[Azure] Add Azure Application Gateway datastream #3892
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
|
Hey @legoguy1000, thank you for your contribution! \o/ I am looking for the most appropriate team/person to review your PR. |
|
We may need to add instructions about which Azure resources users must set up to use the integration. @legoguy1000, which diagnostic setting did you set up to send logs to the event hub? Looking at the sample_event.json file content, my educated guess is that it is the diagnostic settings from the Application Gateway:
Am I right? |
|
@zmoog I don't currently have an azure WAF to test this on, I just went off the documentation here, https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs. |
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
Got it, thanks! Interesting reading. I see the log categories used as data sources are the following:
@legoguy1000 I noticed pipeline test documents for "Application Gateway Access Log" and "Application Gateway Firewall Log": are we supporting both, right? |
|
Questions for the security-external-integrations team:
|
Sorry I didn't see this earlier. I don't see any reason you wouldn't want both. One is just access logs, the other is the actual WAF security rules alert logs. |
packages/azure/data_stream/waf_logs/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/azure/data_stream/waf_logs/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
legoguy1000
force-pushed
the
1306-azure-waf
branch
from
c789f17
to
3a96c01
Compare
|
/test |
🌐 Coverage report
|
The performance log is more of a metric but I guess we could add it. Also unless I'm reading something wrong, the waf is the application gateway or at least that's what it's log names are. |
|
I think this is good for now. |
|
I see this integration is using the Application Gateway resource logs to collect WAF data; in particular, we are leveraging the following log categories:
I just noticed that Front Door also produces WAF data using its resource logs named @efd6, do you think we should also support WAF data from Front Door's logs in this integration? @efd6, another more general question: what if someone asks us to support Application Gateway logs or Front Door logs without focusing on WAF? For example, they want the access logs with no particular focus on WAF. |
|
Hey @legoguy1000, in a previous comment, you mentioned that you don't azure WAF to test this on. @efd6, did you get a chance to test this integration? Otherwise, I can give it a try. |
|
@jamiehynds, if I am not wrong, this integration does not have a dashboard. Can we go with it and add it later, or should we add it in this PR? I believe the questions I asked Dan in a previous comment were also for you 😇 |
|
One last thing. @legoguy1000, thank you for your contribution! I'll keep an eye on this PR, and I won't let you wait again for more than necessary. |
|
@zmoog you're all good, we're all busy with a million things. I could always rename the data stream to application gateway and we could create a separate one for front door? |
|
@zmoog No I have not tested this. Please take it for a spin. |
Hey @zmoog - with regards to Frontdoor logs, we seem to have a community contribution for Frontdoor support (including a dashboard) - #2497. I'm not overly familiar on the differences between WAF and Frontdoor. Should these be separate integrations or should Frontdoor be a datastream under Azure WAF? With regards to a dashboard, it's always our preference to include dashboards with new integrations as when we don't ship dashboards, it's easy to put it on the long finger and we end up with dashboards without integrations. Do you think we could add a dashboad as part of this PR? |
legoguy1000
force-pushed
the
1306-azure-waf
branch
from
3a96c01
to
a9b37d3
Compare
🚀 Benchmarks reportPackage
|
| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
auditlogs |
1515.15 | 1088.14 | -427.01 (-28.18%) | 💔 |
To see the full report comment with /test benchmark fullreport
|
@P1llus updated. |
legoguy1000
changed the title
There was a problem hiding this comment.
Added a few small nitpicks, could you also remove any changes done to the other datastreams? As they should be updated in another PR if necessary.
Could you also rename it to application_gateway rather than application_gateway_logs ?
After the changes and a review from obs-cloud-monitoring we can merge.
packages/azure/data_stream/application_gateway_logs/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
...re/data_stream/activitylogs/_dev/test/pipeline/test-activitylogs-edgecases.log-expected.json
Outdated
Show resolved
Hide resolved
packages/azure/data_stream/activitylogs/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/azure/data_stream/application_gateway_logs/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/azure/data_stream/application_gateway_logs/agent/stream/azure-eventhub.yml.hbs
Outdated
Show resolved
Hide resolved
legoguy1000
force-pushed
the
1306-azure-waf
branch
from
37149d7
to
a5b1eb0
Compare
legoguy1000
force-pushed
the
1306-azure-waf
branch
from
9d9081a
to
8ed7b6f
Compare
This completes the transition from Azure WAF to Azure Application Gateway.
Like the AWS integration, we keep fields and event reference material in the individual integration docs. The README.md file was getting hard to read due to the extra long reference section.
We are working to define a more defined process to graduate from beta to a GA for each integration or data stream that we release.
|
Hey @legoguy1000, thank you again for the initial work and the will to update it! I made all the pending changes from my last comments and LGTM. I'll take care of the CI. When all is green, we can merge. |
Renamed field with the expected name.
What does this PR do?
Add Azure Application Gateway datastream
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots