microsoft-logstash-output-azure-loganalytics 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +55 -8
- data/VERSION +1 -1
- data/lib/logstash/outputs/microsoft-logstash-output-azure-loganalytics.rb +3 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 178a030469859740207ce35bf63639665662d42302c5a10b3e3c9646a97f33ad
|
|
4
|
+
data.tar.gz: e90ee6beecc15fe88ff0f5da812bbd213c136b9b84a569ee704a397b4dbc150b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 10aca1c15e681831bd84f605daa869c581c500a7f32bce99f16bea23f006e0ebf0029725c6f99416a340e417cc62ed17a97aecdceae0e6c719d7febf1cf6fc2b
|
|
7
|
+
data.tar.gz: e60c8c43520ae0c49387ae21cb0ea7d5fea45dab2633f1e41bb7e0fcf5e9166ec766b92c344fd34e82029c03f28088fb6c9dbfd344e3db8ebb4a8ae8e5fafd41
|
data/README.md
CHANGED
|
@@ -2,9 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
Azure Sentinel provides a new output plugin for Logstash. Using this output plugin, you will be able to send any log you want using Logstash to the Azure Sentinel/Log Analytics workspace
|
|
4
4
|
Today you will be able to send messages to custom logs table that you will define in the output plugin.
|
|
5
|
-
Getting started with Logstash
|
|
5
|
+
[Getting started with Logstash](<https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html>)
|
|
6
6
|
|
|
7
|
-
Azure Sentinel output plugin uses the rest API integration to Log Analytics, in order to ingest the logs into custom logs tables [What are custom logs tables]
|
|
7
|
+
Azure Sentinel output plugin uses the rest API integration to Log Analytics, in order to ingest the logs into custom logs tables [What are custom logs tables](<https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs>)
|
|
8
8
|
|
|
9
9
|
Plugin version: v1.0.0
|
|
10
10
|
Released on: 2020-04-30
|
|
@@ -12,15 +12,15 @@ Released on: 2020-04-30
|
|
|
12
12
|
## Installation
|
|
13
13
|
|
|
14
14
|
Azure Sentinel provides Logstash output plugin to Log analytics workspace.
|
|
15
|
-
Install the microsoft-logstash-output-azure-loganalytics, use Logstash Working with plugins document.
|
|
16
|
-
For offline setup follow Logstash Offline Plugin Management instruction.
|
|
15
|
+
Install the microsoft-logstash-output-azure-loganalytics, use [Logstash Working with plugins](<https://www.elastic.co/guide/en/logstash/current/working-with-plugins.html>) document.
|
|
16
|
+
For offline setup follow [Logstash Offline Plugin Management instruction](<https://www.elastic.co/guide/en/logstash/current/offline-plugins.html>).
|
|
17
17
|
|
|
18
18
|
## Configuration
|
|
19
19
|
|
|
20
20
|
in your Logstash configuration file, add the Azure Sentinel output plugin to the configuration with following values:
|
|
21
21
|
- workspace_id – your workspace ID guid
|
|
22
|
-
- workspace_key – your workspace primary key guid
|
|
23
|
-
- custom_log_table_name – table name, in which the logs will be ingested, limited to one table, the log table will be presented in the logs blade under the custom logs label, with a _CL suffix.
|
|
22
|
+
- workspace_key (primary key) – your workspace primary key guid. You can find your workspace key and id the following path: Home > Log Analytics workspace > Advanced settings
|
|
23
|
+
- custom_log_table_name – table name, in which the logs will be ingested, limited to one table, the log table will be presented in the logs blade under the custom logs label, with a _CL suffix. Table name must be only alpha characters.
|
|
24
24
|
- endpoint – Optional field by default set as log analytics endpoint.
|
|
25
25
|
- time_generated_field – Optional field, this property is used to override the default TimeGenerated field in Log Analytics. Populate this property with the name of the sent data time field.
|
|
26
26
|
- key_names – list of Log analytics output schema fields.
|
|
@@ -34,7 +34,48 @@ Note: View the GitHub to learn more about the sent message’s configuration, pe
|
|
|
34
34
|
Here is an example configuration who parse Syslog incoming data into a custom table named "logstashCustomTableName".
|
|
35
35
|
|
|
36
36
|
### Example Configuration
|
|
37
|
-
|
|
37
|
+
|
|
38
|
+
<u>Basic configuration</u>
|
|
39
|
+
|
|
40
|
+
- Using filebeat input pipe
|
|
41
|
+
|
|
42
|
+
```
|
|
43
|
+
input {
|
|
44
|
+
beats {
|
|
45
|
+
port => "5044"
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
filter {
|
|
49
|
+
}
|
|
50
|
+
output {
|
|
51
|
+
logstash-output-azure {
|
|
52
|
+
workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>
|
|
53
|
+
workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>
|
|
54
|
+
custom_log_table_name => "tableName"
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
```
|
|
58
|
+
- Or using the tcp imput pipe
|
|
59
|
+
|
|
60
|
+
```
|
|
61
|
+
input {
|
|
62
|
+
tcp {
|
|
63
|
+
port => "514"
|
|
64
|
+
type => syslog #optional, will effect log type in table
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
filter {
|
|
68
|
+
}
|
|
69
|
+
output {
|
|
70
|
+
logstash-output-azure {
|
|
71
|
+
workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>
|
|
72
|
+
workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>
|
|
73
|
+
custom_log_table_name => "tableName"
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
<u>Advencaed Configuration</u>
|
|
38
79
|
```
|
|
39
80
|
input {
|
|
40
81
|
tcp {
|
|
@@ -66,4 +107,10 @@ For example:
|
|
|
66
107
|
```
|
|
67
108
|
logger -p local4.warn -t CEF: "0|Microsoft|Device|cef-test|example|data|1|here is some more data for the example" -P 514 -d -n 127.0.0.1
|
|
68
109
|
|
|
69
|
-
```
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
Alternativly you can use netcat to test your configuration:
|
|
113
|
+
|
|
114
|
+
```
|
|
115
|
+
echo "test string" | netcat localhost 514
|
|
116
|
+
```
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.
|
|
1
|
+
0.2.0
|
|
@@ -102,6 +102,9 @@ class LogStash::Outputs::AzureLogAnalytics < LogStash::Outputs::Base
|
|
|
102
102
|
keys_intersection.each do |key|
|
|
103
103
|
document[key] = event_hash[key]
|
|
104
104
|
end
|
|
105
|
+
if document.keys.length < 1
|
|
106
|
+
@logger.warn("No keys found, message is dropped. Plugin keys: #{@key_names}, Event keys: #{event_hash}. The event message do not match event expected structre. Please edit key_names section in output plugin and try again.")
|
|
107
|
+
end
|
|
105
108
|
else
|
|
106
109
|
document = event_hash
|
|
107
110
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: microsoft-logstash-output-azure-loganalytics
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ron Marsiano
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-06-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|