From 8edcc0b5edaa511e5f9d942108a33626d7f53581 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 12 Dec 2022 22:12:34 +0100 Subject: [PATCH] [7.17](backport #33654) Azure Platform Logs: rename identity as identity_name when the value is a string (#33957) * Azure Platform Logs: rename identity as identity_name when the value is a string (#33654) * Rename identity as identity_name when is a string The identity field comes in different flavors, depending on the specific log category. If it comes as a string, the pipeline renames it as identity_name to avoid collisions when the value is an object. (cherry picked from commit ea9b0cb3c66bce6c9037dcc5519a6c0f4a4bec9a) # Conflicts: # x-pack/filebeat/module/azure/fields.go * Remove extra entries in changelog * Update fields.go * Remove extra entries in changelog Co-authored-by: Maurizio Branca Co-authored-by: Maurizio Branca --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 10 ++++++ x-pack/filebeat/module/azure/fields.go | 2 +- .../azure/platformlogs/_meta/fields.yml | 4 +++ .../azure/platformlogs/ingest/pipeline.yml | 6 ++++ .../test/platformlogs-identity-raw.log | 1 + ...latformlogs-identity-raw.log-expected.json | 32 +++++++++++++++++++ 7 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log create mode 100644 x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log-expected.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 9eb763746a63..5c5b4f0c4c1a 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -38,6 +38,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Filebeat* +- Rename identity as identity_name when the value is a string in Azure Platform Logs. {pull}33654[33654] *Heartbeat* 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index e7cc7cb7215e..a5554e304b39 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -3216,6 +3216,16 @@ type: keyword ActivityId +type: keyword + +-- + +*`azure.platformlogs.identity_name`*:: ++ +-- +Identity name + + type: keyword -- diff --git a/x-pack/filebeat/module/azure/fields.go b/x-pack/filebeat/module/azure/fields.go index 0b8794307584..3cbc1684eeab 100644 --- a/x-pack/filebeat/module/azure/fields.go +++ b/x-pack/filebeat/module/azure/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAzure returns asset data. // This is the base64 encoded zlib format compressed contents of module/azure. func AssetAzure() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/azure/platformlogs/_meta/fields.yml b/x-pack/filebeat/module/azure/platformlogs/_meta/fields.yml index 27aceeba5560..e512ce5ef071 100644 --- a/x-pack/filebeat/module/azure/platformlogs/_meta/fields.yml +++ b/x-pack/filebeat/module/azure/platformlogs/_meta/fields.yml @@ -57,6 +57,10 @@ type: keyword description: > ActivityId + - name: identity_name + type: keyword + description: | + Identity name - name: properties type: flattened description: > diff --git a/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml index 3ddb92eb6de2..c183126cc6ac 100644 --- a/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml 
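Review bot: The description added for `identity_name` in `platformlogs/_meta/fields.yml` only repeats the field name, so a reader of the field reference cannot tell when it is populated. Something like `Identity name; set when the source identity value is a string rather than an object.` would explain why the field sits next to `identity`. The entry also uses `description: |` where the neighbouring `ActivityId` and `properties` entries use `description: >`. Changing the text would presumably mean regenerating `fields.go` and `fields.asciidoc`, which this commit also touches.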
@@ -15,6 +15,12 @@ processors:
 - json:
 field: message
 target_field: azure.platformlogs
+- rename:
+ field: azure.platformlogs.identity
+ target_field: azure.platformlogs.identity_name
+ ignore_missing: true
+ description: 'Rename the field to `identity_name` to avoid conflicts with the `identity` containing a JSON object.'
+ if: "ctx.azure?.platformlogs?.identity instanceof String"
 - date:
 field: azure.platformlogs.time
 target_field: '@timestamp'
diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log
new file mode 100644
index 000000000000..72541102c819
--- /dev/null
+++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log
@@ -0,0 +1 @@
+{"Cloud":"AzureCloud","Environment":"prod","category":"kube-audit","ccpNamespace":"5e4bf4baee195b00017cdbfa","identity":"Michael Dell","operationName":"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read","properties":{"log":"{\"kind\":\"Event\"}","pod":"kube-apiserver-666bd4b459-hjgdc"},"resourceId":"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE","time":"2020-11-09T10:57:31.0000000Z"}
diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log-expected.json b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log-expected.json
new file mode 100644
index 000000000000..3a68b737d29a
--- /dev/null
+++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-identity-raw.log-expected.json
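Review bot: The new `rename` processor in `platformlogs/ingest/pipeline.yml` throws when `azure.platformlogs.identity_name` already exists, and the `json` processor just above copies every key of `message` into `azure.platformlogs`, so a record carrying both a string `identity` and an `identity_name` key would fail at this step. Whether such an event is kept or lost then depends on the pipeline's failure handling, which is outside this hunk; for an audit dataset a dropped record is a visibility gap. Guarding the condition avoids the exception, `if: "ctx.azure?.platformlogs?.identity instanceof String && ctx.azure.platformlogs.identity_name == null"`, though the string `identity` left in place in that case still needs an explicit decision. `ignore_missing: true` is redundant, since the `if` only passes when the field is present. The fixture added in this commit exercises only the string case; a sample with an object-valued `identity` would pin the untouched branch.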
@@ -0,0 +1,32 @@
+[
+ {
+ "@timestamp": "2020-11-09T10:57:31.000Z",
+ "azure.platformlogs.Cloud": "AzureCloud",
+ "azure.platformlogs.Environment": "prod",
+ "azure.platformlogs.category": "kube-audit",
+ "azure.platformlogs.ccpNamespace": "5e4bf4baee195b00017cdbfa",
+ "azure.platformlogs.event_category": "Administrative",
+ "azure.platformlogs.identity_name": "Michael Dell",
+ "azure.platformlogs.operation_name": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read",
+ "azure.platformlogs.properties.log.kind": "Event",
+ "azure.platformlogs.properties.pod": "kube-apiserver-666bd4b459-hjgdc",
+ "azure.resource.group": "OBS-INFRASTRUCTURE",
+ "azure.resource.id": "/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE",
+ "azure.resource.name": "OBSKUBE",
+ "azure.resource.provider": "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS",
+ "azure.subscription_id": "70BD6E77-4B1E-4835-8896-DB77B8EEF364",
+ "cloud.provider": "azure",
+ "event.action": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read",
+ "event.dataset": "azure.platformlogs",
+ "event.kind": "event",
+ "event.module": "azure",
+ "event.original": "{\"Cloud\":\"AzureCloud\",\"Environment\":\"prod\",\"category\":\"kube-audit\",\"ccpNamespace\":\"5e4bf4baee195b00017cdbfa\",\"identity\":\"Michael Dell\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"log\":\"{\\\"kind\\\":\\\"Event\\\"}\",\"pod\":\"kube-apiserver-666bd4b459-hjgdc\"},\"resourceId\":\"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE\",\"time\":\"2020-11-09T10:57:31.0000000Z\"}",
+ "fileset.name": "platformlogs",
+ "input.type": "log",
+ "log.offset": 0,
+ "service.type": "azure",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file