Add OTel to ECS adapter for Azure Logs integration

Author: zmoog

packages/otel_ecs_adapter/LICENSE.txt

@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.

packages/otel_ecs_adapter/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.2.0"
+  changes:
+    - description: Introduce OTel ECS adapter to map OTel attributes to ECS fields.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/999999

packages/otel_ecs_adapter/data_stream/events/elasticsearch/ingest_pipeline/default.yml

@@ -0,0 +1,20 @@
+---
+description: Pipeline for processing Azure Events logs
+processors:
+
+  # ------------------------------------------------------
+  # Fallback pipeline for processing logs not supported by
+  # the `azurelogs` translator.
+  # ------------------------------------------------------
+  - pipeline:
+      if: "ctx.body?.structured != null"
+      name: '{{ IngestPipeline "fallback" }}'
+      description: "Fallback pipeline for processing logs not supported by the `azurelogs` translator"
+
+on_failure:
+  - set:
+      field: event.kind
+      value: pipeline_error
+  - append:
+      field: error.message
+      value: '{{{ _ingest.on_failure_message }}}'

packages/otel_ecs_adapter/data_stream/events/elasticsearch/ingest_pipeline/fallback.yml

@@ -0,0 +1,103 @@
+---
+description: | 
+  This pipelines handles log events not fully supported by the `azurelogs`
+  translator.
+
+  The pipeline assumes that log events contain the `body.structured` field
+  are not fully supported by the `azurelogs` translator.
+
+  The pipeline adapts the unsupported log events to look like the native
+  Azure resource logs, so they can be rerouted to the Azure Logs integration.
+
+processors:
+
+  # ------------------------------------------------------
+  # Expand all fields into objects.
+  # ------------------------------------------------------
+  - dot_expander:
+      path: resource.attributes
+      field: "*"
+      if: ctx.resource?.attributes != null
+
+  - dot_expander:
+      path: body.structured
+      field: "*"
+      if: ctx.body?.structured != null
+
+  # ------------------------------------------------------
+  # Rebuild the `time` and `resourceId` fields
+  # ------------------------------------------------------
+  - set:
+      field: body.structured.time
+      copy_from: "@timestamp"
+      if: ctx.body?.structured != null
+
+  - rename:
+      ignore_missing: true
+      field: resource.attributes.cloud.resource_id
+      target_field: body.structured.resourceId
+
+  # ------------------------------------------------------
+  # Rebuild the OTel specific fields to the native Azure
+  # resource logs schema.
+  # ------------------------------------------------------
+  - rename:
+      ignore_missing: true
+      field: body.structured.operation.name
+      target_field: body.structured.operationName
+  - rename:
+      ignore_missing: true
+      field: body.structured.operation.version
+      target_field: body.structured.operationVersion
+  - rename:
+      ignore_missing: true
+      field: body.structured.correlation.id
+      target_field: body.structured.correlationId
+  - rename:
+      ignore_missing: true
+      field: body.structured.result.description
+      target_field: body.structured.resultDescription
+  - rename:
+      ignore_missing: true
+      field: body.structured.result.signature
+      target_field: body.structured.resultSignature
+  - rename:
+      ignore_missing: true
+      field: body.structured.result.type
+      target_field: body.structured.resultType
+  - rename:
+      ignore_missing: true
+      field: body.structured.tenant.id
+      target_field: body.structured.tenantId
+  - rename:
+      ignore_missing: true
+      field: body.structured.cloud.region
+      target_field: body.structured.location
+  - rename:
+      ignore_missing: true
+      field: body.structured.network.peer.address
+      target_field: body.structured.callerIpAddress
+  
+  # ------------------------------------------------------
+  # Clean up the empty OTel specific fields after renaming.
+  # ------------------------------------------------------
+  - remove:
+      field:
+        - body.structured.network
+        - body.structured.correlation
+        - body.structured.result
+        - body.structured.operation
+        - body.structured.tenant
+      ignore_missing: true
+      description: Clean up the empty OTel specific fields after renaming.
+  - remove:
+      field:
+        - resource.attributes
+      ignore_missing: true
+      description: Removes the OTel specific fields that are not supported by the ECS schema.
+
+on_failure:
+  - append:
+      field: error.message
+      value:
+        - "{{ _ingest.on_failure_message }} {{ _ingest.on_failure_processor_type }}"

packages/otel_ecs_adapter/data_stream/events/fields/base-fields.yml

@@ -0,0 +1,12 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.

packages/otel_ecs_adapter/data_stream/events/manifest.yml

@@ -0,0 +1,6 @@
+title: "OTel to ECS"
+type: logs
+dataset: azure.resourcelogs.otel
+elasticsearch:
+  dynamic_dataset: true
+  dynamic_namespace: true

packages/otel_ecs_adapter/data_stream/events/routing_rules.yml

@@ -0,0 +1,7 @@
+- source_dataset: azure.resourcelogs.otel
+  rules:
+    - target_dataset: azure.events
+      if: ctx.body?.structured != null
+      namespace:
+        - "{{data_stream.namespace}}"
+        - default

packages/otel_ecs_adapter/docs/README.md

@@ -0,0 +1 @@
+# OTel To ECS Adapter

packages/otel_ecs_adapter/img/otel_ecs.svg

@@ -0,0 +1,21 @@
+format_version: 3.4.1
+name: otel_ecs_adapter
+title: "OTel To ECS Adapter"
+version: 0.2.0
+description: "Adapter to convert OTel data to ECS data"
+type: integration
+categories:
+  - cloud
+  - azure
+  - observability
+conditions:
+  kibana:
+    version: "^8.15.1 || ^9.0.0"
+owner:
+  github: elastic/obs-ds-hosted-services
+  type: elastic
+icons:
+  - src: /img/otel_ecs.svg
+    title: OTel To ECS Adapter logo
+    size: 64x64
+    type: image/svg+xml