Skip to content

[azure logs] Fix sign-in logs category check #17027

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
zmoog wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[azure logs] Fix sign-in logs category check #17027

zmoog wants to merge 3 commits into from
+7 −2

Conversation

@zmoog
Copy link
Contributor

@zmoog zmoog commented Jan 21, 2026
edited
Loading

Proposed commit message

Add an explicit check on ctx.routing?.category to make sure it's not null before calling the endsWith("SignInLogs") method.

We can't assume category is always set.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Related issues

@zmoog
Fix sign-in logs category check
4e5574b 
We can't assume category will not be null.
@zmoog zmoog self-assigned this Jan 21, 2026
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Jan 21, 2026

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@zmoog
Check null before calling a method
7485aea 
The `?` seems to work when checking field access, but not when
checking field access 🤔
@zmoog zmoog added Integration:azure Azure Logs bugfix Pull request that fixes a bug issue Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] labels Jan 21, 2026
@zmoog zmoog marked this pull request as ready for review January 21, 2026 17:50
@zmoog zmoog requested a review from a team as a code owner January 21, 2026 17:50
@zmoog zmoog requested review from a team as code owners January 21, 2026 17:53
@elasticmachine
Copy link

elasticmachine commented Jan 21, 2026

💚 Build Succeeded

History

cc @zmoog

@zmoog zmoog added Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jan 21, 2026
@elasticmachine
Copy link

elasticmachine commented Jan 21, 2026

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

efd6
efd6 approved these changes Jan 22, 2026
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit only

packages/azure/data_stream/events/elasticsearch/ingest_pipeline/default.yml
value: azure.signinlogs
# Use same logic as the `signinlogs` stream that drops any document that doesn't end with `SignInLogs`.
if: 'ctx.routing?.category.endsWith("SignInLogs")'
if: 'ctx.routing?.category != null && ctx.routing?.category.endsWith("SignInLogs")'
Copy link
Contributor

@efd6 efd6 Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if: 'ctx.routing?.category != null && ctx.routing?.category.endsWith("SignInLogs")'
if: 'ctx.routing?.category != null && ctx.routing.category.endsWith("SignInLogs")'

Copy link
Contributor Author

@zmoog zmoog Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this pipeline guarantee the routing field? It looks like it might be optional here.

muthu-mps
muthu-mps reviewed Jan 22, 2026
View reviewed changes
packages/azure/data_stream/events/elasticsearch/ingest_pipeline/default.yml
value: azure.signinlogs
# Use same logic as the `signinlogs` stream that drops any document that doesn't end with `SignInLogs`.
if: 'ctx.routing?.category.endsWith("SignInLogs")'
if: 'ctx.routing?.category != null && ctx.routing?.category.endsWith("SignInLogs")'
Copy link
Contributor

@muthu-mps muthu-mps Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are not processing the logs with no category then should we drop the event which doesn't have category?

Copy link
Contributor Author

@zmoog zmoog Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Um, I think we keep the log events.

Two reasons:

  • Azure has been inconsistent in naming the field that contains the log category. So far we know they mostly usage category, but also found Category and CategoryValue in the wild. So I guess an suboptimal indexing is better than losing the log event.
  • custom routing: we recently added routing.category as candidate field for custom routing, but users may want to customize the routing based on other criteria and fields. If we drop the log event in the main pipeline, it will never reach the custom pipeline.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kavindu-Dodan Kavindu-Dodan Kavindu-Dodan approved these changes

@efd6 efd6 efd6 approved these changes

@muthu-mps muthu-mps muthu-mps approved these changes

Assignees

@zmoog zmoog

Labels

bugfix Pull request that fixes a bug issue Integration:azure Azure Logs Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Azure Logs]: Null def reference on set processor

6 participants

@zmoog @elasticmachine @Kavindu-Dodan @efd6 @muthu-mps