microsoft-sentinel-log-analytics-logstash-output-plugin 1.1.0 → 1.1.4

data/lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb

@@ -1,110 +1,116 @@
-# encoding: utf-8
-require "logstash/outputs/base"
-require "logstash/namespace"
-require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
-require "logstash/sentinel_la/sampleFileCreator"
-require "logstash/sentinel_la/logsSender"
-
-
-class LogStash::Outputs::MicrosoftSentinelOutput < LogStash::Outputs::Base
-
-  config_name "microsoft-sentinel-log-analytics-logstash-output-plugin"
-  
-  # Stating that the output plugin will run in concurrent mode
-  concurrency :shared
-
-  # Your registered app ID
-  config :client_app_Id, :validate => :string
-
-  # The registered app's secret, required by Azure Loganalytics REST API
-  config :client_app_secret, :validate => :string
-
-  # Your Operations Management Suite Tenant ID
-  config :tenant_id, :validate => :string
-
-  # Your data collection rule endpoint
-  config :data_collection_endpoint, :validate => :string
-
-  # Your data collection rule ID
-  config :dcr_immutable_id, :validate => :string
-
-  # Your dcr data stream name
-  config :dcr_stream_name, :validate => :string
-
-  # Subset of keys to send to the Azure Loganalytics workspace
-  config :key_names, :validate => :array, :default => []
-
-  # Max number of seconds to wait between flushes. Default 5
-  config :plugin_flush_interval, :validate => :number, :default => 5
-
-  # Factor for adding to the amount of messages sent
-  config :decrease_factor, :validate => :number, :default => 100
-
-  # This will trigger message amount resizing in a REST request to LA
-  config :amount_resizing, :validate => :boolean, :default => true
-
-  # Setting the default amount of messages sent                                                                                                    
-  # it this is set with amount_resizing=false --> each message will have max_items
-  config :max_items, :validate => :number, :default => 2000
-
-  # Setting default proxy to be used for all communication with azure
-  config :proxy, :validate => :string
-  
-  # Setting proxy_aad to be used for communicating with azure active directory service
-  config :proxy_aad, :validate => :string
-  
-  # Setting proxy to be used for the LogAnalytics endpoint REST client
-  config :proxy_endpoint, :validate => :string
-
-  # This will set the amount of time given for retransmitting messages once sending is failed
-  config :retransmission_time, :validate => :number, :default => 10
-
-  # Compress the message body before sending to LA
-  config :compress_data, :validate => :boolean, :default => false
-
-  # Generate sample file from incoming events
-  config :create_sample_file, :validate => :boolean, :default => false
-
-  # Path where to place the sample file created
-  config :sample_file_path, :validate => :string
-
-  public
-  def register
-    @logstash_configuration= build_logstash_configuration()
-	
-    # Validate configuration correctness 
-    @logstash_configuration.validate_configuration()
-
-    @events_handler = @logstash_configuration.create_sample_file ?
-                        LogStash::Outputs::MicrosoftSentinelOutputInternal::SampleFileCreator::new(@logstash_configuration) :
-                        LogStash::Outputs::MicrosoftSentinelOutputInternal::LogsSender::new(@logstash_configuration)
-  end # def register
-
-  def multi_receive(events)
-    @events_handler.handle_events(events)
-  end # def multi_receive
-
-  def close
-    @events_handler.close
-  end
-
-  #private 
-  private
-
-  # Building the logstash object configuration from the output configuration provided by the user
-  # Return LogstashLoganalyticsOutputConfiguration populated with the configuration values
-  def build_logstash_configuration()
-    logstash_configuration= LogStash::Outputs::MicrosoftSentinelOutputInternal::LogstashLoganalyticsOutputConfiguration::new(@client_app_Id, @client_app_secret, @tenant_id, @data_collection_endpoint, @dcr_immutable_id, @dcr_stream_name, @compress_data, @create_sample_file, @sample_file_path, @logger)
-    logstash_configuration.key_names = @key_names
-    logstash_configuration.plugin_flush_interval = @plugin_flush_interval
-    logstash_configuration.decrease_factor = @decrease_factor
-    logstash_configuration.amount_resizing = @amount_resizing
-    logstash_configuration.max_items = @max_items
-    logstash_configuration.proxy_aad = @proxy_aad || @proxy || ENV['http_proxy']
-    logstash_configuration.proxy_endpoint = @proxy_endpoint || @proxy || ENV['http_proxy']
-    logstash_configuration.retransmission_time = @retransmission_time
-    
-    return logstash_configuration
-  end # def build_logstash_configuration
-
-end # class LogStash::Outputs::MicrosoftSentinelOutput
+# encoding: utf-8
+require "logstash/outputs/base"
+require "logstash/namespace"
+require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
