[extension/azure_encoding] Add support for Administrative, Alert, Autoscale, Policy, Security, ServiceHealth, and ResourceHealth log categories.

.chloggen/zmoog_azureencodingextension_port-activitylogs-from-translator.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog)
+component: extension/azure_encoding
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for Administrative, Alert, Autoscale, Policy, Security, ServiceHealth, and ResourceHealth log categories.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [45699]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]

extension/encoding/azureencodingextension/internal/unmarshaler/logs/README.md

@@ -41,10 +41,50 @@ in OpenTelemetry Collector pipeline (for example, using `transformprocessor`) or
 | `durationMs`          | `azure.operation.duration`    | Log Attribute |
 | `callerIpAddress`     | `network.peer.address`        | Log Attribute |
 | `correlationId`       | `azure.correlation_id`        | Log Attribute |
-| `identity`            | `azure.identity`              | Log Attribute |
+| `identity`            | see [Identity Field](#identity-field) below | Log Attribute |
 | `Level`               | `log.SeverityNumber`          | Log |
 | `properties`          | see mapping for each Category below | mixed |
 
+### Identity Field
+
+The `identity` field contains authorization and claims information. Rather than storing it as a nested structure,
+specific fields are extracted into flat, semantically meaningful attributes. Only known useful fields are extracted
+to minimize the risk of accidentally including sensitive data.
+
+#### Authorization Fields
+
+| Azure identity Field | OpenTelemetry | OpenTelemetry Scope |
+|---------------------|---------------|---------------------|
+| `identity.authorization.scope` | `azure.identity.authorization.scope` | Log Attribute |
+| `identity.authorization.action` | `azure.identity.authorization.action` | Log Attribute |
+| `identity.authorization.evidence.role` | `azure.identity.authorization.evidence.role` | Log Attribute |
+| `identity.authorization.evidence.roleAssignmentScope` | `azure.identity.authorization.evidence.role.assignment.scope` | Log Attribute |
+| `identity.authorization.evidence.roleAssignmentId` | `azure.identity.authorization.evidence.role.assignment.id` | Log Attribute |
+| `identity.authorization.evidence.roleDefinitionId` | `azure.identity.authorization.evidence.role.definition.id` | Log Attribute |
+| `identity.authorization.evidence.principalId` | `azure.identity.authorization.evidence.principal.id` | Log Attribute |
+| `identity.authorization.evidence.principalType` | `azure.identity.authorization.evidence.principal.type` | Log Attribute |
+
+#### Claims Fields
+
+Unix timestamps (`exp`, `nbf`, `iat`) are converted to RFC3339 format.
+
+| Azure identity.claims Field | OpenTelemetry | OpenTelemetry Scope |
+|----------------------------|---------------|---------------------|
+| `iss` | `azure.identity.issuer` | Log Attribute |
+| `sub` | `azure.identity.subject` | Log Attribute |
+| `aud` | `azure.identity.audience` | Log Attribute |
+| `exp` | `azure.identity.not_after` | Log Attribute |
+| `nbf` | `azure.identity.not_before` | Log Attribute |
+| `iat` | `azure.identity.created` | Log Attribute |
+| `http://schemas.microsoft.com/identity/claims/scope` | `azure.identity.scope` | Log Attribute |
+| `idtyp` | `azure.identity.type` | Log Attribute |
+| `appid` | `azure.identity.application.id` | Log Attribute |
+| `http://schemas.microsoft.com/claims/authnmethodsreferences` | `azure.identity.auth.methods.references` | Log Attribute |
+| `http://schemas.microsoft.com/identity/claims/identityprovider` | `azure.identity.provider` | Log Attribute |
+| `http://schemas.microsoft.com/identity/claims/objectidentifier` | `azure.identity.identifier.object` | Log Attribute |
+| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier` | `user.name` | Log Attribute |
+| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | `user.email` | Log Attribute |
+
 ## Application Gateway
 
 ### Application Gateway Access Logs (both v1 and v2)
@@ -510,18 +550,6 @@ in OpenTelemetry Collector pipeline (for example, using `transformprocessor`) or
 | `roleInstance`            | `service.instance.id`             | Resource Attribute |
 | -                         | `faas.invoked_provider`=`azure`   | Log Attribute |
 
