microsoft-logstash-output-azure-loganalytics 0.1.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce0904868fbfab9bfbc3386a101957a436f9d8c1fde87450ffd2a3a0d9c78574
-  data.tar.gz: 1a69ab08f7bd6a3ea6ee639dfddd5c69333ef53a4dcfd6a08fccd65eb4bd26e5
+  metadata.gz: d544e890ad76c1a72e3f4ddf36467c9b3bb21d9dfa48fad8abc41f901ef19ce6
+  data.tar.gz: e4209caf755ef5fe6f94457cd1345463ca006fd5ac73ac231f0cb21b602fd777
 SHA512:
-  metadata.gz: 262dd9c81132c1ad32bd5ccab843722ee42cc3d8ebc5cf417d99540c13c49f42f5eee2f987d29e31d03a471feda3a5dee4318f302ebace577333144f1744dd6b
-  data.tar.gz: 20306ed12e1dfde8f1a63caeca7c7b585ed2b50ab8de437fb7d1c37c66fedb2fce6c8d3080e73f2e3c49b276f27f23d3df17c68dffd0a82ebfe4473ad2ea56be
+  metadata.gz: b3e020ee1fde56eaf5f88a1323f1d978f18f4b6f2b60d7371acee1ace40b02a33529e9ae0df166f16f7558a4da13559be09b56352f7b0bde67b46db224d06106
+  data.tar.gz: ddb127a68f7bd0cd4a6058666b3ed5bdee5a4ce88ca60e337ab72282a012698d99cbfc83af88fe2b8425c4bed423b34f183d8af15a937c1d611611d4293f8570

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE

data/README.md

@@ -2,25 +2,28 @@
 
 Azure Sentinel provides a new output plugin for Logstash. Using this output plugin, you will be able to send any log you want using Logstash to the Azure Sentinel/Log Analytics workspace
 Today you will be able to send messages to custom logs table that you will define in the output plugin. 
-Getting started with Logstash 
+[Getting started with Logstash](<https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html>) 
 
-Azure Sentinel output plugin uses the rest API integration to Log Analytics, in order to ingest the logs into custom logs tables [What are custom logs tables] 
+Azure Sentinel output plugin uses the rest API integration to Log Analytics, in order to ingest the logs into custom logs tables [What are custom logs tables](<https://docs.microsoft.com/azure/azure-monitor/platform/data-sources-custom-logs>)
 
-Plugin version: v1.0.0 
-Released on: 2020-04-30 
+Plugin version: v0.3.0 
+Released on: 2020-06-23 
+
+This plugin is currently in development and is free to use. We welcome contributions from the open source community on this project, and we request and appreciate feedback from users.
 
 ## Installation
 
 Azure Sentinel provides Logstash output plugin to Log analytics workspace. 
-Install the microsoft-logstash-output-azure-loganalytics, use Logstash Working with plugins document. 
-For offline setup follow Logstash Offline Plugin Management instruction. 
+Install the microsoft-logstash-output-azure-loganalytics, use [Logstash Working with plugins](<https://www.elastic.co/guide/en/logstash/current/working-with-plugins.html>) document. 
+For offline setup follow [Logstash Offline Plugin Management instruction](<https://www.elastic.co/guide/en/logstash/current/offline-plugins.html>). 
 
 ## Configuration
 
 in your Logstash configuration file, add the Azure Sentinel output plugin to the configuration with following values: 
 - workspace_id – your workspace ID guid 
-- workspace_key – your workspace primary key guid 
+- workspace_key (primary key) – your workspace primary key guid. You can find your workspace key and id the following path: Home > Log Analytics workspace > Advanced settings
 - custom_log_table_name – table name, in which the logs will be ingested, limited to one table, the log table will be presented in the logs blade under the custom logs label, with a _CL suffix. 
+	Table name must be only alpha characters, and shoud not exceed 100 characters.
 - endpoint – Optional field by default set as log analytics endpoint.  
 - time_generated_field – Optional field, this property is used to override the default TimeGenerated field in Log Analytics. Populate this property with the name of the sent data time field. 
 - key_names – list of Log analytics output schema fields. 
@@ -34,7 +37,48 @@ Note: View the GitHub to learn more about the sent message’s configuration, pe
 Here is an example configuration who parse Syslog incoming data into a custom table named "logstashCustomTableName".
 
