Remove attributes from body and add them as log record attributes for FrontDoorAccessLog log category #40453

Open
constanca-m opened this issue Jun 3, 2025 · 2 comments · May be fixed by #40454
Component(s)

pkg/translator/azurelogs

Is your feature request related to a problem? Please describe.

Parent issue is #39186.

Describe the solution you'd like

When the record attributes are part of the body, it is not possible to query the record by these attributes. To achieve that, we need to add explicit support for the current categories.

This issue approaches the category FrontDoorAccessLog (the goal is to handle all the other categories currently upstream as well).

This is an example of a log of this category.

```json
{
   "time":"2025-04-24T13:14:28.0000000Z",
   "resourceId":"/SUBSCRIPTIONS/OPENTELEMETRY-AZURE-SUB/RESOURCEGROUPS/OPENTELEMETRY-FRONTDOOR/PROVIDERS/MICROSOFT.CDN/PROFILES/OPENTELEMETRY-FRONTDOOR-PROFILE",
   "category":"FrontDoorAccessLog",
   "operationName":"Microsoft.Cdn/Profiles/AccessLog/Write",
   "properties":{
      "trackingReference":"20250424T131428Z-17587c8c466d76czhC1PARprs40000000q8g00000000d67w",
      "httpMethod":"GET",
      "httpVersion":"2.0.0.0",
      "requestUri":"https://opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net:443/",
      "sni":"opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net",
      "requestBytes":"60",
      "responseBytes":"1624",
      "userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:137.0) Gecko/20100101 Firefox/137.0",
      "clientIp":"2001:1c00:3280:6700:fbfa:bf04:1296:ebfc",
      "clientPort":"55262",
      "socketIp":"2001:1c00:3280:6700:fbfa:bf04:1296:ebfc",
      "timeToFirstByte":"0.035",
      "timeTaken":"0.035",
      "requestProtocol":"HTTPS",
      "securityProtocol":"TLS 1.3",
      "rulesEngineMatchNames":[],
      "httpStatusCode":"200",
      "httpStatusDetails":"200",
      "pop":"PAR",
      "cacheStatus":"CONFIG_NOCACHE",
      "errorInfo":"NoError",
      "ErrorInfo":"NoError",
      "result":"N/A",
      "endpoint":"opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net",
      "routingRuleName":"opentelemetry-frontdoor-route",
      "hostName":"opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net",
      "originUrl":"https://opentelemetry-app.azurewebsites.net:443/",
      "originIp":"23.100.1.29:443",
      "originName":"opentelemetry-app.azurewebsites.net:443",
      "originCryptProtocol":"N/A",
      "referer":"",
      "clientCountry":"Netherlands",
      "domain":"6d63ff6a-6a29-4702-bcc0-533a432cc7fa:443",
      "securityCipher":"TLS_AES_256_GCM_SHA384",
      "securityCurves":"0x11ec:X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101"
   }
}
```

The proposed log attributes are:

| Original Field (JSON) | Log Record Attribute |
| --- | --- |
| trackingReference | azure.ref |
| httpMethod | http.request.method |
| httpVersion | network.protocol.version |
| requestUri | url.original<br>Also parses it to get fields:<br>1. url.scheme<br>2. url.fragment<br>3. url.query<br>4. url.path<br>5. url.port |
| sni | tls.server.name |
| requestBytes | http.request.size |
| responseBytes | http.response.size |
| userAgent | user_agent.original |
| clientIp | client.address |
| clientPort | client.port |
| socketIp | source.address |
| timeToFirstByte | azure.time_to_first_byte |
| timeTaken | duration |
| requestProtocol | network.protocol.name |
| securityProtocol | 1. tls.protocol.name<br>2. tls.protocol.version |
| httpStatusCode | http.response.status_code |
| pop | azure.pop |
| cacheStatus | azure.cache_status |
| errorInfo | exception.type |
| ErrorInfo | Same as errorInfo |
| endpoint | Either:<br>1. destination.address if it is equal to hostName<br>2. network.peer.address otherwise. |
| hostName | 1. destination.address<br>2. destination.port, if any |
| securityCurves | tls.curve |
| securityCipher | tls.cipher |
| OriginIP | Split in:<br>1. server.address<br>2. server.port |

This means that the example log I put above will end up as:

```yaml
resourceLogs:
  - resource:
      attributes:
        - key: cloud.provider
          value:
            stringValue: azure
        - key: cloud.resource_id
          value:
            stringValue: /SUBSCRIPTIONS/OPENTELEMETRY-AZURE-SUB/RESOURCEGROUPS/OPENTELEMETRY-FRONTDOOR/PROVIDERS/MICROSOFT.CDN/PROFILES/OPENTELEMETRY-FRONTDOOR-PROFILE
        - key: event.name
          value:
            stringValue: az.resource.log
    scopeLogs:
      - logRecords:
          - attributes:
              - key: http.request.size
                value:
                  intValue: "60"
              - key: http.response.size
                value:
                  intValue: "60"
              - key: client.port
                value:
                  intValue: "55262"
              - key: http.response.status_code
                value:
                  intValue: "200"
              - key: azure.time_to_first_byte
                value:
                  intValue: "35"
              - key: duration
                value:
                  intValue: "35"
              - key: url.original
                value:
                  stringValue: https://opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net:443/
              - key: url.port
                value:
                  intValue: "443"
              - key: url.scheme
                value:
                  stringValue: https
              - key: url.path
                value:
                  stringValue: /
              - key: tls.protocol.name
                value:
                  stringValue: TLS
              - key: tls.protocol.version
                value:
                  stringValue: "1.3"
              - key: destination.address
                value:
                  stringValue: opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net
              - key: server.address
                value:
                  stringValue: 23.100.1.29
              - key: server.port
                value:
                  intValue: "443"
              - key: azure.ref
                value:
                  stringValue: 20250424T131428Z-17587c8c466d76czhC1PARprs40000000q8g00000000d67w
              - key: http.request.method
                value:
                  stringValue: GET
              - key: network.protocol.version
                value:
                  stringValue: 2.0.0.0
              - key: network.protocol.name
                value:
                  stringValue: HTTPS
              - key: tls.server.name
                value:
                  stringValue: opentelemetry-test-fmagg0exgdcfhefq.z01.azurefd.net
              - key: user_agent.original
                value:
                  stringValue: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:137.0) Gecko/20100101 Firefox/137.0
              - key: client.address
                value:
                  stringValue: 2001:1c00:3280:6700:fbfa:bf04:1296:ebfc
              - key: source.address
                value:
                  stringValue: 2001:1c00:3280:6700:fbfa:bf04:1296:ebfc
              - key: azure.pop
                value:
                  stringValue: PAR
              - key: azure.cache_status
                value:
                  stringValue: CONFIG_NOCACHE
              - key: tls.curve
                value:
                  stringValue: 0x11ec:X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101
              - key: tls.cipher
                value:
                  stringValue: TLS_AES_256_GCM_SHA384
              - key: azure.category
                value:
                  stringValue: FrontDoorAccessLog
              - key: azure.operation.name
                value:
                  stringValue: Microsoft.Cdn/Profiles/AccessLog/Write
            body: {}
            spanId: ""
            timeUnixNano: "1745500468000000000"
            traceId: ""
        scope:
          name: otelcol/azureresourcelogs
          version: 1.2.3
```

Describe alternatives you've considered

N/A

Additional context

N/A
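The derived rows of the mapping table in the issue above (`requestUri`, `securityProtocol`, `originIp`, `hostName`, `endpoint`), sketched in Go as an added example that is not part of the issue or the project's code. `mapFrontDoorProps` is a hypothetical name, it assumes `properties` has already been decoded into string fields, and it leaves out `url.query` and `url.fragment`.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// mapFrontDoorProps is a hypothetical helper (not the translator's code) for the derived rows.
func mapFrontDoorProps(p map[string]string) map[string]any {
	a := map[string]any{}
	setPort := func(key, port string) { // ports are emitted as integers
		if n, err := strconv.Atoi(port); err == nil {
			a[key] = n
		}
	}
	raw := p["requestUri"]
	if u, err := url.Parse(raw); err == nil && raw != "" {
		a["url.original"], a["url.scheme"], a["url.path"] = raw, u.Scheme, u.Path
		setPort("url.port", u.Port())
	}
	// "TLS 1.3" -> name and version; a value without a space, such as "N/A", is skipped.
	if name, ver, ok := strings.Cut(p["securityProtocol"], " "); ok {
		a["tls.protocol.name"], a["tls.protocol.version"] = name, ver
	}
	if host, port, err := net.SplitHostPort(p["originIp"]); err == nil {
		a["server.address"] = host // "[v6]:port" is split correctly as well
		setPort("server.port", port)
	}
	dst := p["hostName"] // hostName -> destination.address, and destination.port if any
	if host, port, err := net.SplitHostPort(dst); err == nil {
		dst = host
		setPort("destination.port", port)
	}
	if dst != "" {
		a["destination.address"] = dst
	}
	// endpoint equal to hostName is already destination.address; otherwise it is a peer.
	if ep := p["endpoint"]; ep != "" && ep != p["hostName"] {
		a["network.peer.address"] = ep
	}
	return a
}

func main() { // constructed input, reduced from the sample log in the issue
	fmt.Println(mapFrontDoorProps(map[string]string{"originIp": "23.100.1.29:443", "securityProtocol": "TLS 1.3"}))
}
```

With these fields promoted to typed attributes, a query can filter on `tls.protocol.version` or `server.address` directly instead of parsing the body.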

@constanca-m added the enhancement (New feature or request) and needs triage (New item requiring triage) labels Jun 3, 2025
@constanca-m
Contributor Author

/labels -needs-triage

Contributor

github-actions bot commented Jun 3, 2025

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

github-actions bot removed the needs triage (New item requiring triage) label Jun 3, 2025