Issue with Log Filtering in ContainerLogV2 using Data Collection Rule

Masdieu, Melvin 20

Hello,

I am experiencing an issue with the following configuration of my Data Collection Rule (DCR):

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "dataCollectionRules_name": {
            "defaultValue": "dcr-integration",
            "type": "String"
        },
        "logAnalyticsWorkspaceId": {
            "defaultValue": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/my-resource-group/providers/microsoft.operationalinsights/workspaces/my-log-workspace",
            "type": "String"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Insights/dataCollectionRules",
            "apiVersion": "2023-03-11",
            "name": "[parameters('dataCollectionRules_name')]",
            "location": "francecentral",
            "kind": "WorkspaceTransforms",
            "properties": {
                "dataSources": {},
                "destinations": {
                    "logAnalytics": [
                        {
                            "workspaceResourceId": "[parameters('logAnalyticsWorkspaceId')]",
                            "name": "log-destination"
                        }
                    ]
                },
                "dataFlows": [
                    {
                        "streams": [
                            "Microsoft-Table-ContainerLogV2"
                        ],
                        "destinations": [
                            "log-destination"
                        ],
                        "transformKql": "source\n| where tostring(LogMessage) !contains \"Picked up _JAVA_OPTIONS\"\n| where tostring(LogMessage) !contains \"Spring Boot\"\n"
                    }
                ]
            }
        }
    ]
}

With this configuration, I expect logs containing "Spring Boot" or "_JAVA_OPTIONS" to be filtered out and not appear in the ContainerLogV2 table. However, these logs are still being ingested.

I also tried modifying my DCR to use the Microsoft-ContainerLogV2 table instead, but this did not change anything.

My issue is simple: logs from my AKS cluster are being sent to ContainerLogV2, and I want to filter out specific messages so they are no longer collected.

Could you help me understand why these filters are not working and how I can correctly apply them?

Thank you in advance for your support.

Best regards, Melvin

Suresh Estharakula 155 Microsoft External Staff

Hi Masdieu, Melvin,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Just checking in to see if you had a chance to review the answer posted by Sina Salam on your question.

We understand from your query that you are experiencing an issue while trying to create DCR rule to get exception of Java and Spring boot.

DCR metrics are collected automatically for all DCRs, and you can analyze them using metrics explorer like the platform metrics for other Azure resources. Input stream is included as a dimension so if you have a DCR with multiple input streams, you can analyze each by filtering or splitting.

| where type in~ ('microsoft.insights/scheduledqueryrules') and ['kind'] !in~ ('LogToMetric')
| extend severity = strcat("Sev", properties["severity"])
| extend enabled = tobool(properties["enabled"])
| where enabled in~ ('true')
| where tolower(properties["targetResourceTypes"]) matches regex 'microsoft.operationalinsights/workspaces($|/.*)?' or tolower(properties["targetResourceType"]) matches regex 'microsoft.operationalinsights/workspaces($|/.*)?' or tolower(properties["scopes"]) matches regex 'providers/microsoft.operationalinsights/workspaces($|/.*)?'
| where properties contains "Perf" or properties  contains "InsightsMetrics" or properties  contains "ContainerInventory" or properties  contains "ContainerNodeInventory" or properties  contains "KubeNodeInventory" or properties  contains"KubePodInventory" or properties  contains "KubePVInventory" or properties  contains "KubeServices" or properties  contains "KubeEvents" 
| project id,name,type,properties,enabled,severity,subscriptionId
| order by tolower(name) asc

Retrieve all error logs for a particular DCR

DCRLogErrors
| where _ResourceId == "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/my-resource-group/providers/microsoft.insights/datacollectionrules/my-dcr"

Please follow the below document for your reference:

https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-data-collection-filter

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-create-edit?tabs=cli

If you found it helpful, could you kindly click the “Accept and upvote” on the post.

If you have any further queries, please let us know we are glad to help you.

1 answer

Sina Salam 18,861

Hello Masdieu, Melvin,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your Data Collection Rule (DCR) is not filtering out specific log messages from ContainerLogV2 as expected.

Logs are not filtered because transformKql applies after ingestion and the correct approach is to apply filtering at the dataSources level.

