microsoft-sentinel-log-analytics-logstash-output-plugin 1.1.0 → 1.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -7
- data/README.md +8 -6
- data/lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb +6 -0
- data/lib/logstash/sentinel_la/logAnalyticsAadTokenProvider.rb +2 -2
- data/lib/logstash/sentinel_la/logAnalyticsClient.rb +2 -2
- data/lib/logstash/sentinel_la/logstashLoganalyticsConfiguration.rb +25 -4
- data/lib/logstash/sentinel_la/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bc9cee055d5aa8f90acde6ed20eacccf0d9e9a36fa9a5ebd1c916d85a410e628
|
|
4
|
+
data.tar.gz: '081cd8f53b716eeed931c417ce6fc7a13e3d2d1fe9acf0050858e5b87918d4ff'
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 77753b09f6c4631fb2e2eb1e0ba5dd4eb4c33840901226f1caa08043b39caa77497cdfd42adb7ac6a857b22e3bd98512fff8e3e1ba4d6b7916eb16e822f752ce
|
|
7
|
+
data.tar.gz: 9ae33cb6bb9c96c19011b4a21f9ac943f75df18b99761023cb4ba00c84584a6ad0c05d8b0d5c0819993b434e2f6d14da1e62f92ba2f44a11aa6eeed22cbe0b9c
|
data/CHANGELOG.md
CHANGED
|
@@ -1,13 +1,14 @@
|
|
|
1
1
|
## 1.0.0
|
|
2
2
|
* Initial release for output plugin for logstash to Microsoft Sentinel. This is done with the Log Analytics DCR based API.
|
|
3
3
|
|
|
4
|
-
## 1.0
|
|
5
|
-
* Upgrade the rest-client dependency minimum version to 2.1.0
|
|
6
|
-
* Allow setting different proxy values for api connections.
|
|
7
|
-
|
|
8
|
-
## 1.0.6
|
|
4
|
+
## 1.1.0
|
|
9
5
|
* Increase timeout for read/open connections to 120 seconds.
|
|
10
6
|
* Add error handling for when connection timeout occurs.
|
|
7
|
+
* Upgrade the rest-client dependency minimum version to 2.1.0.
|
|
8
|
+
* Allow setting different proxy values for api connections.
|
|
9
|
+
* Upgrade version for ingestion api to 2023-01-01.
|
|
10
|
+
* Rename the plugin to microsoft-sentinel-log-analytics-logstash-output-plugin.
|
|
11
11
|
|
|
12
|
-
## 1.1.
|
|
13
|
-
*
|
|
12
|
+
## 1.1.1
|
|
13
|
+
* Support China and US Government Azure sovereign clouds.
|
|
14
|
+
* Increase timeout for read/open connections to 240 seconds.
|
data/README.md
CHANGED
|
@@ -3,8 +3,8 @@
|
|
|
3
3
|
Microsoft Sentinel provides a new output plugin for Logstash. Use this output plugin to send any log via Logstash to the Microsoft Sentinel/Log Analytics workspace. This is done with the Log Analytics DCR-based API.
|
|
4
4
|
You may send logs to custom or standard tables.
|
|
5
5
|
|
|
6
|
-
Plugin version: v1.0
|
|
7
|
-
Released on: 2023-
|
|
6
|
+
Plugin version: v1.1.0
|
|
7
|
+
Released on: 2023-07-23
|
|
8
8
|
|
|
9
9
|
This plugin is currently in development and is free to use. We welcome contributions from the open source community on this project, and we request and appreciate feedback from users.
|
|
10
10
|
|
|
@@ -23,8 +23,9 @@ Microsoft Sentinel provides Logstash output plugin to Log analytics workspace us
|
|
|
23
23
|
Install the microsoft-sentinel-log-analytics-logstash-output-plugin, use [Logstash Offline Plugin Management instruction](<https://www.elastic.co/guide/en/logstash/current/offline-plugins.html>).
|
|
24
24
|
|
|
25
25
|
Microsoft Sentinel's Logstash output plugin supports the following versions
|
|
26
|
-
-
|
|
27
|
-
-
|
|
26
|
+
- 7.0 - 7.17.13
|
|
27
|
+
- 8.0 - 8.9
|
|
28
|
+
- 8.11
|
|
28
29
|
|
|
29
30
|
Please note that when using Logstash 8, it is recommended to disable ECS in the pipeline. For more information refer to [Logstash documentation.](<https://www.elastic.co/guide/en/logstash/8.4/ecs-ls.html>)
|
|
30
31
|
|
|
@@ -41,8 +42,8 @@ output {
|
|
|
41
42
|
}
|
|
42
43
|
```
|
|
43
44
|
Note: make sure that the path exists before creating the sample file.