+require "logstash/sentinel_la/sampleFileCreator"
+require "logstash/sentinel_la/logsSender"
+
+
+class LogStash::Outputs::MicrosoftSentinelOutput < LogStash::Outputs::Base
+
+  config_name "microsoft-sentinel-log-analytics-logstash-output-plugin"
+  
+  # Stating that the output plugin will run in concurrent mode
+  concurrency :shared
+
+  # Your registered app ID
+  config :client_app_Id, :validate => :string
+
+  # The registered app's secret, required by Azure Loganalytics REST API
+  config :client_app_secret, :validate => :string
+
+  # Your Operations Management Suite Tenant ID
+  config :tenant_id, :validate => :string
+
+  # Your data collection rule endpoint
+  config :data_collection_endpoint, :validate => :string
+
+  # Your data collection rule ID
+  config :dcr_immutable_id, :validate => :string
+
+  # Your dcr data stream name
+  config :dcr_stream_name, :validate => :string
+
+  # Subset of keys to send to the Azure Loganalytics workspace
+  config :key_names, :validate => :array, :default => []
+
+  # Max number of seconds to wait between flushes. Default 5
+  config :plugin_flush_interval, :validate => :number, :default => 5
+
+  # Factor for adding to the amount of messages sent
+  config :decrease_factor, :validate => :number, :default => 100
+
+  # This will trigger message amount resizing in a REST request to LA
+  config :amount_resizing, :validate => :boolean, :default => true
+
+  # Setting the default amount of messages sent                                                                                                    
+  # it this is set with amount_resizing=false --> each message will have max_items
+  config :max_items, :validate => :number, :default => 2000
+
+  # Setting default proxy to be used for all communication with azure
+  config :proxy, :validate => :string
+  
+  # Setting proxy_aad to be used for communicating with azure active directory service
+  config :proxy_aad, :validate => :string
+  
+  # Setting proxy to be used for the LogAnalytics endpoint REST client
+  config :proxy_endpoint, :validate => :string
+
+  # This will set the amount of time given for retransmitting messages once sending is failed
+  config :retransmission_time, :validate => :number, :default => 10
+
+  # Compress the message body before sending to LA
+  config :compress_data, :validate => :boolean, :default => false
+
+  # Generate sample file from incoming events
+  config :create_sample_file, :validate => :boolean, :default => false
+
+  # Path where to place the sample file created
+  config :sample_file_path, :validate => :string
+
+  # Used to specify the name of the Azure cloud that is being used. By default, the value is set to "AzureCloud", which
+  # is the public Azure cloud. However, you can specify a different Azure cloud if you are
+  # using a different environment, such as Azure Government or Azure China.
+  config :azure_cloud, :validate => :string
+
+  public
+  def register
+    @logstash_configuration= build_logstash_configuration()
+	
+    # Validate configuration correctness 
+    @logstash_configuration.validate_configuration()
+
+    @events_handler = @logstash_configuration.create_sample_file ?
+                        LogStash::Outputs::MicrosoftSentinelOutputInternal::SampleFileCreator::new(@logstash_configuration) :
+                        LogStash::Outputs::MicrosoftSentinelOutputInternal::LogsSender::new(@logstash_configuration)
+  end # def register
+
+  def multi_receive(events)
+    @events_handler.handle_events(events)
+  end # def multi_receive
+
+  def close
+    @events_handler.close
+  end
+
+  #private 
+  private
+
+  # Building the logstash object configuration from the output configuration provided by the user
+  # Return LogstashLoganalyticsOutputConfiguration populated with the configuration values
+  def build_logstash_configuration()
+    logstash_configuration= LogStash::Outputs::MicrosoftSentinelOutputInternal::LogstashLoganalyticsOutputConfiguration::new(@client_app_Id, @client_app_secret, @tenant_id, @data_collection_endpoint, @dcr_immutable_id, @dcr_stream_name, @compress_data, @create_sample_file, @sample_file_path, @logger)
+    logstash_configuration.key_names = @key_names
+    logstash_configuration.plugin_flush_interval = @plugin_flush_interval
+    logstash_configuration.decrease_factor = @decrease_factor
+    logstash_configuration.amount_resizing = @amount_resizing
+    logstash_configuration.max_items = @max_items
+    logstash_configuration.proxy_aad = @proxy_aad || @proxy || ENV['http_proxy']
+    logstash_configuration.proxy_endpoint = @proxy_endpoint || @proxy || ENV['http_proxy']
+    logstash_configuration.retransmission_time = @retransmission_time
+    logstash_configuration.azure_cloud = @azure_cloud || "AzureCloud"
+    
+    return logstash_configuration
+  end # def build_logstash_configuration
+
+end # class LogStash::Outputs::MicrosoftSentinelOutput

