microsoft-sentinel-log-analytics-logstash-output-plugin 2.2.0-java → 2.3.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f77b193c8121a3b1e99f505cbf101c5f882f8bc307c7e44d5d23c26775230a3
-  data.tar.gz: d4ad2452b52b6c7e17e7ee60264eece406f38a45f0be65c84fea33e770134d6c
+  metadata.gz: 627bb4ae14cbb73ebfadd92ba9342f81fddba5f96a6537fd416da8ce6b19b322
+  data.tar.gz: 4b3c7f257296155d58cb48cffa520e992cfecb7028434c0ecef77823d99473df
 SHA512:
-  metadata.gz: 1994c3752c45290802f5979b00ca25ac27e3bf3d5dd6237741ff29332077b255f433857ab3485c57cccdf2f402a2d7efd25b357b61ead3eb3dcb26515e4a9a22
-  data.tar.gz: cd681f40f8fa06b4eda60015052cd247904acdaefea5dc9294cdb017b64ffa30b10f15d47dfab9b539714cfd7f14d7fa4dd6c39893c12e56bb8bd750678c83d2
+  metadata.gz: 380a333181a76006354d4c65899779d4f839eb7adc34aa188441f8dae073ab868cfc6fe559172066a514ad56c20cb41395e2bcfd24b0f61dc56556ae0692b66c
+  data.tar.gz: bd1566a0eba6ba8713bf415d329e1f0a09f494a3ec0301509b94a13ba49e50127956397805ee061f0a720b1173bbc091f894fe6b33ab3f84aafb62f4ec764026

data/CHANGELOG.md

@@ -0,0 +1,24 @@
+## 2.3.0
+- Added optional Id configuration value for telemetry.
+- Added DCR stream to sent-batches logging.
+- Enabled functionality with logstash 9.4.
+- Bumped dependency versions for external libraries (azure-sdk-bom, logback, slf4j, Netty).
+
+## 2.2.1
+- Adds info-level logging line when batches are successfully sent.
+
+## 2.2.0
+- Adds ability to use either new or old configuration values.
+
+## 2.1.2
+- Documentation updates.
+
+## 2.1.1
+- Improved efficiency.
+
+## 2.1.0
+- Fixed event normalization.
+
+## 2.0.0
+- Refactored the plugin from Ruby to Java.
+- Added ManagedIdentity authentication.

data/README.md

@@ -3,8 +3,8 @@
 Microsoft Sentinel provides a new output plugin for Logstash. Use this output plugin to send any log via Logstash to the Microsoft Sentinel/Log Analytics workspace. This is done with the Log Analytics DCR-based API.
 You may send logs to custom or standard tables.  
 
-Plugin version: v2.2.0  
-Released on: 2026-05-04  
+Plugin version: v2.3.0  
+Released on: 2026-06-17  
 
 This plugin is currently in development and is free to use. We request and appreciate feedback from users.  
 
@@ -19,18 +19,19 @@ This plugin is currently in development and is free to use. We request and appre
 
 Microsoft Sentinel provides Logstash output plugin to Log analytics workspace using DCR based logs API.  
 
-The plugin is published on [RubyGems](https://rubygems.org/gems/microsoft-sentinel-log-analytics-logstash-output-plugin). To install to an existing logstash installation, run `logstash-plugin install microsoft-sentinel-log-analytics-logstash-output-plugin`.  
+The plugin is published on [RubyGems](https://rubygems.org/gems/microsoft-sentinel-log-analytics-logstash-output-plugin/versions/2.2.2-java). To install to an existing logstash installation, run `logstash-plugin install microsoft-sentinel-log-analytics-logstash-output-plugin`.  
 
 If you do not have a direct internet connection, you can install the plugin to another logstash installation, and then export and import a plugin bundle to the offline host. For more information, see [Logstash Offline Plugin Management instruction](<https://www.elastic.co/guide/en/logstash/current/offline-plugins.html>).  
 
 Microsoft Sentinel's Logstash output plugin supports the following versions  
 - 7.0 - 7.17.13  
-- 8.0 - 8.9  
-- 8.11 - 8.15  
-- 8.19.2  
-- 9.0.8  
-- 9.1.10  
-- 9.2.4 - 9.2.5  
+- 8.0 - 8.9 (NOTE: these versions require a security update, according to Logstash!)  
+- 8.11 - 8.15 (NOTE: these versions require a security update, according to Logstash!)  
+- 8.19.2 (NOTE: this version requires a security update, according to Logstash!)  
+- 9.0.8 (NOTE: this version requires a security update, according to Logstash!)  
+- 9.1.10 (NOTE: this version requires a security update, according to Logstash!)  
+- 9.2.4 - 9.2.5 (NOTE: these versions require a security update, according to Logstash! [Security Update](https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816))  
+- 9.3.3
 