 ### Example Configuration
-<u>Configuration</u>
+
+<u>Basic configuration</u>
+
+- Using filebeat input pipe
+
+```
+input {
+    beats {
+        port => "5044"
+    }
+}
+ filter {
+}
+output {
+    logstash-output-azure {
+      workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>
+      workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>
+      custom_log_table_name => "tableName"
+    }
+}
+```
+- Or using the tcp input pipe
+
+```
+input {
+    tcp {
+        port => "514"
+        type => syslog #optional, will effect log type in table
+    }
+}
+ filter {
+}
+output {
+    logstash-output-azure {
+      workspace_id => "4g5tad2b-a4u4-147v-a4r7-23148a5f2c21" # <your workspace id>
+      workspace_key => "u/saRtY0JGHJ4Ce93g5WQ3Lk50ZnZ8ugfd74nk78RPLPP/KgfnjU5478Ndh64sNfdrsMni975HJP6lp==" # <your workspace key>
+      custom_log_table_name => "tableName"
+    }
+}
+```
+
+<u>Advencaed Configuration</u>
 ```
 input {
   tcp {
@@ -66,4 +110,10 @@ For example:
 ```
 logger -p local4.warn -t CEF: "0|Microsoft|Device|cef-test|example|data|1|here is some more data for the example" -P 514 -d -n 127.0.0.1
 
-```
+```
+
+Alternativly you can use netcat to test your configuration:
+
+```
+echo "test string" | netcat localhost 514
+```

data/VERSION

@@ -1 +1 @@
-0.1.0
+1.0.0

data/lib/logstash/logAnalyticsClient/logStashAutoResizeBuffer.rb

@@ -72,19 +72,19 @@ class LogStashAutoResizeBuffer
     # We would like to do it until we reached to the duration 
     def resend_message(documents_json, amount_of_documents, remaining_duration)
         if remaining_duration > 0
-            @logger.info("Resending #{amount_of_documents} documents as log type #{@logstashLoganalyticsConfiguration.custom_log_table_name} to DataCollector API in #{@logstashLoganalyticsConfiguration.RETRANSMITION_DELAY} seconds.")
+            @logger.info("Resending #{amount_of_documents} documents as log type #{@logstashLoganalyticsConfiguration.custom_log_table_name} to DataCollector API in #{@logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY} seconds.")
             sleep @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY
             begin
                 response = @client.post_data(documents_json)
                 if is_successfully_posted(response)
                     @logger.info("Successfully sent #{amount_of_documents} logs into custom log analytics table[#{@logstashLoganalyticsConfiguration.custom_log_table_name}] after resending.")
                 else
-                    @logger.debug("Resending #{amount_of_documents} documents failed, will try to resend for #{(remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMITION_DELAY)}")
-                    resend_message(documents_json, amount_of_documents, (remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMITION_DELAY))
+                    @logger.debug("Resending #{amount_of_documents} documents failed, will try to resend for #{(remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY)}")
+                    resend_message(documents_json, amount_of_documents, (remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY))
                 end
             rescue Exception => ex
-                @logger.debug("Resending #{amount_of_documents} documents failed, will try to resend for #{(remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMITION_DELAY)}")
-                resend_message(documents_json, amount_of_documents, (remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMITION_DELAY))
+                @logger.debug("Resending #{amount_of_documents} documents failed, will try to resend for #{(remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY)}")
+                resend_message(documents_json, amount_of_documents, (remaining_duration - @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY))
             end
         else 
             @logger.error("Could not resend #{amount_of_documents} documents, message is dropped.")