data/lib/logstash/sentinel_la/logAnalyticsAadTokenProvider.rb

@@ -1,16 +1,16 @@
 # encoding: utf-8
 require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
-require 'rest-client'
 require 'json'
 require 'openssl'
 require 'base64'
 require 'time'
+require 'excon'
 
 module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
 class LogAnalyticsAadTokenProvider
   def initialize (logstashLoganalyticsConfiguration)
-    scope = CGI.escape("https://monitor.azure.com//.default")
-    @aad_uri = "https://login.microsoftonline.com"
+    scope = CGI.escape("#{logstashLoganalyticsConfiguration.get_monitor_endpoint}//.default")
+    @aad_uri = logstashLoganalyticsConfiguration.get_aad_endpoint
     @token_request_body = sprintf("client_id=%s&scope=%s&client_secret=%s&grant_type=client_credentials", logstashLoganalyticsConfiguration.client_app_Id, scope, logstashLoganalyticsConfiguration.client_app_secret)
     @token_request_uri = sprintf("%s/%s/oauth2/v2.0/token",@aad_uri, logstashLoganalyticsConfiguration.tenant_id)
     @token_state = {
@@ -64,14 +64,13 @@ class LogAnalyticsAadTokenProvider
     while true
       begin
         # Post REST request 
-        response = RestClient::Request.execute(method: :post, url: @token_request_uri, payload: @token_request_body, headers: headers,
-                                              proxy: @logstashLoganalyticsConfiguration.proxy_aad)
-                    
-        if (response.code == 200 || response.code == 201)
+        response = Excon.post(@token_request_uri, :body => @token_request_body, :headers => headers, :proxy => @logstashLoganalyticsConfiguration.proxy_aad, expects: [200, 201])
+
+        if (response.status == 200 || response.status == 201)
           return JSON.parse(response.body)
         end
-      rescue RestClient::ExceptionWithResponse => ewr
-        @logger.error("Exception while authenticating with AAD API ['#{ewr.response}']")          
+      rescue Excon::Error::HTTPStatus => ex
+        @logger.error("Error while authenticating with AAD [#{ex.class}: '#{ex.response.status}', Response: '#{ex.response.body}']")
       rescue Exception => ex          
         @logger.trace("Exception while authenticating with AAD API ['#{ex}']")
       end

