microsoft-logstash-output-azure-loganalytics 0.1.0 → 1.0.0
- checksums.yaml +4 -4
- data/LICENSE +21 -0
- data/README.md +59 -9
- data/VERSION +1 -1
- data/lib/logstash/logAnalyticsClient/logStashAutoResizeBuffer.rb +5 -5
- data/lib/logstash/logAnalyticsClient/logstashLoganalyticsConfiguration.rb +5 -2
- data/lib/logstash/outputs/microsoft-logstash-output-azure-loganalytics.rb +5 -1
- data/microsoft-logstash-output-azure-loganalytics.gemspec +2 -3
- metadata +5 -17
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d544e890ad76c1a72e3f4ddf36467c9b3bb21d9dfa48fad8abc41f901ef19ce6
|
4
|
+
data.tar.gz: e4209caf755ef5fe6f94457cd1345463ca006fd5ac73ac231f0cb21b602fd777
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b3e020ee1fde56eaf5f88a1323f1d978f18f4b6f2b60d7371acee1ace40b02a33529e9ae0df166f16f7558a4da13559be09b56352f7b0bde67b46db224d06106
|
7
|
+
data.tar.gz: ddb127a68f7bd0cd4a6058666b3ed5bdee5a4ce88ca60e337ab72282a012698d99cbfc83af88fe2b8425c4bed423b34f183d8af15a937c1d611611d4293f8570
|
data/LICENSE
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
MIT License
|
2
|
+
|
3
|
+
Copyright (c) Microsoft Corporation. All rights reserved.
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
13
|
+
copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
21
|
+
SOFTWARE
|
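Review bot: line 21 of the added LICENSE ends with "SOFTWARE" and no closing period; the canonical MIT text ends "SOFTWARE.", and keeping the wording exact avoids spurious mismatches from license scanners that compare against the reference text.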
data/README.md
CHANGED
@@ -2,25 +2,28 @@
|
|
2
2
|
|
3
3
|
Azure Sentinel provides a new output plugin for Logstash. Using this output plugin, you will be able to send any log you want using Logstash to the Azure Sentinel/Log Analytics workspace
|
4
4
|
Today you will be able to send messages to custom logs table that you will define in the output plugin.
|
5
|
-
Getting started with Logstash
|
5
|
+
[Getting started with Logstash](<https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html>)
|
6
6
|
|
7
|
-
Azure Sentinel output plugin uses the rest API integration to Log Analytics, in order to ingest the logs into custom logs tables [What are custom logs tables]
|
7
|
+
Azure Sentinel output plugin uses the rest API integration to Log Analytics, in order to ingest the logs into custom logs tables [What are custom logs tables](<https://docs.microsoft.com/azure/azure-monitor/platform/data-sources-custom-logs>)
|
8
8
|
|
9
|
-
Plugin version:
|
10
|
-
Released on: 2020-
|
9
|
+
Plugin version: v0.3.0
|
10
|
+
Released on: 2020-06-23
|
11
|
+
|
12
|
+
This plugin is currently in development and is free to use. We welcome contributions from the open source community on this project, and we request and appreciate feedback from users.
|
11
13
|
|
12
14
|
## Installation
|
13
15
|
|
14
16
|
Azure Sentinel provides Logstash output plugin to Log analytics workspace.
|
15
|
-
Install the microsoft-logstash-output-azure-loganalytics, use Logstash Working with plugins document.
|
16
|
-
For offline setup follow Logstash Offline Plugin Management instruction.
|
17
|
+
Install the microsoft-logstash-output-azure-loganalytics, use [Logstash Working with plugins](<https://www.elastic.co/guide/en/logstash/current/working-with-plugins.html>) document.
|
18
|
+
For offline setup follow [Logstash Offline Plugin Management instruction](<https://www.elastic.co/guide/en/logstash/current/offline-plugins.html>).
|
17
19
|
|
18
20
|
## Configuration
|
19
21
|
|
20
22
|
in your Logstash configuration file, add the Azure Sentinel output plugin to the configuration with following values:
|
21
23
|
- workspace_id – your workspace ID guid
|
22
|
-
- workspace_key – your workspace primary key guid
|
24
|
+
- workspace_key (primary key) – your workspace primary key guid. You can find your workspace key and id the following path: Home > Log Analytics workspace > Advanced settings
|
23
25
|
- custom_log_table_name – table name, in which the logs will be ingested, limited to one table, the log table will be presented in the logs blade under the custom logs label, with a _CL suffix.
|
26
|
+
Table name must be only alpha characters, and shoud not exceed 100 characters.
|
24
27
|
- endpoint – Optional field by default set as log analytics endpoint.
|
25
28
|
- time_generated_field – Optional field, this property is used to override the default TimeGenerated field in Log Analytics. Populate this property with the name of the sent data time field.
|
26
29
|
- key_names – list of Log analytics output schema fields.
|
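Review bot: new line 26 ("Table name must be only alpha characters, and shoud not exceed 100 characters.") contradicts the validation this same release ships in logstashLoganalyticsConfiguration.rb, which accepts letters, digits and underscore; change it to "Table name must contain only letters, numbers and underscores, and must not exceed 100 characters." (which also fixes "shoud"). Lines 9-10 stamp the README as "Plugin version: v0.3.0" and "Released on: 2020-06-23", while VERSION, the gemspec and metadata in this diff say 1.0.0 and 2020-08-26; pick one source of truth. Line 24 tells users to paste the workspace primary key into the Logstash config file; since that key authorises writes to the workspace, the README should at least mention keeping it out of the plain-text config, for example via the Logstash keystore and `workspace_key => "${WORKSPACE_KEY}"`.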
@@ -34,7 +37,48 @@ Note: View the GitHub to learn more about the sent message’s configuration, pe
|
|
34
37
|
Here is an example configuration who parse Syslog incoming data into a custom table named "logstashCustomTableName".
|
35
38
|
|
36
39
|
### Example Configuration
|
37
|
-
|
40
|
+
|
41
|
+
<u>Basic configuration</u>
|
42
|
+
|
43
|
+
- Using filebeat input pipe
|
44
|
+
|
45
|
+
```
|
46
|
+
input {
|
47
|
+
beats {
|
48
|
+
port => "5044"
|
49
|
+
}
|
50
|
+
}
|
51
|
+
filter {
|
52
|
+
}
|
53
|
+
output {
|
54
|
+
logstash-output-azure {
|
55
|
+
workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>
|
56
|
+
workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>
|
57
|
+
custom_log_table_name => "tableName"
|
58
|
+
}
|
59
|
+
}
|
60
|
+
```
|
61
|
+
- Or using the tcp input pipe
|
62
|
+
|
63
|
+
```
|
64
|
+
input {
|
65
|
+
tcp {
|
66
|
+
port => "514"
|
67
|
+
type => syslog #optional, will effect log type in table
|
68
|
+
}
|
69
|
+
}
|
70
|
+
filter {
|
71
|
+
}
|
72
|
+
output {
|
73
|
+
logstash-output-azure {
|
74
|
+
workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>
|
75
|
+
workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>
|
76
|
+
custom_log_table_name => "tableName"
|
77
|
+
}
|
78
|
+
}
|
79
|
+
```
|
80
|
+
|
81
|
+
<u>Advencaed Configuration</u>
|
38
82
|
```
|
39
83
|
input {
|
40
84
|
tcp {
|
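Review bot: both example output blocks (lines 54 and 73) are named `logstash-output-azure`, which does not match the gem name `microsoft-logstash-output-azure-loganalytics` used in the Installation section; confirm the plugin's registered config_name and use it here, since a name Logstash cannot resolve fails the pipeline at startup. The examples also embed a realistic-looking `workspace_key` on lines 56 and 75; a placeholder such as `"${WORKSPACE_KEY}"` (Logstash keystore) avoids teaching readers to commit the key in a config file. The `tcp` input on port 514 (line 66) has no `ssl_enable`, so syslog from remote senders crosses the network in clear and port 514 needs elevated privileges to bind; a one-line caveat would help. Line 81: "Advencaed" should be "Advanced".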
@@ -66,4 +110,10 @@ For example:
|
|
66
110
|
```
|
67
111
|
logger -p local4.warn -t CEF: "0|Microsoft|Device|cef-test|example|data|1|here is some more data for the example" -P 514 -d -n 127.0.0.1
|
68
112
|
|
69
|
-
```
|
113
|
+
```
|
114
|
+
|
115
|
+
Alternativly you can use netcat to test your configuration:
|
116
|
+
|
117
|
+
```
|
118
|
+
echo "test string" | netcat localhost 514
|
119
|
+
```
|
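Review bot: the `logger` test on line 111 passes `-d`, which in util-linux logger means "use datagrams (UDP) only", but the example configuration above listens with the `tcp` input on port 514, so this command never reaches the pipeline; drop `-d` (or use `-T`/`--tcp`) so the transport matches the input. The netcat alternative on line 118 does use TCP and is fine. Line 115: "Alternativly" should be "Alternatively".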
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
|
1
|
+
1.0.0
|
@@ -72,19 +72,19 @@ class LogStashAutoResizeBuffer
|
|
72
72
|
# We would like to do it until we reached to the duration
|
73
73
|
def resend_message(documents_json, amount_of_documents, remaining_duration)
|
74
74
|
if remaining_duration > 0
|
75
|
-
@logger.info("Resending #{amount_of_documents} documents as log type #{@logstashLoganalyticsConfiguration.custom_log_table_name} to DataCollector API in #{@logstashLoganalyticsConfiguration.
|
75
|
+
@logger.info("Resending #{amount_of_documents} documents as log type #{@logstashLoganalyticsConfiguration.custom_log_table_name} to DataCollector API in #{@logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY} seconds.")
|
76
76
|
sleep @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY
|
77
77
|
begin
|
78
78
|
response = @client.post_data(documents_json)
|
79
79
|
if is_successfully_posted(response)
|
80
80
|
@logger.info("Successfully sent #{amount_of_documents} logs into custom log analytics table[#{@logstashLoganalyticsConfiguration.custom_log_table_name}] after resending.")
|
81
81
|
else
|
82
|
-
@logger.debug("Resending #{amount_of_documents} documents failed, will try to resend for #{(remaining_duration - @logstashLoganalyticsConfiguration.
|
83
|
-
resend_message(documents_json, amount_of_documents, (remaining_duration - @logstashLoganalyticsConfiguration.
|
82
|
+
@logger.debug("Resending #{amount_of_documents} documents failed, will try to resend for #{(remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY)}")
|
83
|
+
resend_message(documents_json, amount_of_documents, (remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY))
|
84
84
|
end
|
85
85
|
rescue Exception => ex
|
86
|
-
@logger.debug("Resending #{amount_of_documents} documents failed, will try to resend for #{(remaining_duration - @logstashLoganalyticsConfiguration.
|
87
|
-
resend_message(documents_json, amount_of_documents, (remaining_duration - @logstashLoganalyticsConfiguration.
|
86
|
+
@logger.debug("Resending #{amount_of_documents} documents failed, will try to resend for #{(remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY)}")
|
87
|
+
resend_message(documents_json, amount_of_documents, (remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY))
|
88
88
|
end
|
89
89
|
else
|
90
90
|
@logger.error("Could not resend #{amount_of_documents} documents, message is dropped.")
|
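Review bot: in the `rescue Exception => ex` branch (line 85) the caught exception is never logged, so a retry that fails for a non-HTTP reason (connection refused, TLS failure, oversized payload) produces only "Resending ... failed" with no cause; include `#{ex.class}: #{ex.message}` in the debug line on line 86, and narrow the rescue to `StandardError` so `Interrupt`/`SystemExit` raised during the `sleep` on line 76 still stop Logstash instead of being swallowed into another retry. The branches on lines 82-83 and 86-87 are identical and could share one helper. `resend_message` also recurses once per RETRANSMISSION_DELAY until remaining_duration is exhausted; a loop would make the bound on retries obvious.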
@@ -28,8 +28,11 @@ class LogstashLoganalyticsOutputConfiguration
|
|
28
28
|
elsif @workspace_id.empty? or @workspace_key.empty? or @custom_log_table_name.empty?
|
29
29
|
raise ArgumentError, "Malformed configuration , the following arguments can not be null or empty.[workspace_id=#{@workspace_id} , workspace_key=#{@workspace_key} , custom_log_table_name=#{@custom_log_table_name}]"
|
30
30
|
|
31
|
-
elsif not @custom_log_table_name.match(/^[[:alpha:]]+$/)
|
32
|
-
raise ArgumentError, 'custom_log_table_name must be only alpha characters.'
|
31
|
+
elsif not @custom_log_table_name.match(/^[[:alpha:][:digit:]_]+$/)
|
32
|
+
raise ArgumentError, 'custom_log_table_name must be only alpha characters, numbers and underscore.'
|
33
|
+
|
34
|
+
elsif @custom_log_table_name.length > 100
|
35
|
+
raise ArgumentError, 'custom_log_table_name must not exceed 100 characters.'
|
33
36
|
|
34
37
|
elsif custom_log_table_name.empty?
|
35
38
|
raise ArgumentError, 'custom_log_table_name should not be empty.'
|
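Review bot: the new regex on line 31 (`/^[[:alpha:][:digit:]_]+$/`) and the length check on line 34 are correct, but two problems sit in the unchanged context around them: the ArgumentError on line 29 interpolates `workspace_key` into its message, so a misconfiguration writes the workspace's write key into the Logstash log (name the field, not its value), and `elsif custom_log_table_name.empty?` on line 37 is unreachable because emptiness was already rejected on line 28, and it refers to a bare `custom_log_table_name` where every other line uses `@custom_log_table_name`; remove the dead branch.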
@@ -19,7 +19,8 @@ class LogStash::Outputs::AzureLogAnalytics < LogStash::Outputs::Base
|
|
19
19
|
config :workspace_key, :validate => :string, :required => true
|
20
20
|
|
21
21
|
# The name of the event type that is being submitted to Log Analytics.
|
22
|
-
# This must be only alpha characters.
|
22
|
+
# This must be only alpha characters, numbers and underscore.
|
23
|
+
# This must not exceed 100 characters.
|
23
24
|
# Table name under custom logs in which the data will be inserted
|
24
25
|
config :custom_log_table_name, :validate => :string, :required => true
|
25
26
|
|
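Review bot: line 19, left unchanged here, declares `config :workspace_key, :validate => :string`; Logstash's `:validate => :password` wraps the value in a `LogStash::Util::Password` so it is masked as `<password>` in debug output and the monitoring API, which is the right type for a key that grants write access to the workspace. The comment update on lines 22-23 is fine, but the limits are enforced by the regex and length check in logstashLoganalyticsConfiguration.rb, so point to that as the single source rather than restating rules that can drift.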
@@ -102,6 +103,9 @@ class LogStash::Outputs::AzureLogAnalytics < LogStash::Outputs::Base
|
|
102
103
|
keys_intersection.each do |key|
|
103
104
|
document[key] = event_hash[key]
|
104
105
|
end
|
106
|
+
if document.keys.length < 1
|
107
|
+
@logger.warn("No keys found, message is dropped. Plugin keys: #{@key_names}, Event keys: #{event_hash}. The event message do not match event expected structre. Please edit key_names section in output plugin and try again.")
|
108
|
+
end
|
105
109
|
else
|
106
110
|
document = event_hash
|
107
111
|
end
|
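Review bot: the warning added on lines 106-108 says "message is dropped", but nothing in the hunk drops it: after the `if`, `document` is an empty hash that continues down the same path as a populated one, so either add an explicit skip (return early, or have the caller discard empty documents) or reword the message. The warning also interpolates the whole `event_hash` at WARN level, which copies the full event, possibly containing credentials or personal data, into Logstash's own log on every mismatched event; log `event_hash.keys` instead. Minor: "The event message do not match event expected structre" should read "The event does not match the expected structure".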
@@ -1,12 +1,12 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
s.name = 'microsoft-logstash-output-azure-loganalytics'
|
3
3
|
s.version = File.read("VERSION").strip
|
4
|
-
s.authors = ["Ron Marsiano"]
|
4
|
+
s.authors = ["Ron Marsiano", "Haim Rubinstein"]
|
5
5
|
s.email = "romarsia@outlook.com"
|
6
6
|
s.summary = %q{Azure Sentinel provides a new output plugin for Logstash. Using this output plugin, you will be able to send any log you want using Logstash to the Azure Sentinel/Log Analytics workspace}
|
7
7
|
s.description = s.summary
|
8
8
|
s.homepage = "https://github.com/Azure/Azure-Sentinel"
|
9
|
-
s.licenses = ["
|
9
|
+
s.licenses = ["MIT"]
|
10
10
|
s.require_paths = ["lib"]
|
11
11
|
|
12
12
|
# Files
|
@@ -19,7 +19,6 @@ Gem::Specification.new do |s|
|
|
19
19
|
|
20
20
|
# Gem dependencies
|
21
21
|
s.add_runtime_dependency "rest-client", ">= 1.8.0"
|
22
|
-
s.add_runtime_dependency "azure-loganalytics-datacollector-api", ">= 0.1.5"
|
23
22
|
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
|
24
23
|
s.add_runtime_dependency "logstash-codec-plain"
|
25
24
|
s.add_development_dependency "logstash-devutils"
|
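Review bot: removing the `azure-loganalytics-datacollector-api` runtime dependency (line 22) is not accompanied by any change to lib/logstash/logAnalyticsClient/logAnalyticsClient.rb in this diff, so confirm nothing still requires it; if Data Collector API request signing with the shared key is now done in-tree, that is the security-sensitive part of the gem and should have a spec. `rest-client ">= 1.8.0"` on line 21 has no upper bound, so a future major release can change behaviour under this plugin; add a cap such as `"~> 2.0"`.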
metadata
CHANGED
@@ -1,14 +1,15 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: microsoft-logstash-output-azure-loganalytics
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 1.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ron Marsiano
|
8
|
+
- Haim Rubinstein
|
8
9
|
autorequire:
|
9
10
|
bindir: bin
|
10
11
|
cert_chain: []
|
11
|
-
date: 2020-
|
12
|
+
date: 2020-08-26 00:00:00.000000000 Z
|
12
13
|
dependencies:
|
13
14
|
- !ruby/object:Gem::Dependency
|
14
15
|
requirement: !ruby/object:Gem::Requirement
|
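Review bot: `cert_chain: []` on line 11 (unchanged) means the 1.0.0 gem ships unsigned, so the only integrity check consumers get is the SHA256 in checksums.yaml served from the same host; for a plugin that holds a Log Analytics write key, signing the gem (`gem cert` and `signing_key` in the gemspec) and publishing the checksum out-of-band would close that gap. The date bump on line 12 to 2020-08-26 also disagrees with the README's "Released on: 2020-06-23".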
@@ -24,20 +25,6 @@ dependencies:
|
|
24
25
|
- - ">="
|
25
26
|
- !ruby/object:Gem::Version
|
26
27
|
version: 1.8.0
|
27
|
-
- !ruby/object:Gem::Dependency
|
28
|
-
requirement: !ruby/object:Gem::Requirement
|
29
|
-
requirements:
|
30
|
-
- - ">="
|
31
|
-
- !ruby/object:Gem::Version
|
32
|
-
version: 0.1.5
|
33
|
-
name: azure-loganalytics-datacollector-api
|
34
|
-
prerelease: false
|
35
|
-
type: :runtime
|
36
|
-
version_requirements: !ruby/object:Gem::Requirement
|
37
|
-
requirements:
|
38
|
-
- - ">="
|
39
|
-
- !ruby/object:Gem::Version
|
40
|
-
version: 0.1.5
|
41
28
|
- !ruby/object:Gem::Dependency
|
42
29
|
requirement: !ruby/object:Gem::Requirement
|
43
30
|
requirements:
|
@@ -96,6 +83,7 @@ extra_rdoc_files: []
|
|
96
83
|
files:
|
97
84
|
- CHANGELOG.md
|
98
85
|
- Gemfile
|
86
|
+
- LICENSE
|
99
87
|
- README.md
|
100
88
|
- VERSION
|
101
89
|
- lib/logstash/logAnalyticsClient/logAnalyticsClient.rb
|
@@ -106,7 +94,7 @@ files:
|
|
106
94
|
- spec/outputs/azure_loganalytics_spec.rb
|
107
95
|
homepage: https://github.com/Azure/Azure-Sentinel
|
108
96
|
licenses:
|
109
|
-
-
|
97
|
+
- MIT
|
110
98
|
metadata:
|
111
99
|
logstash_plugin: 'true'
|
112
100
|
logstash_group: output
|