|
|
44
|
-
2) Start Logstash. The plugin will
|
|
45
|
-
(for example: "c:\temp\sampleFile1648453501.json")
|
|
45
|
+
2) Start Logstash. The plugin will collect up to 10 records to a sample.
|
|
46
|
+
3) The file named "sampleFile<epoch seconds>.json" in the configured path will be created once there are 10 events to sample or when the Logstash process exited gracefully. (for example: "c:\temp\sampleFile1648453501.json").
|
|
46
47
|
|
|
47
48
|
|
|
48
49
|
### Configurations:
|
|
@@ -124,6 +125,7 @@ output {
|
|
|
124
125
|
- **proxy** - String, Empty by default. Specify which proxy URL to use for API calls for all of the communications with Azure.
|
|
125
126
|
- **proxy_aad** - String, Empty by default. Specify which proxy URL to use for API calls for the Azure Active Directory service. Overrides the proxy setting.
|
|
126
127
|
- **proxy_endpoint** - String, Empty by default. Specify which proxy URL to use when sending log data to the endpoint. Overrides the proxy setting.
|
|
128
|
+
- **azure_cloud** - String, Empty by default. Used to specify the name of the Azure cloud that is being used, AzureCloud is set as default. Available values are: AzureCloud, AzureChinaCloud and AzureUSGovernment.
|
|
127
129
|
|
|
128
130
|
#### Note: When setting an empty string as a value for a proxy setting, it will unset any system wide proxy setting.
|
|
129
131
|
|
|
@@ -68,6 +68,11 @@ class LogStash::Outputs::MicrosoftSentinelOutput < LogStash::Outputs::Base
|
|
|
68
68
|
# Path where to place the sample file created
|
|
69
69
|
config :sample_file_path, :validate => :string
|
|
70
70
|
|
|
71
|
+
# Used to specify the name of the Azure cloud that is being used. By default, the value is set to "AzureCloud", which
|
|
72
|
+
# is the public Azure cloud. However, you can specify a different Azure cloud if you are
|
|
73
|
+
# using a different environment, such as Azure Government or Azure China.
|
|
74
|
+
config :azure_cloud, :validate => :string
|
|
75
|
+
|
|
71
76
|
public
|
|
72
77
|
def register
|
|
73
78
|
@logstash_configuration= build_logstash_configuration()
|
|
@@ -103,6 +108,7 @@ class LogStash::Outputs::MicrosoftSentinelOutput < LogStash::Outputs::Base
|
|
|
103
108
|
logstash_configuration.proxy_aad = @proxy_aad || @proxy || ENV['http_proxy']
|
|
104
109
|
logstash_configuration.proxy_endpoint = @proxy_endpoint || @proxy || ENV['http_proxy']
|
|
105
110
|
logstash_configuration.retransmission_time = @retransmission_time
|
|
111
|
+
logstash_configuration.azure_cloud = @azure_cloud || "AzureCloud"
|
|
106
112
|
|
|
107
113
|
return logstash_configuration
|
|
108
114
|
end # def build_logstash_configuration
|
|
@@ -9,8 +9,8 @@ require 'time'
|
|
|
9
9
|
module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
|
|
10
10
|
class LogAnalyticsAadTokenProvider
|
|
11
11
|
def initialize (logstashLoganalyticsConfiguration)
|
|
12
|
-
scope = CGI.escape("
|
|
13
|
-
@aad_uri =
|
|
12
|
+
scope = CGI.escape("#{logstashLoganalyticsConfiguration.get_monitor_endpoint}//.default")
|
|
13
|
+
@aad_uri = logstashLoganalyticsConfiguration.get_aad_endpoint
|
|
14
14
|
@token_request_body = sprintf("client_id=%s&scope=%s&client_secret=%s&grant_type=client_credentials", logstashLoganalyticsConfiguration.client_app_Id, scope, logstashLoganalyticsConfiguration.client_app_secret)
|
|
15
15
|
@token_request_uri = sprintf("%s/%s/oauth2/v2.0/token",@aad_uri, logstashLoganalyticsConfiguration.tenant_id)
|
|
16
16
|
@token_state = {
|
|
@@ -14,7 +14,7 @@ require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
|
|
|
14
14
|
require "logstash/sentinel_la/logAnalyticsAadTokenProvider"
|
|
15
15
|
|
|
16
16
|
|
|
17
|
-
def initialize
|
|
17
|
+
def initialize(logstashLoganalyticsConfiguration)
|
|
18
18
|
@logstashLoganalyticsConfiguration = logstashLoganalyticsConfiguration