data/lib/logstash/sentinel_la/logAnalyticsClient.rb

@@ -1,11 +1,11 @@
 # encoding: utf-8
 require "logstash/sentinel_la/version"
-require 'rest-client'
 require 'json'
 require 'openssl'
 require 'base64'
 require 'time'
 require 'rbconfig'
+require 'excon'
 
 module LogStash; module Outputs; class MicrosoftSentinelOutputInternal 
 class LogAnalyticsClient
@@ -14,7 +14,7 @@ require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
 require "logstash/sentinel_la/logAnalyticsAadTokenProvider"
 
 
-  def initialize (logstashLoganalyticsConfiguration)
+  def initialize(logstashLoganalyticsConfiguration)
     @logstashLoganalyticsConfiguration = logstashLoganalyticsConfiguration
     @logger = @logstashLoganalyticsConfiguration.logger
 
@@ -22,28 +22,78 @@ require "logstash/sentinel_la/logAnalyticsAadTokenProvider"
     @uri = sprintf("%s/dataCollectionRules/%s/streams/%s?api-version=%s",@logstashLoganalyticsConfiguration.data_collection_endpoint, @logstashLoganalyticsConfiguration.dcr_immutable_id, logstashLoganalyticsConfiguration.dcr_stream_name, la_api_version)
     @aadTokenProvider=LogAnalyticsAadTokenProvider::new(logstashLoganalyticsConfiguration)
     @userAgent = getUserAgent()
+    
+    # Auto close connection after 60 seconds of inactivity
+    @connectionAutoClose = {
+      :last_use => Time.now,
+      :lock => Mutex.new,
+      :max_idel_time => 60,
+      :is_closed => true
+    }
+
+    @timer = Thread.new do
+      loop do
+        sleep @connectionAutoClose[:max_idel_time] / 2
+        if is_connection_stale?
+          @connectionAutoClose[:lock].synchronize do
+            if is_connection_stale?
+              reset_connection
+            end
+          end
+        end
+      end
+    end
+
+   
   end # def initialize
 
   # Post the given json to Azure Loganalytics
   def post_data(body)
     raise ConfigError, 'no json_records' if body.empty?
+    response = nil
+    
+    @connectionAutoClose[:lock].synchronize do 
+      #close connection if its stale
+      if is_connection_stale?
+        reset_connection
+      end
+      if @connectionAutoClose[:is_closed]
+        open_connection
+      end
+      
+      headers = get_header()
+      # Post REST request
+      response = @connection.request(method: :post, body: body, headers: headers)
+      @connectionAutoClose[:is_closed] = false
+      @connectionAutoClose[:last_use] = Time.now
+    end
+    return response
 
-    # Create REST request header
-    headers = get_header()
-
-    # Post REST request
-
-    return RestClient::Request.execute(method: :post, url: @uri, payload: body, headers: headers,
-                                        proxy: @logstashLoganalyticsConfiguration.proxy_endpoint, timeout: 120)
   end # def post_data
 
   # Static function to return if the response is OK or else
   def self.is_successfully_posted(response)
-    return (response.code >= 200 && response.code < 300 ) ? true : false
+    return (response.status >= 200 && response.status < 300 ) ? true : false
   end # def self.is_successfully_posted
 