 Please note that when using Logstash 8, it is recommended to disable ECS in the pipeline. For more information refer to [Logstash documentation.](<https://www.elastic.co/guide/en/logstash/8.4/ecs-ls.html>)  
 
@@ -94,15 +95,13 @@ To configure Microsoft Sentinel Logstash plugin you first need to create the DCR
 
 *Note:* The identity (service principal or managed identity) must have the **Monitoring Metrics Publisher** role on the target DCR:  
 
-    ```bash
     az role assignment create \
       --assignee <object-id-of-identity> \
       --role "Monitoring Metrics Publisher" \
       --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Insights/dataCollectionRules/<dcr-name>"
-    ```
 
 
-## 4. Configure the Output Plugin
+## 4. Configure Logstash configuration file
 
 Add the `microsoft-sentinel-log-analytics-logstash-output-plugin` block to the `output` section of your Logstash configuration file (e.g., `logstash.conf`). The plugin requires three values from your Azure DCR resources plus authentication credentials depending on your method.  
 
@@ -124,7 +123,6 @@ The plugin auto-detects the auth method based on which config values are present
 
 Provide `client_id`, `client_secret`, and `tenant_id` for your Azure App Registration / service principal.  
 
-    ```logstash
     output {
       microsoft-sentinel-log-analytics-logstash-output-plugin {
         data_collection_endpoint => "https://<your-dce-name>.<region>.ingest.monitor.azure.com"
@@ -135,14 +133,12 @@ Provide `client_id`, `client_secret`, and `tenant_id` for your Azure App Registr
         tenant_id                => "<your-azure-tenant-id>"
       }
     }
-    ```
 
 
 #### Option 2: Managed Identity
 
 When running on an Azure VM with a system-assigned managed identity, omit `client_id`, `client_secret`, and `tenant_id`. The plugin will automatically use the VM's managed identity.  
 
-    ```logstash
     output {
       microsoft-sentinel-log-analytics-logstash-output-plugin {
         data_collection_endpoint => "https://<your-dce-name>.<region>.ingest.monitor.azure.com"
@@ -150,13 +146,11 @@ When running on an Azure VM with a system-assigned managed identity, omit `clien
         stream_name              => "Custom-MyTableRawData_CL"
       }
     }
-    ```
 
 #### Option 3: Client Secret + Sovereign Cloud
 
 To authenticate against a sovereign cloud, add `azure_cloud`. Supported values: `AzurePublicCloud` (default), `AzureUSGovernment`, `AzureChinaCloud`, `AzureGermanyCloud`.  
 
-    ```logstash
     output {
       microsoft-sentinel-log-analytics-logstash-output-plugin {
         data_collection_endpoint => "https://<your-dce-ingestion-endpoint>"
@@ -168,11 +162,9 @@ To authenticate against a sovereign cloud, add `azure_cloud`. Supported values:
         azure_cloud              => "AzureUSGovernment"
       }
     }
-    ```
 
 #### Option 4: Managed Identity + Sovereign Cloud
 
-    ```logstash
     output {
       microsoft-sentinel-log-analytics-logstash-output-plugin {
         data_collection_endpoint => "https://<your-dce-ingestion-endpoint>"
@@ -181,7 +173,6 @@ To authenticate against a sovereign cloud, add `azure_cloud`. Supported values:
         azure_cloud              => "AzureUSGovernment"
       }
     }
-    ```
 ---
 Security notice: We recommend not to implicitly state client_id, client_secret, tenant_id, data_collection_endpoint, and dcr_id in your Logstash configuration for security reasons.  
                  It is best to store this sensitive information in a Logstash KeyStore as described here- ['Secrets Keystore'](<https://www.elastic.co/guide/en/logstash/current/keystore.html>)  
@@ -192,7 +183,6 @@ Security notice: We recommend not to implicitly state client_id, client_secret,
 
 A complete `logstash.conf` using client secret auth with a Beats input:  
 
-    ```logstash
     input {
       beats {
         port => 5044
@@ -212,7 +202,6 @@ A complete `logstash.conf` using client secret auth with a Beats input:
         tenant_id                => "72f988bf-86f1-41af-91ab-xxxxxxxxxxxx"
       }
     }
-    ```
 ---
 
 ## Optional Config Values
@@ -233,18 +222,17 @@ A complete `logstash.conf` using client secret auth with a Beats input:
 | `batcher_workers_count` | *(auto)* | Number of batcher threads |  
 | `sender_workers_count` | *(auto)* | Number of sender threads |  
 | `unifier_workers_count` | *(auto)* | Number of unifier threads |  
+| `id` | `None` | A custom identification tag to be added to sent-batches logs |  
 
 ## Known issues
  
 When using Logstash installed on a Docker image of Lite Ubuntu, the following warning may appear:  
 
-    ```
     java.lang.RuntimeException: getprotobyname_r failed
-    ```
 