To resolve this, and to ensures logs containing Spring Boot or _JAVA_OPTIONS are never collected you can do the followings:

Verify the correct log stream name. If the logs originate from ContainerInsights, confirm that the stream in the DCR should be Microsoft-ContainerLogV2 instead of Microsoft-Table-ContainerLogV2. - https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-log-query something like this:
```
  ContainerLogV2
  | summarize count() by SourceSystem
```
Test the filter in Log Analytics before modifying the DCR.
```
  ContainerLogV2
  | where tostring(LogMessage) !contains "Picked up _JAVA_OPTIONS"
  | where tostring(LogMessage) !contains "Spring Boot"
```
If logs still appear, check if LogMessage is a string field. If not, cast it explicitly:
```
  | extend LogMessage = tostring(LogMessage)
```
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/)

Move filtering logic to dataSources in the DCR. Instead of using transformKql inside dataFlows, apply log filtering at the dataSources level using streamDeclarations. Update your DCR to:

  "dataSources": {
      "extensions": [
          {
              "name": "container-logs",
              "streams": ["Microsoft-ContainerLogV2"],
              "extensionName": "ContainerInsights",
              "extensionParameters": {
                  "filtering": {
                      "filter": "tostring(LogMessage) !contains \"Picked up _JAVA_OPTIONS\" and tostring(LogMessage) !contains \"Spring Boot\""
                  }
              }
          }
      ]
  }

Redeploy and verify log ingestion. - https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-azure-cli

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Masdieu, Melvin 20

Hello @Sina Salam

I've done some tests and modifications, thank you for the clarification about the transormation.

I have updated the configuration as follows :

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "dataCollectionRules_snowsat_dcr_integration_name": {
            "defaultValue": "dcr-integration",
            "type": "String"
        },
        "workspaces_snowsat_log_integration_externalid": {
            "defaultValue": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxx-rg-integration/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxx-log-integration",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Insights/dataCollectionRules",
            "apiVersion": "2023-03-11",
            "name": "[parameters('dataCollectionRules_snowsat_dcr_integration_name')]",
            "location": "francecentral",
            "kind": "Linux",
            "properties": {
                "dataSources": {
                    "extensions": [
                        {
                            "streams": [
                                "Microsoft-ContainerLogV2"
                            ],
                            "extensionName": "ContainerInsights",
                            "extensionSettings": {
                                "filtering": {
                                    "filter": "tostring(LogMessage) !contains \"Picked up _JAVA_OPTIONS\" and tostring(LogMessage) !contains \"Spring Boot\""
                                }
                            },
                            "inputDataSources": [],
                            "name": "container-logs"
                        }
                    ]
                },
                "destinations": {
                    "logAnalytics": [
                        {
                            "workspaceResourceId": "[parameters('workspaces_snowsat_log_integration_externalid')]",
                            "name": "la-workspace"
                        }
                    ]
                },
                "dataFlows": [
                    {
                        "streams": [
                            "Microsoft-ContainerLogV2"
                        ],
                        "destinations": [
               				"la-workspace"
                        ]
                    }
                ]
            }
        }
    ]
}

Unfortunately, this does not resolve the issue, and I am still seeing logs in containerlogv2.

However, I noticed that another DCR has been automatically created with the following configuration :

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "dataCollectionRules_MSCI_francecentral_snowsat_k8s_integration_name": {
            "defaultValue": "xxxxxxxx-francecentral-xxxxxxxx-integration",
            "type": "String"
        },
        "workspaces_snowsat_log_integration_externalid": {
            "defaultValue": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxx-rg-integration/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxx-log-integration",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Insights/dataCollectionRules",
            "apiVersion": "2023-03-11",
            "name": "[parameters('dataCollectionRules_MSCI_francecentral_snowsat_k8s_integration_name')]",
            "location": "francecentral",
            "kind": "Linux",
            "properties": {
                "dataSources": {
                    "syslog": [],
                    "extensions": [
                        {
                            "streams": [
                                "Microsoft-ContainerInsights-Group-Default"
                            ],
                            "extensionName": "ContainerInsights",
                            "extensionSettings": {
                                "dataCollectionSettings": {
                                    "interval": "5m",
                                    "namespaceFilteringMode": "Exclude",
                                    "namespaces": [
                                        "kube-system",
                                        "gatekeeper-system",
                                        "keda",
                                        "calico-system",
                                        "tigera-operator"
                                    ],
                                    "enableContainerLogV2": true
                                }
                            },
                            "name": "ContainerInsightsExtension"
                        }
                    ]
                },
                "destinations": {
                    "logAnalytics": [
                        {
                            "workspaceResourceId": "[parameters('workspaces_snowsat_log_integration_externalid')]",
                            "name": "la-workspace"
                        }
                    ]
                },
                "dataFlows": [
                    {
                        "streams": [
                            "Microsoft-ContainerInsights-Group-Default"
                        ],
                        "destinations": [
                            "la-workspace"
                        ]
                    }
                ]
            }
        }
    ]
}

Could there be a conflict between these two configurations? or am I missing something in the first configuration?