data/lib/logstash/logAnalyticsClient/logstashLoganalyticsConfiguration.rb

@@ -28,8 +28,11 @@ class LogstashLoganalyticsOutputConfiguration
         elsif @workspace_id.empty? or @workspace_key.empty? or @custom_log_table_name.empty? 
             raise ArgumentError, "Malformed configuration , the following arguments can not be null or empty.[workspace_id=#{@workspace_id} , workspace_key=#{@workspace_key} , custom_log_table_name=#{@custom_log_table_name}]"
 
-        elsif not @custom_log_table_name.match(/^[[:alpha:]]+$/)
-            raise ArgumentError, 'custom_log_table_name must be only alpha characters.' 
+        elsif not @custom_log_table_name.match(/^[[:alpha:][:digit:]_]+$/)
+            raise ArgumentError, 'custom_log_table_name must be only alpha characters, numbers and underscore.'
+
+        elsif @custom_log_table_name.length > 100
+            raise ArgumentError, 'custom_log_table_name must not exceed 100 characters.'
 
         elsif custom_log_table_name.empty?
             raise ArgumentError, 'custom_log_table_name should not be empty.' 

data/lib/logstash/outputs/microsoft-logstash-output-azure-loganalytics.rb

@@ -19,7 +19,8 @@ class LogStash::Outputs::AzureLogAnalytics < LogStash::Outputs::Base
   config :workspace_key, :validate => :string, :required => true
 
   # The name of the event type that is being submitted to Log Analytics. 
-  # This must be only alpha characters.
+  # This must be only alpha characters, numbers and underscore.
+  # This must not exceed 100 characters.
   # Table name under custom logs in which the data will be inserted
   config :custom_log_table_name, :validate => :string, :required => true
 
@@ -102,6 +103,9 @@ class LogStash::Outputs::AzureLogAnalytics < LogStash::Outputs::Base
       keys_intersection.each do |key|
         document[key] = event_hash[key]
       end
+      if document.keys.length < 1
+        @logger.warn("No keys found, message is dropped. Plugin keys: #{@key_names}, Event keys: #{event_hash}. The event message do not match event expected structre. Please edit key_names section in output plugin and try again.")
+      end
     else
       document = event_hash
     end

data/microsoft-logstash-output-azure-loganalytics.gemspec

@@ -1,12 +1,12 @@
 Gem::Specification.new do |s|
   s.name = 'microsoft-logstash-output-azure-loganalytics'
   s.version    =  File.read("VERSION").strip
-  s.authors = ["Ron Marsiano"]
+  s.authors = ["Ron Marsiano", "Haim Rubinstein"]
   s.email = "romarsia@outlook.com"
   s.summary = %q{Azure Sentinel provides a new output plugin for Logstash. Using this output plugin, you will be able to send any log you want using Logstash to the Azure Sentinel/Log Analytics workspace}
   s.description = s.summary
   s.homepage = "https://github.com/Azure/Azure-Sentinel"
-  s.licenses = ["Apache License (2.0)"]
+  s.licenses = ["MIT"]
   s.require_paths = ["lib"]
 
   # Files
@@ -19,7 +19,6 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "rest-client", ">= 1.8.0"
-  s.add_runtime_dependency "azure-loganalytics-datacollector-api", ">= 0.1.5"
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency "logstash-codec-plain"
   s.add_development_dependency "logstash-devutils"

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: microsoft-logstash-output-azure-loganalytics
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Ron Marsiano
+- Haim Rubinstein
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-25 00:00:00.000000000 Z
+date: 2020-08-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -24,20 +25,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.8.0
-- !ruby/object:Gem::Dependency
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.1.5
-  name: azure-loganalytics-datacollector-api
-  prerelease: false
-  type: :runtime
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.1.5
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -96,6 +83,7 @@ extra_rdoc_files: []
 files:
 - CHANGELOG.md
 - Gemfile
+- LICENSE
 - README.md
 - VERSION
 - lib/logstash/logAnalyticsClient/logAnalyticsClient.rb
@@ -106,7 +94,7 @@ files:
 - spec/outputs/azure_loganalytics_spec.rb
 homepage: https://github.com/Azure/Azure-Sentinel
 licenses:
-- Apache License (2.0)
+- MIT
 metadata:
   logstash_plugin: 'true'
   logstash_group: output