{
  "name": "azure",
  "title": "Azure Logs",
  "version": "1.29.1",
  "release": "ga",
  "description": "This Elastic integration collects logs from Azure",
  "type": "integration",
  "download": "/epr/azure/azure-1.29.1.zip",
  "path": "/package/azure/1.29.1",
  "icons": [
    {
      "src": "/img/azure_logs_logo.png",
      "path": "/package/azure/1.29.1/img/azure_logs_logo.png",
      "title": "logo azure",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.15.1 || ^9.0.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/obs-ds-hosted-services"
  },
  "categories": [
    "cloud",
    "azure",
    "observability",
    "security"
  ],
  "signature_path": "/epr/azure/azure-1.29.1.zip.sig",
  "format_version": "3.3.0",
  "readme": "/package/azure/1.29.1/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/azure_user_activity_dashboard.png",
      "path": "/package/azure/1.29.1/img/azure_user_activity_dashboard.png",
      "title": "Azure User Activity Dashboard",
      "size": "3024x3162",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/azure/1.29.1/LICENSE.txt",
    "/package/azure/1.29.1/changelog.yml",
    "/package/azure/1.29.1/manifest.yml",
    "/package/azure/1.29.1/validation.yml",
    "/package/azure/1.29.1/docs/README.md",
    "/package/azure/1.29.1/docs/activitylogs.md",
    "/package/azure/1.29.1/docs/adlogs.md",
    "/package/azure/1.29.1/docs/application_gateway.md",
    "/package/azure/1.29.1/docs/eventhub.md",
    "/package/azure/1.29.1/docs/events.md",
    "/package/azure/1.29.1/docs/firewall_logs.md",
    "/package/azure/1.29.1/docs/graphactivitylogs.md",
    "/package/azure/1.29.1/docs/platformlogs.md",
    "/package/azure/1.29.1/docs/springcloudlogs.md",
    "/package/azure/1.29.1/img/application_gateway_logo.svg",
    "/package/azure/1.29.1/img/azure_logs_logo.png",
    "/package/azure/1.29.1/img/azure_user_activity_dashboard.png",
    "/package/azure/1.29.1/img/eventhub.png",
    "/package/azure/1.29.1/img/filebeat-azure-firewall-dns-proxy.png",
    "/package/azure/1.29.1/img/filebeat-azure-firewall-overview.png",
    "/package/azure/1.29.1/img/filebeat-azure-overview.png",
    "/package/azure/1.29.1/img/firewall_logo.svg",
    "/package/azure/1.29.1/img/graph_activity.png",
    "/package/azure/1.29.1/img/graph_activity_logs.png",
    "/package/azure/1.29.1/img/logo_azure.svg",
    "/package/azure/1.29.1/img/microsoft-entra-id-logo.svg",
    "/package/azure/1.29.1/img/platformlogs_logo.png",
    "/package/azure/1.29.1/img/spring_logs.svg",
    "/package/azure/1.29.1/data_stream/activitylogs/manifest.yml",
    "/package/azure/1.29.1/data_stream/activitylogs/sample_event.json",
    "/package/azure/1.29.1/data_stream/application_gateway/manifest.yml",
    "/package/azure/1.29.1/data_stream/application_gateway/sample_event.json",
    "/package/azure/1.29.1/data_stream/auditlogs/manifest.yml",
    "/package/azure/1.29.1/data_stream/auditlogs/sample_event.json",
    "/package/azure/1.29.1/data_stream/eventhub/manifest.yml",
    "/package/azure/1.29.1/data_stream/eventhub/sample_event.json",
    "/package/azure/1.29.1/data_stream/events/manifest.yml",
    "/package/azure/1.29.1/data_stream/events/routing_rules.yml",
    "/package/azure/1.29.1/data_stream/firewall_logs/manifest.yml",
    "/package/azure/1.29.1/data_stream/firewall_logs/sample_event.json",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/manifest.yml",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/sample_event.json",
    "/package/azure/1.29.1/data_stream/identity_protection/manifest.yml",
    "/package/azure/1.29.1/data_stream/identity_protection/sample_event.json",
    "/package/azure/1.29.1/data_stream/platformlogs/manifest.yml",
    "/package/azure/1.29.1/data_stream/platformlogs/sample_event.json",
    "/package/azure/1.29.1/data_stream/provisioning/manifest.yml",
    "/package/azure/1.29.1/data_stream/provisioning/sample_event.json",
    "/package/azure/1.29.1/data_stream/signinlogs/manifest.yml",
    "/package/azure/1.29.1/data_stream/signinlogs/sample_event.json",
    "/package/azure/1.29.1/data_stream/springcloudlogs/manifest.yml",
    "/package/azure/1.29.1/data_stream/springcloudlogs/sample_event.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-0f559cc0-f0d5-11e9-90ec-112a988266d5.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-1adf52d0-f50f-11eb-a831-732d3e9bbd43.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-1e5c9b50-f24a-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-280493a0-f1a1-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-2b2e94c8-aff5-401d-b9a5-aae2d051a92c.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-32aedb00-f524-11eb-b9f3-73fa29f35762.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-3cdf69c0-32d9-11ed-a2e6-916b60bbea71.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-41e84340-ec20-11e9-90ec-112a988266d5.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-5ad41d90-f50e-11eb-a831-732d3e9bbd43.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-5ee36c30-32dc-11ed-a2e6-916b60bbea71.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-87095750-f05a-11e9-90ec-112a988266d5.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-8731b980-f1aa-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-91224490-f1a6-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/kibana/dashboard/azure-cad82b40-f251-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/kibana/search/azure-252228a0-f1ab-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/kibana/search/azure-3d1466b0-f252-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/kibana/search/azure-671ff040-f24e-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/kibana/search/azure-70cbce40-f1a7-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/kibana/search/azure-813b8ba0-32eb-11ed-8fa6-3121b5e93ca0.json",
    "/package/azure/1.29.1/kibana/search/azure-a3664560-32ed-11ed-8fa6-3121b5e93ca0.json",
    "/package/azure/1.29.1/kibana/search/azure-f7cc8d20-32e9-11ed-8fa6-3121b5e93ca0.json",
    "/package/azure/1.29.1/kibana/search/azure-fb61c4c0-f1a1-11ec-a5a8-bf965bcd5646.json",
    "/package/azure/1.29.1/data_stream/activitylogs/fields/agent.yml",
    "/package/azure/1.29.1/data_stream/activitylogs/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/activitylogs/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/activitylogs/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/application_gateway/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/application_gateway/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/application_gateway/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/auditlogs/fields/agent.yml",
    "/package/azure/1.29.1/data_stream/auditlogs/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/auditlogs/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/auditlogs/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/eventhub/fields/agent.yml",
    "/package/azure/1.29.1/data_stream/eventhub/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/eventhub/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/eventhub/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/events/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/events/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/events/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/firewall_logs/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/firewall_logs/fields/ecs.yml",
    "/package/azure/1.29.1/data_stream/firewall_logs/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/firewall_logs/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/fields/agent.yml",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/fields/ecs-extended.yml",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/fields/ecs.yml",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/identity_protection/fields/agent.yml",
    "/package/azure/1.29.1/data_stream/identity_protection/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/identity_protection/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/identity_protection/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/platformlogs/fields/agent.yml",
    "/package/azure/1.29.1/data_stream/platformlogs/fields/azure-isv-fields.yml",
    "/package/azure/1.29.1/data_stream/platformlogs/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/platformlogs/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/platformlogs/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/provisioning/fields/agent.yml",
    "/package/azure/1.29.1/data_stream/provisioning/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/provisioning/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/provisioning/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/signinlogs/fields/agent.yml",
    "/package/azure/1.29.1/data_stream/signinlogs/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/signinlogs/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/signinlogs/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/springcloudlogs/fields/agent.yml",
    "/package/azure/1.29.1/data_stream/springcloudlogs/fields/base-fields.yml",
    "/package/azure/1.29.1/data_stream/springcloudlogs/fields/fields.yml",
    "/package/azure/1.29.1/data_stream/springcloudlogs/fields/package-fields.yml",
    "/package/azure/1.29.1/data_stream/activitylogs/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/activitylogs/agent/stream/log.yml.hbs",
    "/package/azure/1.29.1/data_stream/activitylogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/activitylogs/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/application_gateway/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/application_gateway/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/application_gateway/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/auditlogs/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/auditlogs/agent/stream/log.yml.hbs",
    "/package/azure/1.29.1/data_stream/auditlogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/eventhub/agent/stream/stream.yml.hbs",
    "/package/azure/1.29.1/data_stream/eventhub/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/eventhub/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/eventhub/elasticsearch/ingest_pipeline/parsed-message.yml",
    "/package/azure/1.29.1/data_stream/events/agent/stream/stream.yml.hbs",
    "/package/azure/1.29.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/firewall_logs/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/firewall_logs/agent/stream/log.yml.hbs",
    "/package/azure/1.29.1/data_stream/firewall_logs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/firewall_logs/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/agent/stream/log.yml.hbs",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/graphactivitylogs/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/identity_protection/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/identity_protection/agent/stream/log.yml.hbs",
    "/package/azure/1.29.1/data_stream/identity_protection/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/identity_protection/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/platformlogs/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/platformlogs/agent/stream/log.yml.hbs",
    "/package/azure/1.29.1/data_stream/platformlogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/platformlogs/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/platformlogs/elasticsearch/ingest_pipeline/springcloudlogs-inner-pipeline.yml",
    "/package/azure/1.29.1/data_stream/provisioning/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/provisioning/agent/stream/log.yml.hbs",
    "/package/azure/1.29.1/data_stream/provisioning/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/signinlogs/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/signinlogs/agent/stream/log.yml.hbs",
    "/package/azure/1.29.1/data_stream/signinlogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/signinlogs/elasticsearch/ingest_pipeline/default.yml",
    "/package/azure/1.29.1/data_stream/springcloudlogs/agent/stream/azure-eventhub.yml.hbs",
    "/package/azure/1.29.1/data_stream/springcloudlogs/agent/stream/log.yml.hbs",
    "/package/azure/1.29.1/data_stream/springcloudlogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml",
    "/package/azure/1.29.1/data_stream/springcloudlogs/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "events",
      "title": "Azure Logs (v2 preview)",
      "description": "Azure Logs (v2 preview) integration",
      "data_streams": [
        "events"
      ],
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect all Azure Logs (v2 preview)",
          "description": "Collecting log events from Azure Event Hub (input: azure-eventhub)",
          "input_group": "logs"
        }
      ],
      "multiple": true,
      "icons": [
        {
          "src": "/img/eventhub.png",
          "path": "/package/azure/1.29.1/img/eventhub.png",
          "title": "logo azure",
          "size": "32x32",
          "type": "image/svg+xml"
        }
      ],
      "categories": [
        "stream_processing"
      ],
      "screenshots": [
        {
          "src": "/img/filebeat-azure-overview.png",
          "path": "/package/azure/1.29.1/img/filebeat-azure-overview.png",
          "title": "filebeat azure overview",
          "size": "5002x2666",
          "type": "image/png"
        }
      ],
      "readme": "/package/azure/1.29.1/docs/events.md"
    },
    {
      "name": "eventhub",
      "title": "Azure Event Hub Input",
      "description": "Azure Event Hub input integration",
      "data_streams": [
        "eventhub"
      ],
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect raw events (v1)",
          "description": "Collecting raw events from Azure Event Hub inputs (input: azure-eventhub)",
          "input_group": "logs"
        }
      ],
      "multiple": true,
      "icons": [
        {
          "src": "/img/eventhub.png",
          "path": "/package/azure/1.29.1/img/eventhub.png",
          "title": "logo azure",
          "size": "32x32",
          "type": "image/svg+xml"
        }
      ],
      "categories": [
        "stream_processing"
      ],
      "screenshots": [
        {
          "src": "/img/filebeat-azure-overview.png",
          "path": "/package/azure/1.29.1/img/filebeat-azure-overview.png",
          "title": "filebeat azure overview",
          "size": "5002x2666",
          "type": "image/png"
        }
      ],
      "readme": "/package/azure/1.29.1/docs/eventhub.md"
    },
    {
      "name": "adlogs",
      "title": "Microsoft Entra ID",
      "description": "Collect logs from Microsoft Entra ID (formerly Azure Active Directory) with Elastic Agent.",
      "data_streams": [
        "auditlogs",
        "signinlogs",
        "identity_protection",
        "provisioning"
      ],
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect Microsoft Entra ID logs (v1)",
          "description": "Collecting Microsoft Entra ID logs as audit logs and signin logs from Azure instances (input: azure-eventhub)",
          "input_group": "logs"
        }
      ],
      "multiple": true,
      "icons": [
        {
          "src": "/img/microsoft-entra-id-logo.svg",
          "path": "/package/azure/1.29.1/img/microsoft-entra-id-logo.svg",
          "title": "Microsoft Entra ID logo",
          "size": "32x32",
          "type": "image/svg+xml"
        }
      ],
      "categories": [
        "security"
      ],
      "screenshots": [
        {
          "src": "/img/filebeat-azure-overview.png",
          "path": "/package/azure/1.29.1/img/filebeat-azure-overview.png",
          "title": "filebeat azure overview",
          "size": "5002x2666",
          "type": "image/png"
        }
      ],
      "readme": "/package/azure/1.29.1/docs/adlogs.md"
    },
    {
      "name": "platformlogs",
      "title": "Azure platform logs",
      "description": "Azure platform logs integration",
      "data_streams": [
        "platformlogs"
      ],
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect Azure platform logs (v1)",
          "description": "Collecting platform logs from Azure instances (input: azure-eventhub)",
          "input_group": "logs"
        }
      ],
      "multiple": true,
      "icons": [
        {
          "src": "/img/platformlogs_logo.png",
          "path": "/package/azure/1.29.1/img/platformlogs_logo.png",
          "title": "logo azure",
          "size": "32x32",
          "type": "image/svg+xml"
        }
      ],
      "screenshots": [
        {
          "src": "/img/filebeat-azure-overview.png",
          "path": "/package/azure/1.29.1/img/filebeat-azure-overview.png",
          "title": "filebeat azure overview",
          "size": "5002x2666",
          "type": "image/png"
        }
      ],
      "readme": "/package/azure/1.29.1/docs/platformlogs.md"
    },
    {
      "name": "activitylogs",
      "title": "Azure Activity Logs",
      "description": "Azure Activity Logs integration",
      "data_streams": [
        "activitylogs"
      ],
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect Azure Activity Logs (v1)",
          "description": "Collecting activity logs from Azure instances (input: azure-eventhub)",
          "input_group": "logs"
        }
      ],
      "multiple": true,
      "icons": [
        {
          "src": "/img/platformlogs_logo.png",
          "path": "/package/azure/1.29.1/img/platformlogs_logo.png",
          "title": "logo azure",
          "size": "32x32",
          "type": "image/svg+xml"
        }
      ],
      "screenshots": [
        {
          "src": "/img/filebeat-azure-overview.png",
          "path": "/package/azure/1.29.1/img/filebeat-azure-overview.png",
          "title": "filebeat azure overview",
          "size": "5002x2666",
          "type": "image/png"
        }
      ],
      "readme": "/package/azure/1.29.1/docs/activitylogs.md"
    },
    {
      "name": "graphactivitylogs",
      "title": "Microsoft Graph Activity Logs",
      "description": "Microsoft Graph Activity Logs integration",
      "data_streams": [
        "graphactivitylogs"
      ],
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect Microsoft Graph Activity Logs (v1)",
          "description": "Collecting graph activity logs from Azure instances (input: azure-eventhub)",
          "input_group": "logs"
        }
      ],
      "multiple": true,
      "icons": [
        {
          "src": "/img/graph_activity.png",
          "path": "/package/azure/1.29.1/img/graph_activity.png",
          "title": "logo graphactivity",
          "size": "32x32",
          "type": "image/svg+xml"
        }
      ],
      "categories": [
        "security"
      ],
      "screenshots": [
        {
          "src": "/img/graph_activity_logs.png",
          "path": "/package/azure/1.29.1/img/graph_activity_logs.png",
          "title": "microsoft graph activity overview",
          "size": "5002x2666",
          "type": "image/png"
        }
      ],
      "readme": "/package/azure/1.29.1/docs/graphactivitylogs.md"
    },
    {
      "name": "springcloudlogs",
      "title": "Azure Spring Apps logs",
      "description": "Azure Spring Apps logs integration",
      "data_streams": [
        "springcloudlogs"
      ],
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect Azure Spring Apps logs (v1)",
          "description": "Collecting Spring Apps logs from Azure instances (input: azure-eventhub)",
          "input_group": "logs"
        }
      ],
      "multiple": true,
      "icons": [
        {
          "src": "/img/spring_logs.svg",
          "path": "/package/azure/1.29.1/img/spring_logs.svg",
          "title": "logo azure",
          "size": "32x32",
          "type": "image/svg+xml"
        }
      ],
      "screenshots": [
        {
          "src": "/img/filebeat-azure-overview.png",
          "path": "/package/azure/1.29.1/img/filebeat-azure-overview.png",
          "title": "filebeat azure overview",
          "size": "5002x2666",
          "type": "image/png"
        }
      ],
      "readme": "/package/azure/1.29.1/docs/springcloudlogs.md"
    },
    {
      "name": "firewall_logs",
      "title": "Azure Firewall logs",
      "description": "Azure firewall logs integration",
      "data_streams": [
        "firewall_logs"
      ],
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect Azure firewall logs (v1)",
          "description": "Collecting firewall logs from Azure (input: azure-eventhub)",
          "input_group": "logs"
        }
      ],
      "multiple": true,
      "icons": [
        {
          "src": "/img/firewall_logo.svg",
          "path": "/package/azure/1.29.1/img/firewall_logo.svg",
          "title": "logo azure",
          "size": "32x32",
          "type": "image/svg+xml"
        }
      ],
      "categories": [
        "security",
        "firewall_security"
      ],
      "screenshots": [
        {
          "src": "/img/filebeat-azure-firewall-overview.png",
          "path": "/package/azure/1.29.1/img/filebeat-azure-firewall-overview.png",
          "title": "filebeat azure firewall overview",
          "size": "5088x3088",
          "type": "image/png"
        },
        {
          "src": "/img/filebeat-azure-firewall-dns-proxy.png",
          "path": "/package/azure/1.29.1/img/filebeat-azure-firewall-dns-proxy.png",
          "title": "filebeat azure firewall dns proxy",
          "size": "5088x3032",
          "type": "image/png"
        }
      ],
      "readme": "/package/azure/1.29.1/docs/firewall_logs.md"
    },
    {
      "name": "application_gateway",
      "title": "Azure Application Gateway",
      "description": "Collect Azure Application Gateway logs with Elastic Agent.",
      "data_streams": [
        "application_gateway"
      ],
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect Azure Application Gateway logs (v1)",
          "description": "Collecting Application Gateway logs from Azure (input: azure-eventhub)",
          "input_group": "logs"
        }
      ],
      "multiple": true,
      "icons": [
        {
          "src": "/img/application_gateway_logo.svg",
          "path": "/package/azure/1.29.1/img/application_gateway_logo.svg",
          "title": "logo azure",
          "size": "32x32",
          "type": "image/svg+xml"
        }
      ],
      "categories": [
        "security"
      ],
      "readme": "/package/azure/1.29.1/docs/application_gateway.md"
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "azure.activitylogs",
      "title": "Azure Activity Logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-activitylogs",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes in logs (single quotes inside double-quoted strings are left unchanged) to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure Activity Logs",
          "description": "Collect Azure Activity Logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "activitylogs"
    },
    {
      "type": "logs",
      "dataset": "azure.application_gateway",
      "title": "Azure Application Gateway logs",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-application-gateway-logs",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes in logs (single quotes inside double-quoted strings are left unchanged) to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure Application Gateway logs",
          "description": "Collect Azure Application Gateway logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "application_gateway"
    },
    {
      "type": "logs",
      "dataset": "azure.auditlogs",
      "title": "Azure Audit Logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-auditlogs",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes (single quotes inside double quotes are omitted) in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure audit logs",
          "description": "Collect Azure audit logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "auditlogs"
    },
    {
      "type": "logs",
      "dataset": "azure.eventhub",
      "title": "Azure Event Hub Input",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "parse_message",
              "type": "bool",
              "title": "Parse azure message",
              "description": "Apply minimal JSON parsing of the message, extracting resource details for fields such as `resourceId` and `time`, if found.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "data_stream.dataset",
              "type": "text",
              "title": "Dataset name",
              "description": "Set the name for your dataset. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset, and you can use only characters that are valid in [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).\n",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "azure.eventhub"
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-eventhub",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes (single quotes inside double quotes are omitted) in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "stream.yml.hbs",
          "title": "Azure Event Hub Input",
          "description": "Collect Azure events using azure-eventhub input",
          "enabled": true,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "eventhub"
    },
    {
      "type": "logs",
      "dataset": "azure.events",
      "title": "Azure Logs (v2 preview)",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for this integration. DO NOT REUSE the same container name for more than one integration. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-eventhub",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes (single quotes inside double quotes are omitted) in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processor_version",
              "type": "text",
              "title": "Processor version",
              "description": "The processor version that the integration should use. Possible values are `v1` and `v2` (preview). \nThe v2 event hub processor is in preview, so using the v1 processor is recommended for typical use cases.\nDefault is `v1`.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "v1"
            },
            {
              "name": "processor_update_interval",
              "type": "text",
              "title": "Processor update interval",
              "description": "(Processor v2 only) How often the processor should attempt to claim partitions.\nDefault is `10` seconds.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "10s"
            },
            {
              "name": "processor_start_position",
              "type": "text",
              "title": "Processor start position",
              "description": "(Processor v2 only) Controls from what position in the event hub the processor should start processing messages for all partitions.\nPossible values are `earliest` and `latest`.\n`earliest` starts processing messages from the last checkpoint, or the beginning of the event hub if no checkpoint is available.\n`latest` starts processing messages from the latest event in the event hub and continues to process new events as they arrive.\nDefault is `earliest`.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "earliest"
            },
            {
              "name": "partition_receive_timeout",
              "type": "text",
              "title": "Partition receive timeout",
              "description": "(Processor v2 only) Maximum time to wait before processing the messages received from the event hub.\nThe partition consumer waits up to a \"receive count\" or a \"receive timeout\", whichever comes first.\nDefault is `5` seconds.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "5s"
            },
            {
              "name": "partition_receive_count",
              "type": "text",
              "title": "Partition receive count",
              "description": "(Processor v2 only) Maximum number of messages from the event hub to wait for before processing them.\nThe partition consumer waits up to a \"receive count\" or a \"receive timeout\", whichever comes first.\nDefault is `100` messages.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 100
            },
            {
              "name": "migrate_checkpoint",
              "type": "bool",
              "title": "Migrate checkpoint information",
              "description": "(Processor v2 only) Flag to control if the processor should perform the checkpoint information migration from processor v1 to v2 at startup.\nThe checkpoint migration converts the checkpoint information from the v1 format to the v2 format.\nDefault is `false`, which means the processor will not perform the checkpoint migration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "endpoint_suffix",
              "type": "text",
              "title": "Storage account endpoint suffix",
              "description": "(Processor v2 only) Override the default storage account endpoint suffix.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "core.windows.net"
            }
          ],
          "template_path": "stream.yml.hbs",
          "title": "Collect Azure logs from Event Hub",
          "description": "Collect all the supported (see list below) Azure logs from Event Hub to a target data stream.\n\n✨ **New in version 1.20.0+:** by enabling this integration, you can collect all the logs from the following Azure services and route them to the appropriate data stream:\n\n- Microsoft Entra ID logs:\n  - Audit\n  - Identity Protection\n  - Provisioning\n  - Sign-in\n- Platform logs\n- Activity logs\n- Microsoft Graph Activity Logs\n- Spring Apps logs\n- Firewall logs\n- Application Gateway logs\n\n**You MUST turn off the v1 integrations** when you enable this v2 integration. If you run both integrations simultaneously, you will see duplicate logs in your data stream.\n\nIf you need to collect raw events from Azure Event Hub, we recommend using the [Custom Azure Logs integration](https://www.elastic.co/docs/current/integrations/azure_logs) which provides more flexibility.\n\nTo learn more about the efficiency and routing enhancements introduced in version 1.20.0, please read the [Azure Logs (v2 preview)](https://www.elastic.co/docs/current/integrations/azure/events) documentation.\n",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "events"
    },
    {
      "type": "logs",
      "dataset": "azure.firewall_logs",
      "title": "Collect Network rule logs from Azure Firewall",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-firewall",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes (single quotes inside double quotes are omitted) in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure Firewall Logs",
          "description": "Collect Azure Firewall Network rule logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "firewall_logs"
    },
    {
      "type": "logs",
      "dataset": "azure.graphactivitylogs",
      "title": "Microsoft Graph Activity Logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-graphactivitylogs",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes (single quotes inside double quotes are omitted) in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Microsoft Graph Activity Logs",
          "description": "Collect Microsoft Graph Activity Logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "graphactivitylogs"
    },
    {
      "type": "logs",
      "dataset": "azure.identity_protection",
      "title": "Microsoft Entra ID Identity Protection Logs",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-identity-protection-logs",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes (single quotes inside double quotes are omitted) in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure Identity Protection Logs",
          "description": "Collect Microsoft Entra ID Identity Protection Logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "identity_protection"
    },
    {
      "type": "logs",
      "dataset": "azure.platformlogs",
      "title": "Azure Platform Logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-platformlogs",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes in logs (single quotes inside double-quoted strings are left unchanged) to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure platform logs",
          "description": "Collect Azure platform logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "platformlogs"
    },
    {
      "type": "logs",
      "dataset": "azure.provisioning",
      "title": "Microsoft Entra ID Provisioning Logs",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-provisioning-logs",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes in logs (single quotes inside double-quoted strings are left unchanged) to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure Provisioning Logs",
          "description": "Collect Microsoft Entra ID Provisioning Logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "provisioning"
    },
    {
      "type": "logs",
      "dataset": "azure.signinlogs",
      "title": "Azure Signin Logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-signinlogs",
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes in logs (single quotes inside double-quoted strings are left unchanged) to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure sign-in logs",
          "description": "Collect Azure sign-in logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "signinlogs"
    },
    {
      "type": "logs",
      "dataset": "azure.springcloudlogs",
      "title": "Azure Spring Apps Logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "azure-springcloudlogs",
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "sanitize_newlines",
              "type": "bool",
              "title": "Sanitizes New Lines",
              "description": "Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "sanitize_singlequotes",
              "type": "bool",
              "title": "Sanitizes Single Quotes",
              "description": "Replaces single quotes with double quotes in logs (single quotes inside double-quoted strings are left unchanged) to ensure proper formatting of JSON data and avoid parsing issues during processing.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Azure Spring Apps logs",
          "description": "Collect Azure Spring Apps logs using azure-eventhub input",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "azure",
      "elasticsearch": {
        "ingest_pipeline.name": "default"
      },
      "path": "springcloudlogs"
    }
  ],
  "vars": [
    {
      "name": "eventhub",
      "type": "text",
      "title": "Event Hub Name",
      "description": "The event hub name that contains the logs to ingest. Do not use the event hub namespace here. Elastic recommends using one event hub for each integration. Visit [Create an event hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use event hub names up to 30 characters long to avoid compatibility issues.",
      "multi": false,
      "required": true,
      "show_user": true
    },
    {
      "name": "consumer_group",
      "type": "text",
      "title": "Consumer Group",
      "multi": false,
      "required": true,
      "show_user": true,
      "default": "$Default"
    },
    {
      "name": "connection_string",
      "type": "password",
      "title": "Connection String",
      "description": "The connection string required to communicate with Event Hubs. See [Get an Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.",
      "multi": false,
      "required": true,
      "show_user": true
    },
    {
      "name": "storage_account",
      "type": "text",
      "title": "Storage Account",
      "description": "The name of the storage account where the consumer group's state/offsets will be stored and updated.",
      "multi": false,
      "required": true,
      "show_user": true
    },
    {
      "name": "storage_account_key",
      "type": "password",
      "title": "Storage Account Key",
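      "description": "The storage account key. This key is used to authorize access to data in your storage account. An account key grants full access to the storage account, so use an account dedicated to checkpoint data.",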
      "multi": false,
      "required": true,
      "show_user": true
    },
    {
      "name": "resource_manager_endpoint",
      "type": "text",
      "title": "Resource Manager Endpoint",
      "multi": false,
      "required": false,
      "show_user": false
    }
  ]
}