   private 
 
+  def open_connection
+    @connection = Excon.new(@uri, :persistent => true, :proxy => @logstashLoganalyticsConfiguration.proxy_endpoint, 
+          expects: [200, 201, 202, 204, 206, 207, 208, 226, 300, 301, 302, 303, 304, 305, 306, 307, 308],
+          read_timeout: 240, write_timeout: 240, connect_timeout: 240)
+    @logger.trace("Connection to Azure LogAnalytics was opened.");
+  end
+
+  def reset_connection
+    @connection.reset
+    @connectionAutoClose[:is_closed] = true    
+    @logger.trace("Connection to Azure LogAnalytics was closed due to inactivity.");
+  end
+
+  def is_connection_stale?
+    return Time.now - @connectionAutoClose[:last_use] > @connectionAutoClose[:max_idel_time] && !@connectionAutoClose[:is_closed]
+  end
   # Create a header for the given length 
   def get_header()
     # Getting an authorization token bearer (if the token is expired, the method will post a request to get a new authorization token)

data/lib/logstash/sentinel_la/logStashEventsBatcher.rb

@@ -2,7 +2,7 @@
 
 require "logstash/sentinel_la/logAnalyticsClient"
 require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
-
+require "excon"
 # LogStashAutoResizeBuffer class setting a resizable buffer which is flushed periodically
 # The buffer resize itself according to Azure Loganalytics  and configuration limitations
 module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
@@ -59,34 +59,35 @@ class LogStashEventsBatcher
                     return
                 else
                     @logger.trace("Rest client response ['#{response}']")
-                    @logger.error("#{api_name} request failed. Error code: #{response.code} #{try_get_info_from_error_response(response)}")
+                    @logger.error("#{api_name} request failed. Error code: #{response.pree} #{try_get_info_from_error_response(response)}")
                 end
-            rescue RestClient::Exceptions::Timeout => eto
-                @logger.trace("Timeout exception ['#{eto.display}'] when posting data to #{api_name}. Rest client response ['#{eto.response.display}']. [amount_of_documents=#{amount_of_documents}]")
-                @logger.error("Timeout exception while posting data to #{api_name}. [Exception: '#{eto}'] [amount of documents=#{amount_of_documents}]'")
-                force_retry = true
+                rescue Excon::Error::HTTPStatus => ewr
+                    response = ewr.response
+                    @logger.trace("Exception in posting data to #{api_name}. Rest client response ['#{response}']. [amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
+                    @logger.error("Exception when posting data to #{api_name}. [Exception: '#{ewr.class}'] #{try_get_info_from_error_response(ewr.response)} [amount of documents=#{amount_of_documents}]'")
 
-            rescue RestClient::ExceptionWithResponse => ewr
-                response = ewr.response
-                @logger.trace("Exception in posting data to #{api_name}. Rest client response ['#{ewr.response}']. [amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
-                @logger.error("Exception when posting data to #{api_name}. [Exception: '#{ewr}'] #{try_get_info_from_error_response(ewr.response)} [amount of documents=#{amount_of_documents}]'")
+                    if ewr.class ==  Excon::Error::BadRequest
+                        @logger.info("Not trying to resend since exception http code is 400")
+                        return                
+                    elsif ewr.class ==  Excon::Error::RequestTimeout
+                        force_retry = true
+                    elsif ewr.class ==  Excon::Error::TooManyRequests
+                        # throttling detected, backoff before resending
+                        parsed_retry_after = response.data[:headers].include?('Retry-After') ? response.data[:headers]['Retry-After'].to_i : 0
+                        seconds_to_sleep = parsed_retry_after > 0 ? parsed_retry_after : 30
 
