Add additional checks for event.original already existing into Azure firewall logs integration ingest pipeline

[tommyers-elastic]

What does this PR do?

Add additional checks for event.original already existing into Azure firewall logs integration ingest pipeline

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

[zmoog]

LGTM.

For the records, we did something similar on other Azure Logs integrations with #3639.

[philippkahr]

Can we make sure that this processor is the same in all integrations?

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-02-20T12:15:44.466+0000

• Duration: 14 min 43 sec

Test stats 🧪

Test	Results
Failed	0
Passed	124
Skipped	0
Total	124

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (10/10)	💚
Files	86.364% (19/22)	👎 -13.636
Classes	86.364% (19/22)	👎 -13.636
Methods	83.333% (155/186)	👍 22.574
Lines	85.079% (2794/3284)	👎 -14.454
Conditionals	100.0% (0/0)	💚

[tommyers-elastic]

Can we make sure that this processor is the same in all integrations?

i think it's kinda crazy each integration repeats these processors anyway. is there any reason not to move this into a higher level final pipeline?

@ruflin i think we talked about this at one point?

[philippkahr]

i think it's kinda crazy each integration repeats these processors anyway. is there any reason not to move this into a higher level final pipeline?

I see a few problems:

• In the Azure integration I want to preserve event.original
• In the AWS Integration I don't want to preserve event.original

Some sort of tag must be send to the final pipeline, so it actually knows when to set it and when not.

Problem: Custom ingest pipelines. what if those heavily modify the message field, or even drop it? Then the final pipeline won't be able to create the event.original, since message is missing, or something else happened.

[zmoog]

@philippkahr, the event.original field is preserved or removed from the document according to the presence of the preserve_original_event tag. This tag is a data stream-level option, so each individual data stream can pick its value.

The change in this PR handles an edge case that can happen the pipeline receives an event with both message and event.original fields. It is performed early in the pipeline and aims to have the event.original field only in the document, which will be kept or dropped according to the preserve_original_event tag.

(IIRC) This change was first introduced when Logstash changed its default behavior a few months ago and added event.original.

[elasticmachine]

Package azure - 1.5.9 containing this change is available at https://epr.elastic.co/search?package=azure

[mbudge]

Also seeing error.message: field [event.original] already exists rename in the azure application gateway logs with preserve original log disabled.

[zmoog]

Also seeing error.message: field [event.original] already exists rename in the azure application gateway logs with preserve original log disabled.

Yep, this can happen at the beginning of the ingest pipeline execution if the document has both message and event.original.

@mbudge, is it still happening with integration version 1.5.9? Can you provide a sample log causing the error if it does happen?

[mbudge]

We've upgraded to 8.6.2 but the latest azure firewall/application gateway integration is 1.5.8.

As soon as 1.5.9 is available for upgrade we'll test it.

[mbudge]

Just upgraded to 1.5.9 and the original event issue is fixed in data_stream.dataset: azure.firewall_logs

The firewall integration has a grok parsing error, I'll share with support.

We're still getting the error "field [event.original] already exists rename" this dataset in v1.5.9

data_stream.dataset: azure.application_gateway

[zmoog]

The firewall integration has a grok parsing error, I'll share with support.

Feel free to also open a public GitHub issue with the failing log event. Please redact any PII or account-identifiable information before sharing it.

We're still getting the error "field [event.original] already exists rename" in data_stream.dataset: azure.application_gateway

You're right!

Fixing this with #5361

[zmoog]

The firewall integration has a grok parsing error, I'll share with support.

We added unsupported message patterns with #5382. Thank you for sharing a sample log.

You can upgrade to integration version 1.5.11 when the automation bot confirms.