-## Recommendation Logs
-
-| Azure "properties" Field      | OpenTelemetry                         | OpenTelemetry Scope |
-|-------------------------------|---------------------------------------|---------------------|
-| `recommendationSchemaVersion` | `azure.recommendation.schema_version` | Log Attribute |
-| `recommendationCategory`      | `azure.recommendation.category`       | Log Attribute |
-| `recommendationImpact`        | `azure.recommendation.impact`         | Log Attribute |
-| `recommendationName`          | `azure.recommendation.name`           | Log Attribute |
-| `recommendationResourceLink`  | `azure.recommendation.link`           | Log Attribute |
-| `recommendationType`          | `azure.recommendation.type`           | Log Attribute |
-| `recommendationRisk`          | `azure.recommendation.risk`           | Log Attribute |
-
 ## Storage Blob Logs (StorageRead, StorageWrite, StorageDelete)
 
 | Azure "properties" Field  | OpenTelemetry                                 | OpenTelemetry Scope |
@@ -543,3 +571,112 @@ in OpenTelemetry Collector pipeline (for example, using `transformprocessor`) or
 | `tlsVersion`              | `tls.protocol.name` + `tls.protocol.version`. If unparsable - `tls.protocol.original` | Log Attribute |
 | `objectKey`               | `azure.storage.object.key`                    | Log Attribute |
 | `sourceAccessTier`        | `azure.storage.source.access_tier`            | Log Attribute |
+
+## Activity Logs
+
+Activity Logs are a type of Azure platform log that provides insight into subscription-level events. The following categories are supported:
+
+### Administrative
+
+| Azure "properties" Field  | OpenTelemetry                       | OpenTelemetry Scope |
+|---------------------------|-------------------------------------|---------------------|
+| `entity`                  | `azure.administrative.entity`       | Log Attribute |
+| `message`                 | `azure.administrative.message`      | Log Attribute |
+| `hierarchy`               | `azure.administrative.hierarchy`    | Log Attribute |
+
+### Alert
+
+| Azure "properties" Field  | OpenTelemetry                       | OpenTelemetry Scope |
+|---------------------------|-------------------------------------|---------------------|
+| `webHookUri`              | `azure.alert.webhook.uri`           | Log Attribute |
+| `RuleUri`                 | `azure.alert.rule.uri`              | Log Attribute |
+| `RuleName`                | `azure.alert.rule.name`             | Log Attribute |
+| `RuleDescription`         | `azure.alert.rule.description`      | Log Attribute |
+| `Threshold`               | `azure.alert.threshold`             | Log Attribute |
+| `WindowSizeInMinutes`     | `azure.alert.window_size_minutes`   | Log Attribute |
+| `Aggregation`             | `azure.alert.aggregation`           | Log Attribute |
+| `Operator`                | `azure.alert.operator`              | Log Attribute |
+| `MetricName`              | `azure.alert.metric.name`           | Log Attribute |
+| `MetricUnit`              | `azure.alert.metric.unit`           | Log Attribute |
+
+### Autoscale
+
+| Azure "properties" Field  | OpenTelemetry                               | OpenTelemetry Scope |
+|---------------------------|---------------------------------------------|---------------------|
+| `Description`             | `azure.autoscale.description`               | Log Attribute |
+| `ResourceName`            | `azure.autoscale.resource.name`             | Log Attribute |
+| `OldInstancesCount`       | `azure.autoscale.instances.previous_count`  | Log Attribute |
+| `NewInstancesCount`       | `azure.autoscale.instances.count`           | Log Attribute |
+| `LastScaleActionTime`     | `azure.autoscale.resource.last_scale`       | Log Attribute |
+
+### Security
+
+| Azure "properties" Field  | OpenTelemetry                       | OpenTelemetry Scope |
+|---------------------------|-------------------------------------|---------------------|
+| `commandLine`             | `process.command_line`              | Log Attribute |
+| `processName`             | `process.executable.path`           | Log Attribute |
+| `userName`                | `process.owner`                     | Log Attribute |
+| `UserSID`                 | `enduser.id`                        | Log Attribute |
+| `processId`               | `process.pid`                       | Log Attribute |
+| `parentProcess id`        | `process.parent_pid`                | Log Attribute |
+| `accountLogonId`          | `azure.security.account_logon_id`   | Log Attribute |