-                if ewr.http_code.to_f == 400
-                    @logger.info("Not trying to resend since exception http code is #{ewr.http_code}")
-                    return                
-                elsif ewr.http_code.to_f == 408
+                        #force another retry even if the next iteration of the loop will be after the retransmission_timeout
+                        force_retry = true
+                    end               
+                rescue Excon::Error::Socket => ex
+                    @logger.trace("Exception: '#{ex.class.name}]#{ex} in posting data to #{api_name}. [amount_of_documents=#{amount_of_documents}]'")
                     force_retry = true
-                elsif ewr.http_code.to_f == 429
-                    # thrutteling detected, backoff before resending
-                    parsed_retry_after = response.headers.include?(:retry_after) ? response.headers[:retry_after].to_i : 0
-                    seconds_to_sleep = parsed_retry_after > 0 ? parsed_retry_after : 30
-
-                    #force another retry even if the next iteration of the loop will be after the retransmission_timeout
+                rescue Excon::Error::Timeout => ex
+                    @logger.trace("Exception: '#{ex.class.name}]#{ex} in posting data to #{api_name}. [amount_of_documents=#{amount_of_documents}]'")
                     force_retry = true
-                end
-            rescue Exception => ex
-                @logger.trace("Exception in posting data to #{api_name}.[amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")       
-                @logger.error("Exception in posting data to #{api_name}. [Exception: '#{ex}, amount of documents=#{amount_of_documents}]'")
+                rescue Exception => ex
+                    @logger.trace("Exception in posting data to #{api_name}.[amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")       
+                    @logger.error("Exception in posting data to #{api_name}. [Exception: '[#{ex.class.name}]#{ex}, amount of documents=#{amount_of_documents}]'")
             end
             is_retry = true
             @logger.info("Retrying transmission to #{api_name} in #{seconds_to_sleep} seconds.")
@@ -110,8 +111,8 @@ class LogStashEventsBatcher
     def get_request_id_from_response(response)
         output =""
         begin
-            if !response.nil? && response.headers.include?(:x_ms_request_id)
-                output += response.headers[:x_ms_request_id]
+            if !response.nil? && response.data[:headers].include?("x-ms-request-id")
+                output += response.data[:headers]["x-ms-request-id"]
             end
         rescue Exception => ex
             @logger.debug("Error while getting reqeust id from success response headers: #{ex.display}")
@@ -124,12 +125,13 @@ class LogStashEventsBatcher
         begin
             output = ""
             if !response.nil?                
-                if response.headers.include?(:x_ms_error_code)
-                    output += " [ms-error-code header: #{response.headers[:x_ms_error_code]}]"
+                if response.data[:headers].include?("x-ms-error-code")
+                    output += " [ms-error-code header: #{response.data[:headers]["x-ms-error-code"]}]"
             end
-            if response.headers.include?(:x_ms_request_id)
-                output += " [x-ms-request-id header: #{response.headers[:x_ms_request_id]}]"
+            if response.data[:headers].include?("x-ms-request-id")
+                output += " [x-ms-request-id header: #{response.data[:headers]["x-ms-request-id"]}]"
             end
+            output += " [response body: #{response.data[:body]}]"            
         end        
             return output
         rescue Exception => ex

data/lib/logstash/sentinel_la/logstashLoganalyticsConfiguration.rb

@@ -23,6 +23,12 @@ class LogstashLoganalyticsOutputConfiguration
 
         # Taking 4K safety buffer
         @MAX_SIZE_BYTES = @loganalytics_api_data_limit - 10000
+
+        @azure_clouds = {
+            "AzureCloud" => {"aad" => "https://login.microsoftonline.com", "monitor" => "https://monitor.azure.com"},
+            "AzureChinaCloud" => {"aad" => "https://login.chinacloudapi.cn", "monitor" => "https://monitor.azure.cn"},
+            "AzureUSGovernment" => {"aad" => "https://login.microsoftonline.us", "monitor" => "https://monitor.azure.us"}
+        }.freeze
     end
 	
 	def validate_configuration()
@@ -68,6 +74,9 @@ class LogstashLoganalyticsOutputConfiguration
           if @key_names.length > 500
               raise ArgumentError, 'There are over 500 key names listed to be included in the events sent to Azure Loganalytics, which exceeds the limit of columns that can be define in each table in log analytics.'
           end
+          if !@azure_clouds.key?(@azure_cloud)
+            raise ArgumentError, "The specified Azure cloud #{@azure_cloud} is not supported. Supported clouds are: #{@azure_clouds.keys.join(", ")}."
+          end
       end
         @logger.info("Azure Loganalytics configuration was found valid.")
         # If all validation pass then configuration is valid
@@ -159,10 +168,6 @@ class LogstashLoganalyticsOutputConfiguration
         @MIN_MESSAGE_AMOUNT
     end
     