|
|
19
19
|
@logger = @logstashLoganalyticsConfiguration.logger
|
|
20
20
|
|
|
@@ -34,7 +34,7 @@ require "logstash/sentinel_la/logAnalyticsAadTokenProvider"
|
|
|
34
34
|
# Post REST request
|
|
35
35
|
|
|
36
36
|
return RestClient::Request.execute(method: :post, url: @uri, payload: body, headers: headers,
|
|
37
|
-
proxy: @logstashLoganalyticsConfiguration.proxy_endpoint, timeout:
|
|
37
|
+
proxy: @logstashLoganalyticsConfiguration.proxy_endpoint, timeout: 240)
|
|
38
38
|
end # def post_data
|
|
39
39
|
|
|
40
40
|
# Static function to return if the response is OK or else
|
|
@@ -23,6 +23,12 @@ class LogstashLoganalyticsOutputConfiguration
|
|
|
23
23
|
|
|
24
24
|
# Taking 4K safety buffer
|
|
25
25
|
@MAX_SIZE_BYTES = @loganalytics_api_data_limit - 10000
|
|
26
|
+
|
|
27
|
+
@azure_clouds = {
|
|
28
|
+
"AzureCloud" => {"aad" => "https://login.microsoftonline.com", "monitor" => "https://monitor.azure.com"},
|
|
29
|
+
"AzureChinaCloud" => {"aad" => "https://login.chinacloudapi.cn", "monitor" => "https://monitor.azure.cn"},
|
|
30
|
+
"AzureUSGovernment" => {"aad" => "https://login.microsoftonline.us", "monitor" => "https://monitor.azure.us"}
|
|
31
|
+
}.freeze
|
|
26
32
|
end
|
|
27
33
|
|
|
28
34
|
def validate_configuration()
|
|
@@ -68,6 +74,9 @@ class LogstashLoganalyticsOutputConfiguration
|
|
|
68
74
|
if @key_names.length > 500
|
|
69
75
|
raise ArgumentError, 'There are over 500 key names listed to be included in the events sent to Azure Loganalytics, which exceeds the limit of columns that can be define in each table in log analytics.'
|
|
70
76
|
end
|
|
77
|
+
if !@azure_clouds.key?(@azure_cloud)
|
|
78
|
+
raise ArgumentError, "The specified Azure cloud #{@azure_cloud} is not supported. Supported clouds are: #{@azure_clouds.keys.join(", ")}."
|
|
79
|
+
end
|
|
71
80
|
end
|
|
72
81
|
@logger.info("Azure Loganalytics configuration was found valid.")
|
|
73
82
|
# If all validation pass then configuration is valid
|
|
@@ -159,10 +168,6 @@ class LogstashLoganalyticsOutputConfiguration
|
|
|
159
168
|
@MIN_MESSAGE_AMOUNT
|
|
160
169
|
end
|
|
161
170
|
|
|
162
|
-
def max_items=(new_max_items)
|
|
163
|
-
@max_items = new_max_items
|
|
164
|
-
end
|
|
165
|
-
|
|
166
171
|
def key_names=(new_key_names)
|
|
167
172
|
@key_names = new_key_names
|
|
168
173
|
end
|
|
@@ -218,5 +223,21 @@ class LogstashLoganalyticsOutputConfiguration
|
|
|
218
223
|
def sample_file_path=(new_sample_file_path)
|
|
219
224
|
@sample_file_path = new_sample_file_path
|
|
220
225
|
end
|
|
226
|
+
|
|
227
|
+
def azure_cloud
|
|
228
|
+
@azure_cloud
|
|
229
|
+
end
|
|
230
|
+
|
|
231
|
+
def azure_cloud=(new_azure_cloud)
|
|
232
|
+
@azure_cloud = new_azure_cloud
|
|
233
|
+
end
|
|
234
|
+
|
|
235
|
+
def get_aad_endpoint
|
|
236
|
+
@azure_clouds[@azure_cloud]["aad"]
|
|
237
|
+
end
|
|
238
|
+
|
|
239
|
+
def get_monitor_endpoint
|
|
240
|
+
@azure_clouds[@azure_cloud]["monitor"]
|
|
241
|
+
end
|
|
221
242
|
end
|
|
222
243
|
end ;end ;end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: microsoft-sentinel-log-analytics-logstash-output-plugin
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.1.
|
|
4
|
+
version: 1.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Microsoft Sentinel
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-01-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rest-client
|
|
@@ -118,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
118
118
|
- !ruby/object:Gem::Version
|
|
119
119
|
version: '0'
|
|
120
120
|
requirements: []
|
|
121
|
-
rubygems_version: 3.
|
|
121
|
+
rubygems_version: 3.3.26
|
|
122
122
|
signing_key:
|
|
123
123
|
specification_version: 4
|
|
124
124
|
summary: Microsoft Sentinel provides a new output plugin for Logstash. Use this output
|