+| `domainName`              | `azure.security.domain_name`        | Log Attribute |
+| `ActionTaken`             | `azure.security.action_taken`       | Log Attribute |
+| `Severity`                | `azure.security.severity`           | Log Attribute |
+
+### Policy
+
+| Azure "properties" Field  | OpenTelemetry                       | OpenTelemetry Scope |
+|---------------------------|-------------------------------------|---------------------|
+| `isComplianceCheck`       | `azure.policy.compliance_check`     | Log Attribute |
+| `resourceLocation`        | `azure.location`                    | Log Attribute |
+| `ancestors`               | `azure.policy.ancestors`            | Log Attribute |
+| `hierarchy`               | `azure.policy.hierarchy`            | Log Attribute |
+| `policies`                | `azure.policy.policies` (parsed as structured array) | Log Attribute |
+
+### Recommendation
+
+| Azure "properties" Field      | OpenTelemetry                         | OpenTelemetry Scope |
+|-------------------------------|---------------------------------------|---------------------|
+| `recommendationSchemaVersion` | `azure.recommendation.schema_version` | Log Attribute |
+| `recommendationCategory`      | `azure.recommendation.category`       | Log Attribute |
+| `recommendationImpact`        | `azure.recommendation.impact`         | Log Attribute |
+| `recommendationName`          | `azure.recommendation.name`           | Log Attribute |
+| `recommendationResourceLink`  | `azure.recommendation.link`           | Log Attribute |
+| `recommendationType`          | `azure.recommendation.type`           | Log Attribute |
+| `recommendationRisk`          | `azure.recommendation.risk`           | Log Attribute |
+
+### Service Health
+
+| Azure "properties" Field  | OpenTelemetry                               | OpenTelemetry Scope |
+|---------------------------|---------------------------------------------|---------------------|
+| `title`                   | `azure.servicehealth.title`                 | Log Attribute |
+| `service`                 | `azure.servicehealth.service`               | Log Attribute |
+| `region`                  | `azure.servicehealth.region`                | Log Attribute |
+| `communication`           | `azure.servicehealth.communication.body`    | Log Attribute |
+| `communicationId`         | `azure.servicehealth.communication.id`      | Log Attribute |
+| `incidentType`            | `azure.servicehealth.incident.type`         | Log Attribute |
+| `trackingId`              | `azure.servicehealth.tracking.id`           | Log Attribute |
+| `impactStartTime`         | `azure.servicehealth.impact.start`          | Log Attribute |
+| `impactMitigationTime`    | `azure.servicehealth.impact.mitigation`     | Log Attribute |
+| `impactedServices`        | `azure.servicehealth.impact.services` (parsed as structured array) | Log Attribute |
+| `impactType`              | `azure.servicehealth.impact.type`           | Log Attribute |
+| `impactCategory`          | `azure.servicehealth.impact.category`       | Log Attribute |
+| `defaultLanguageTitle`    | `azure.servicehealth.default_language.title`   | Log Attribute |
+| `defaultLanguageContent`  | `azure.servicehealth.default_language.content` | Log Attribute |
+| `stage`                   | `azure.servicehealth.state`                 | Log Attribute |
+| `maintenanceId`           | `azure.servicehealth.maintenance.id`        | Log Attribute |
+| `maintenanceType`         | `azure.servicehealth.maintenance.type`      | Log Attribute |
+| `isHIR`                   | `azure.servicehealth.is_hir`                | Log Attribute |
+| `IsSynthetic`             | `azure.servicehealth.is_synthetic`          | Log Attribute |
+
+### Resource Health
+
+| Azure "properties" Field  | OpenTelemetry                               | OpenTelemetry Scope |
+|---------------------------|---------------------------------------------|---------------------|
+| `title`                   | `azure.resourcehealth.title`                | Log Attribute |
+| `details`                 | `azure.resourcehealth.details`              | Log Attribute |
+| `currentHealthStatus`     | `azure.resourcehealth.state`                | Log Attribute |
+| `previousHealthStatus`    | `azure.resourcehealth.previous_state`       | Log Attribute |
+| `type`                    | `azure.resourcehealth.type`                 | Log Attribute |
+| `cause`                   | `azure.resourcehealth.cause`                | Log Attribute |