from the sample above that we can conditionalize?

[nithril]

I believe it should always be json according to https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#log-backend

I don't currently have samples coming from the diagnostics logs, only after the ingestion. Eg.

azure.platformlogs.properties.log:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3e59e7fa-da50-468f-8163-93840a2bc033","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager?timeout=10s","verb":"update","user":{"username":"aksService","groups":["system:masters","system:authenticated"]},"sourceIPs":["XXX"],"userAgent":"kube-controller-manager/v1.17.16 (linux/amd64) kubernetes/d88fadb/leader-election","objectRef":{"resource":"leases","namespace":"kube-system","name":"kube-controller-manager","uid":"1cc71c3f-9485-405c-9dcb-9f6e4dd095dc","apiGroup":"coordination.k8s.io","apiVersion":"v1","resourceVersion":"86096075"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-04-18T15:59:25.414442Z","stageTimestamp":"2021-04-18T15:59:25.419418Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[narph]

closed by #26148, please reopen if this will not fix your issue