 To resolve it, use the following commands to install the *netbase* package within your Dockerfile:  
-    ```bash
+    ```
     USER root
     RUN apt install netbase -y
-    ```
+    ```  
 For more information, see [JNR regression in Logstash 7.17.0 (Docker)](https://github.com/elastic/logstash/issues/13703).  

data/VERSION

@@ -1 +1 @@
-2.2.0
+2.3.0

data/lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb

@@ -1,7 +1,14 @@
 # AUTOGENERATED BY THE GRADLE SCRIPT. EDITS WILL BE OVERWRITTEN.
 # encoding: utf-8
-
-# NOTE: Java plugin (no Ruby plugin class). This file exists only to ensure
-# jar-dependencies loads the packaged jar into JRuby's classpath.
-require "logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin_jars"
+require "logstash/outputs/base"
+require "logstash/namespace"
+require "microsoft-sentinel-log-analytics-logstash-output-plugin_jars"
 require "java"
+
+class LogStash::Outputs::MicrosoftSentinelLogAnalyticsLogstashOutputPlugin < LogStash::Outputs::Base
+  config_name "microsoft-sentinel-log-analytics-logstash-output-plugin"
+
+  def self.javaClass
+    Java::org.logstashplugins.MicrosoftSentinelLogAnalyticsLogstashOutputPlugin.java_class
+  end
+end

data/lib/logstash_registry.rb

@@ -1,4 +1,18 @@
 # AUTOGENERATED BY THE GRADLE SCRIPT. EDITS WILL BE OVERWRITTEN.
 # encoding: utf-8
-require "logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin_jars"
-require "java"
+require "logstash/plugins/registry"
+
+# Workaround for elastic/logstash registry.rb#is_a_plugin? not handling
+# Java plugin classes whose name uses dashes. Strip both '-' and '_'.
+LogStash::Plugins::Registry.class_eval do
+  define_method(:is_a_plugin?) do |klass, name|
+    if klass.class == Java::JavaLang::Class
+      klass.simple_name.downcase == name.gsub(/[-_]/, '')
+    else
+      klass.ancestors.include?(LogStash::Plugin) && klass.respond_to?(:config_name) && klass.config_name == name
+    end
+  end
+end
+
+require "logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin"
+LogStash::PLUGIN_REGISTRY.add(:output, "microsoft-sentinel-log-analytics-logstash-output-plugin", LogStash::Outputs::MicrosoftSentinelLogAnalyticsLogstashOutputPlugin)

data/lib/microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb

@@ -0,0 +1,5 @@
+# AUTOGENERATED BY THE GRADLE SCRIPT. EDITS WILL BE OVERWRITTEN.
+# encoding: utf-8
+
+require 'jar_dependencies'
+require_jar('org.logstashplugins', 'microsoft-sentinel-log-analytics-logstash-output-plugin', '2.3.0')

data/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin.gemspec

@@ -1,7 +1,7 @@
 # AUTOGENERATED BY THE GRADLE SCRIPT. EDITS WILL BE OVERWRITTEN.
 Gem::Specification.new do |s|
   s.name            = 'microsoft-sentinel-log-analytics-logstash-output-plugin'
-  s.version         = '2.2.0'
+  s.version         = '2.3.0'
   s.licenses        = ['Apache-2.0']
   s.summary         = 'Microsoft Sentinel Log Analytics output plugin'
   s.description     = 'Microsoft Sentinel provides a new output plugin for Logstash. Use this output plugin to send any log via Logstash to the Microsoft Sentinel/Log Analytics workspace. This is done with the Log Analytics DCR-based API.'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: microsoft-sentinel-log-analytics-logstash-output-plugin
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.0
 platform: java
 authors:
 - Microsoft
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-04 00:00:00.000000000 Z
+date: 2026-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -67,14 +67,15 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
 - Gemfile
 - README.md
 - VERSION
-- lib/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb
 - lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb
 - lib/logstash_registry.rb
+- lib/microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb
 - logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin.gemspec
-- vendor/jar-dependencies/org/logstashplugins/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin/2.2.0/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin-2.2.0.jar
+- vendor/jar-dependencies/org/logstashplugins/microsoft-sentinel-log-analytics-logstash-output-plugin/2.3.0/microsoft-sentinel-log-analytics-logstash-output-plugin-2.3.0.jar
 homepage:
 licenses:
 - Apache-2.0

data/lib/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb

@@ -1,5 +0,0 @@
-# AUTOGENERATED BY THE GRADLE SCRIPT. EDITS WILL BE OVERWRITTEN.
-# encoding: utf-8
-
-require 'jar_dependencies'
-require_jar('org.logstashplugins', 'logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin', '2.2.0')