[Azure Firewall] Certain Logs are not being parsed correctly

[Erikg346]

Describe the issue:

Azure firewall logs seem to skip the ingest pipeline that parses out fields
It's possible grok patterns are missing from logs-azure.firewall_logs-1.8.3 ingest pipeline

Log Categories:

• AZFWDnsQuery
• AZFWNatRule
• AZFWNetworkRule
• AZFWApplicationRule

Example messages from event.original:
Network Rule:

Application Rule:

From initial look, looks like the pipeline uses grok processor on "json.properties.msg" but these example events don't contain nested msg:

[Erikg346]

Looks like Azure implemented new logging formats for Azure Firewall.

https://techcommunity.microsoft.com/t5/azure-network-security-blog/exploring-the-new-resource-specific-structured-logging-in-azure/ba-p/3620530

[zmoog]

@Erikg346, which log category did you select in the Azure Firewall diagnostic setting?

It would be great to have a screenshot like the following one (or list the category names, as you prefer):

[zmoog]

We can infer the option they checked from the category name (i.e., AZFWNatRule —> "Azure Firewall Nat Rule"), but I'd love to know what you are most interested into

[zmoog]

My current understanding is the Azure Firewall integration does not support the new formats introduced by the Resource Specific Structured Logging yet. Still, I'm double-checking with the security integrations team to know more.

[Erikg346]

@zmoog yes you are correct the current Elastic Integration doesn't support the new formats. The weird part is we have the setting enabled for 'Azure Diagnostics', not 'Resource Specific'.

[muthu-mps]

The firewall logs integration doesn't support the structured logs introduced in Azure. We will enhance the ingest pipeline to provide support for structured format in such a way that both the log formats will be supported.