-    def max_items=(new_max_items)
-        @max_items = new_max_items
-    end
-
     def key_names=(new_key_names)
         @key_names = new_key_names
     end
@@ -218,5 +223,21 @@ class LogstashLoganalyticsOutputConfiguration
     def sample_file_path=(new_sample_file_path)
         @sample_file_path = new_sample_file_path
     end
+
+    def azure_cloud
+        @azure_cloud
+    end
+
+    def azure_cloud=(new_azure_cloud)
+        @azure_cloud = new_azure_cloud
+    end
+
+    def get_aad_endpoint
+        @azure_clouds[@azure_cloud]["aad"]
+    end
+    
+    def get_monitor_endpoint
+        @azure_clouds[@azure_cloud]["monitor"]
+    end
 end
 end ;end ;end 

data/lib/logstash/sentinel_la/version.rb

@@ -1,10 +1,10 @@
 module LogStash; module Outputs;
 class MicrosoftSentinelOutputInternal
-  VERSION_INFO = [1, 1, 0].freeze
+  VERSION_INFO = [1, 1, 4].freeze
   VERSION = VERSION_INFO.map(&:to_s).join('.').freeze
 
   def self.version
     VERSION
   end
 end
-end;end
+end;end

data/microsoft-sentinel-log-analytics-logstash-output-plugin.gemspec

@@ -1,27 +1,27 @@
-require File.expand_path('../lib/logstash/sentinel_la/version', __FILE__)
-
-Gem::Specification.new do |s|
-  s.name = 'microsoft-sentinel-log-analytics-logstash-output-plugin'
-  s.version = LogStash::Outputs::MicrosoftSentinelOutputInternal::VERSION
-  s.authors = ["Microsoft Sentinel"]
-  s.email   = 'AzureSentinel@microsoft.com'
-  s.summary = %q{Microsoft Sentinel provides a new output plugin for Logstash. Use this output plugin to send any log via Logstash to the Microsoft Sentinel/Log Analytics workspace. This is done with the Log Analytics DCR-based API.}
-  s.description = s.summary
-  s.homepage = "https://github.com/Azure/Azure-Sentinel"
-  s.licenses = ["MIT"]
-  s.require_paths = ["lib"]
-
-  # Files
-  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
-   # Tests
-  s.test_files = s.files.grep(%r{^(test|spec|features)/})
-
-  # Special flag to let us know this is actually a logstash plugin
-  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "output" }
-
-  # Gem dependencies
-  s.add_runtime_dependency "rest-client", ">= 2.1.0"
-  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-  s.add_runtime_dependency "logstash-codec-plain"
-  s.add_development_dependency "logstash-devutils"
-end
+require File.expand_path('../lib/logstash/sentinel_la/version', __FILE__)
+
+Gem::Specification.new do |s|
+  s.name = 'microsoft-sentinel-log-analytics-logstash-output-plugin'
+  s.version = LogStash::Outputs::MicrosoftSentinelOutputInternal::VERSION
+  s.authors = ["Microsoft Sentinel"]
+  s.email   = 'AzureSentinel@microsoft.com'
+  s.summary = %q{Microsoft Sentinel provides a new output plugin for Logstash. Use this output plugin to send any log via Logstash to the Microsoft Sentinel/Log Analytics workspace. This is done with the Log Analytics DCR-based API.}
+  s.description = s.summary
+  s.homepage = "https://github.com/Azure/Azure-Sentinel"
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "output" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_runtime_dependency "logstash-codec-plain"
+  s.add_runtime_dependency "excon", ">= 0.88.0", "< 1.0.0"
+  s.add_development_dependency "logstash-devutils"
+end