microsoft-logstash-output-azure-loganalytics 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +55 -8
- data/VERSION +1 -1
- data/lib/logstash/outputs/microsoft-logstash-output-azure-loganalytics.rb +3 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 178a030469859740207ce35bf63639665662d42302c5a10b3e3c9646a97f33ad
|
|
4
|
+
data.tar.gz: e90ee6beecc15fe88ff0f5da812bbd213c136b9b84a569ee704a397b4dbc150b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 10aca1c15e681831bd84f605daa869c581c500a7f32bce99f16bea23f006e0ebf0029725c6f99416a340e417cc62ed17a97aecdceae0e6c719d7febf1cf6fc2b
|
|
7
|
+
data.tar.gz: e60c8c43520ae0c49387ae21cb0ea7d5fea45dab2633f1e41bb7e0fcf5e9166ec766b92c344fd34e82029c03f28088fb6c9dbfd344e3db8ebb4a8ae8e5fafd41
|
data/README.md
CHANGED
|
@@ -2,9 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
Azure Sentinel provides a new output plugin for Logstash. Using this output plugin, you will be able to send any log you want using Logstash to the Azure Sentinel/Log Analytics workspace
|
|
4
4
|
Today you will be able to send messages to custom logs table that you will define in the output plugin.
|
|
5
|
-
Getting started with Logstash
|
|
5
|
+
[Getting started with Logstash](<https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html>)
|
|
6
6
|
|
|
7
|
-
Azure Sentinel output plugin uses the rest API integration to Log Analytics, in order to ingest the logs into custom logs tables [What are custom logs tables]
|
|
7
|
+
Azure Sentinel output plugin uses the rest API integration to Log Analytics, in order to ingest the logs into custom logs tables [What are custom logs tables](<https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs>)
|
|
8
8
|
|
|
9
9
|
Plugin version: v1.0.0
|
|
10
10
|
Released on: 2020-04-30
|
|
@@ -12,15 +12,15 @@ Released on: 2020-04-30
|
|
|
12
12
|
## Installation
|
|
13
13
|
|
|
14
14
|
Azure Sentinel provides Logstash output plugin to Log analytics workspace.
|
|
15
|
-
Install the microsoft-logstash-output-azure-loganalytics, use Logstash Working with plugins document.
|
|
16
|
-
For offline setup follow Logstash Offline Plugin Management instruction.
|
|
15
|
+
Install the microsoft-logstash-output-azure-loganalytics, use [Logstash Working with plugins](<https://www.elastic.co/guide/en/logstash/current/working-with-plugins.html>) document.
|
|
16
|
+
For offline setup follow [Logstash Offline Plugin Management instruction](<https://www.elastic.co/guide/en/logstash/current/offline-plugins.html>).
|
|
17
17
|
|
|
18
18
|
## Configuration
|
|
19
19
|
|
|
20
20
|
in your Logstash configuration file, add the Azure Sentinel output plugin to the configuration with following values:
|
|
21
21
|
- workspace_id – your workspace ID guid
|
|
22
|
-
- workspace_key – your workspace primary key guid
|
|
23
|
-
- custom_log_table_name – table name, in which the logs will be ingested, limited to one table, the log table will be presented in the logs blade under the custom logs label, with a _CL suffix.
|
|
22
|
+
- workspace_key (primary key) – your workspace primary key guid. You can find your workspace key and id the following path: Home > Log Analytics workspace > Advanced settings
|
|
23
|
+
- custom_log_table_name – table name, in which the logs will be ingested, limited to one table, the log table will be presented in the logs blade under the custom logs label, with a _CL suffix. Table name must be only alpha characters.
|
|
24
24
|
- endpoint – Optional field by default set as log analytics endpoint.
|
|
25
25
|
- time_generated_field – Optional field, this property is used to override the default TimeGenerated field in Log Analytics. Populate this property with the name of the sent data time field.
|
|
26
26
|
- key_names – list of Log analytics output schema fields.
|
|
@@ -34,7 +34,48 @@ Note: View the GitHub to learn more about the sent message’s configuration, pe
|
|
|
34
34
|
Here is an example configuration who parse Syslog incoming data into a custom table named "logstashCustomTableName".
|
|
35
35
|
|
|
36
36
|
### Example Configuration
|
|
37
|
-
|
|
37
|
+
|
|
38
|
+
<u>Basic configuration</u>
|
|
39
|
+
|
|
40
|
+
- Using filebeat input pipe
|
|
41
|
+
|
|
42
|
+
```
|
|
43
|
+
input {
|
|
44
|
+
beats {
|
|
45
|
+
port => "5044"
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
filter {
|
|
49
|
+
}
|
|
50
|
+
output {
|
|
51
|
+
logstash-output-azure {
|
|
52
|
+
workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>
|
|
53
|
+
workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>
|
|
54
|
+
custom_log_table_name => "tableName"
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
```
|
|
58
|
+
- Or using the tcp imput pipe
|
|
59
|
+
|
|
60
|
+
```
|
|
61
|
+
input {
|
|
62
|
+
tcp {
|
|
63
|
+
port => "514"
|
|
64
|
+
type => syslog #optional, will effect log type in table
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
filter {
|
|
68
|
+
}
|
|
69
|
+
output {
|
|
70
|
+
logstash-output-azure {
|
|
71
|
+
workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>
|
|
72
|
+
workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>
|
|
73
|
+
custom_log_table_name => "tableName"
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
<u>Advencaed Configuration</u>
|
|
38
79
|
```
|
|
39
80
|
input {
|
|
40
81
|
tcp {
|
|
@@ -66,4 +107,10 @@ For example:
|
|
|
66
107
|
```
|
|
67
108
|
logger -p local4.warn -t CEF: "0|Microsoft|Device|cef-test|example|data|1|here is some more data for the example" -P 514 -d -n 127.0.0.1
|
|
68
109
|
|
|
69
|
-
```
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
Alternativly you can use netcat to test your configuration:
|
|
113
|
+
|
|
114
|
+
```
|
|
115
|
+
echo "test string" | netcat localhost 514
|
|
116
|
+
```
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.
|
|
1
|
+
0.2.0
|
|
@@ -102,6 +102,9 @@ class LogStash::Outputs::AzureLogAnalytics < LogStash::Outputs::Base
|
|
|
102
102
|
keys_intersection.each do |key|
|
|
103
103
|
document[key] = event_hash[key]
|
|
104
104
|
end
|
|
105
|
+
if document.keys.length < 1
|
|
106
|
+
@logger.warn("No keys found, message is dropped. Plugin keys: #{@key_names}, Event keys: #{event_hash}. The event message do not match event expected structre. Please edit key_names section in output plugin and try again.")
|
|
107
|
+
end
|
|
105
108
|
else
|
|
106
109
|
document = event_hash
|
|
107
110
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: microsoft-logstash-output-azure-loganalytics
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ron Marsiano
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-06-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|