Thank you for your help !
Melvin

Sina Salam 18,861 Reputation points

2025-02-26T16:30:04.3333333+00:00
Hello Masdieu, Melvin,

Thanks for your feedback.

There is misconfiguration in extension parameters. The filter was placed under extensionSettings instead of extensionParameters see Microsoft Docs - https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-data-collection-filter#configure-log-filtering

Also, the second, automatically generated DCR (using Microsoft-ContainerInsights-Group-Default) is likely collecting unfiltered logs, overriding your custom DCR.

STEPS:

Modify the dataSources section to use extensionParameters (not extensionSettings):
"dataSources": { "extensions": [ { "streams": ["Microsoft-ContainerLogV2"], "extensionName": "ContainerInsights", "extensionParameters": { // Correct parameter name "filtering": { "filter": "tostring(LogMessage) !contains 'Picked up _JAVA_OPTIONS' and tostring(LogMessage) !contains 'Spring Boot'" } }, "name": "container-logs" } ] }

If the automatic DCR (Microsoft-ContainerInsights-Group-Default) is managed by Azure Monitor for Containers, disable it by:

Navigate to your AKS cluster > Insights > Configure.

Toggle off "Enable Azure Monitor for Containers."

Or follow instruction in the link on how to Disable Container Insights - https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-optout Or you can even modify the Automatic DCR by adding the same filter to the automatic DCR’s configuration.

If logs stop, gradually refine the filter. If not, check DCR priority or AMA version.

Success

Masdieu, Melvin 20

Hello @Sina Salam

Thank you for the details, I tried almost everything, but it's not working...

I created the DCR with terraform, and it create the resource with extensionSettings

 data_sources {
    extension {
      extension_name = "ContainerInsights"
      name           = "container-logs"
      streams        = ["Microsoft-ContainerLogV2"]
      extension_json = jsonencode({
        filtering = {
          filter = "tostring(LogMessage) !contains \"Picked up _JAVA_OPTIONS\" and tostring(LogMessage) !contains \"Spring Boot\""
        }
      })
    }
  }

About container insights, we use it a lot, I'm not sure about disabled it. We will lose all of the analysis it provides.
And when I tried to overwrite the automatic DCR with the filter, it allow me everything but doesn't take the filter in his configuration. The configuration returned by azure cli is that :
There is everything but not the extensionParameters

Data source sent :

"dataSources": {
    "extensions": [
      {
        "extensionName": "ContainerInsights",
        "extensionParameters": {  
          "filtering": {
            "filter": "tostring(LogMessage) !contains 'Picked up _JAVA_OPTIONS' and tostring(LogMessage) !contains 'Spring Boot'"
          }
        },
        "extensionSettings": {
          "dataCollectionSettings": {
            "enableContainerLogV2": true,
            "interval": "5m",
            "namespaceFilteringMode": "Exclude",
            "namespaces": [
              "kube-system",
              "gatekeeper-system",
              "keda",
              "calico-system",
              "tigera-operator"
            ]
          }
        },
        "name": "ContainerInsightsExtension",
        "streams": [
          "Microsoft-ContainerInsights-Group-Default",
          "Microsoft-ContainerLogV2"
        ]
      }
    ],
    "syslog": []
  }

Data source got from azure cli when command has been validated

{
  "dataSources": {
    "extensions": [
      {
        "extensionName": "ContainerInsights",
        "extensionSettings": {
          "dataCollectionSettings": {
            "enableContainerLogV2": true,
            "interval": "5m",
            "namespaceFilteringMode": "Exclude",
            "namespaces": [
              "kube-system",
              "gatekeeper-system",
              "keda",
              "calico-system",
              "tigera-operator"
            ]
          }
        },
        "name": "ContainerInsightsExtension",
        "streams": [
          "Microsoft-ContainerInsights-Group-Default",
          "Microsoft-ContainerLogV2"
        ]
      }
    ],
    "syslog": []
  }
}

Thank you for your help.
Hope we will find a solution

Melvin

Sina Salam 18,861 Reputation points

2025-02-28T14:26:24.2966667+00:00
Hello Masdieu, Melvin,

Thanks always for detailed feedback.

There is something you're not just doing right. This reply is to clear the air and know what is right to get your goals.

Follow these guides:

My first response correctly identified the mistake of applying transformKql after ingestion.

My second response correctly pointed ou the misplacement of filtering rules under extensionSettings instead of extensionParameters.

However, if you do not understand steps to identify and disable conflicting DCRs, which is the root cause of unfiltered logs.

Follow the steps outlined below to ensure logs are correctly filtered before ingestion, also use each reference links for more details and more reading:

Verify and Disable Automatically Created DCRs (If Needed)
# Check if the auto-generated DCR is active: az monitor data-collection rule list --resource-group <resource-group-name> # The command above lists all data collection rules (DCRs) in the specified # resource group. Look for the `Microsoft-ContainerInsights-Group-Default` # DCR in the output. # If `Microsoft-ContainerInsights-Group-Default` is active and unfiltered, # disable the default AKS monitoring: az aks disable-addons --addons monitoring --name <aks-cluster-name> --resource-group <resource-group-name>
This command disables the monitoring add-on for the specified AKS cluster. Note the corrected flag --addons instead of -a for better clarity and consistency with Azure CLI documentation - https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-associations and https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview

Verify That Filtering Is in extensionParameters (Not extensionSettings) Correct JSON placement:
"dataSources": { "extensions": [ { "streams": ["Microsoft-ContainerLogV2"], "extensionName": "ContainerInsights", "extensionParameters": { "filtering": { "filter": "tostring(LogMessage) !contains \"Picked up _JAVA_OPTIONS\" and tostring(LogMessage) !contains \"Spring Boot\"" } }, "name": "container-logs" } ] }
How to configure Log Filtering in Container Insights. - https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-data-collection-filter configure-log-filtering

Ensure No Conflicting DCRs Are Overriding Filters
# List all active DCRs applied to the AKS cluster: az monitor data-collection rule list --resource-group <your-resource-group> --output table # If an automatically created DCR (`Microsoft-ContainerInsights-Group- Default`) # is collecting logs without filtering , it must be modified or disabled: az monitor data-collection rule delete --name <auto-generated-dcr-name> --resource-group <your-resource-group>
Alternatively, update its configuration to apply the same filtering rules . https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-azure-cli

Deploy and verify that Filtering works , after making changes, ensure the correct logs are filtered:
ContainerLogV2 | where tostring(LogMessage) contains "Picked up _JAVA_OPTIONS" or tostring(LogMessage) contains "Spring Boot"
If the query returns no results , filtering is working and if logs still appear, recheck if another DCR is collecting unfiltered data.

Ensure Filtering Is applied at the Right Level: You can modify the user’s custom DCR to use extensionParameters instead of extensionSettings:
"dataSources": { "extensions": [ { "name": "container-logs", "streams": ["Microsoft-ContainerLogV2"], "extensionName": "ContainerInsights", "extensionParameters": { "filtering": { "filter": "tostring(LogMessage) !contains \"Picked up _JAVA_OPTIONS\" and tostring(LogMessage) !contains \"Spring Boot\"" } } } ] }
https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-data-collection-filter configure-log-filtering

FINALY NOTE THE FOLLOWINGS:

If a conflicting DCR is active, logs may still be unfiltered even if the your custom DCR is correct.

Deleting Microsoft-ContainerInsights-Group-Default without applying a new DCR may break monitoring.

If extensionParameters is misplaced in JSON, filtering rules may not apply.

Disabling AKS Monitoring (az aks disable-addons) May Not Be Ideal:

If Microsoft-ContainerInsights-Group-Default is disabled, but no alternative DCR is applied, logs may stop being collected altogether.

Instead of disabling, consider modifying the default DCR to apply filtering.

Deleting Auto-Generated DCR (az monitor data-collection rule delete) is Risky

Deleting the default DCR might disrupt existing monitoring configurations.

Instead of deleting, modify the DCR to apply the correct filtering settings.

Incorrect Filtering Placement (If extensionParameters is Used in the Wrong Context)

Ensure extensionParameters is applied under the correct hierarchy in the DCR JSON.

Some versions of Container Insights may require updates to recognize this setting properly.

Filtering Validation (ContainerLogV2 Query May Not Show All Unfiltered Logs)

The validation query checks if filtered logs do not appear, but if another unfiltered DCR exists, logs may still be collected from another source.

Ensure all DCRs are inspected for overlapping log collection.

Goodluck

Share via

Issue with Log Filtering in ContainerLogV2 using Data Collection Rule

1 answer

Your answer