microsoft-sentinel-log-analytics-logstash-output-plugin 2.2.1-java → 2.3.0-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -1
- data/README.md +6 -19
- data/VERSION +1 -1
- data/lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb +11 -4
- data/lib/logstash_registry.rb +16 -2
- data/lib/microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb +5 -0
- data/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin.gemspec +1 -1
- data/vendor/jar-dependencies/org/logstashplugins/{logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin/2.2.1/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin-2.2.1.jar → microsoft-sentinel-log-analytics-logstash-output-plugin/2.3.0/microsoft-sentinel-log-analytics-logstash-output-plugin-2.3.0.jar} +0 -0
- metadata +4 -4
- data/lib/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb +0 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 627bb4ae14cbb73ebfadd92ba9342f81fddba5f96a6537fd416da8ce6b19b322
|
|
4
|
+
data.tar.gz: 4b3c7f257296155d58cb48cffa520e992cfecb7028434c0ecef77823d99473df
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 380a333181a76006354d4c65899779d4f839eb7adc34aa188441f8dae073ab868cfc6fe559172066a514ad56c20cb41395e2bcfd24b0f61dc56556ae0692b66c
|
|
7
|
+
data.tar.gz: bd1566a0eba6ba8713bf415d329e1f0a09f494a3ec0301509b94a13ba49e50127956397805ee061f0a720b1173bbc091f894fe6b33ab3f84aafb62f4ec764026
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## 2.3.0
|
|
2
|
+
- Added optional Id configuration value for telemetry.
|
|
3
|
+
- Added DCR stream to sent-batches logging.
|
|
4
|
+
- Enabled functionality with logstash 9.4.
|
|
5
|
+
- Bumped dependency versions for external libraries (azure-sdk-bom, logback, slf4j, Netty).
|
|
6
|
+
|
|
1
7
|
## 2.2.1
|
|
2
8
|
- Adds info-level logging line when batches are successfully sent.
|
|
3
9
|
|
|
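Review bot: the new `## 2.3.0` entries leave out the two changes in this diff that an operator is most likely to notice when upgrading: the `_jars.rb` file and the vendored jar are renamed from `logstash-output-microsoft-sentinel-...` to `microsoft-sentinel-...` (the old require name disappears), and `logstash_registry.rb` now overrides `LogStash::Plugins::Registry#is_a_plugin?` for the whole Logstash process. Add a line for each. The entry `Added optional Id configuration value for telemetry.` also names the option `Id`, while the README table in this same diff documents it as `id` with the purpose "identification tag to be added to sent-batches logs"; use the lowercase backticked name and one consistent description in both places. Finally, `Enabled functionality with logstash 9.4.` is the only statement of a supported Logstash version anywhere in this diff; the README changes do not mention it, so consider documenting the tested range there as well.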
@@ -5,7 +11,7 @@
|
|
|
5
11
|
- Adds ability to use either new or old configuration values.
|
|
6
12
|
|
|
7
13
|
## 2.1.2
|
|
8
|
-
- Documentation updates
|
|
14
|
+
- Documentation updates.
|
|
9
15
|
|
|
10
16
|
## 2.1.1
|
|
11
17
|
- Improved efficiency.
|
data/README.md
CHANGED
|
@@ -3,8 +3,8 @@
|
|
|
3
3
|
Microsoft Sentinel provides a new output plugin for Logstash. Use this output plugin to send any log via Logstash to the Microsoft Sentinel/Log Analytics workspace. This is done with the Log Analytics DCR-based API.
|
|
4
4
|
You may send logs to custom or standard tables.
|
|
5
5
|
|
|
6
|
-
Plugin version: v2.
|
|
7
|
-
Released on: 2026-
|
|
6
|
+
Plugin version: v2.3.0
|
|
7
|
+
Released on: 2026-06-17
|
|
8
8
|
|
|
9
9
|
This plugin is currently in development and is free to use. We request and appreciate feedback from users.
|
|
10
10
|
|
|
@@ -19,7 +19,7 @@ This plugin is currently in development and is free to use. We request and appre
|
|
|
19
19
|
|
|
20
20
|
Microsoft Sentinel provides Logstash output plugin to Log analytics workspace using DCR based logs API.
|
|
21
21
|
|
|
22
|
-
The plugin is published on [RubyGems](https://rubygems.org/gems/microsoft-sentinel-log-analytics-logstash-output-plugin). To install to an existing logstash installation, run `logstash-plugin install microsoft-sentinel-log-analytics-logstash-output-plugin`.
|
|
22
|
+
The plugin is published on [RubyGems](https://rubygems.org/gems/microsoft-sentinel-log-analytics-logstash-output-plugin/versions/2.2.2-java). To install to an existing logstash installation, run `logstash-plugin install microsoft-sentinel-log-analytics-logstash-output-plugin`.
|
|
23
23
|
|
|
24
24
|
If you do not have a direct internet connection, you can install the plugin to another logstash installation, and then export and import a plugin bundle to the offline host. For more information, see [Logstash Offline Plugin Management instruction](<https://www.elastic.co/guide/en/logstash/current/offline-plugins.html>).
|
|
25
25
|
|
|
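Review bot: the RubyGems link now pins a specific version, `https://rubygems.org/gems/microsoft-sentinel-log-analytics-logstash-output-plugin/versions/2.2.2-java`, while the release being shipped is 2.3.0 (see `Plugin version: v2.3.0` in the hunk above and the `data/VERSION` change). A link to a different version is wrong the moment this ships. Either restore the unversioned gem page, as the removed line had it, or pin to `2.3.0-java` and make updating it part of the release checklist alongside `VERSION`. If the intent is to steer users to a particular version, the `logstash-plugin install` command is the better place for it (`logstash-plugin install --version 2.3.0 microsoft-sentinel-log-analytics-logstash-output-plugin`), because that is what actually determines which artifact gets installed.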
@@ -95,15 +95,13 @@ To configure Microsoft Sentinel Logstash plugin you first need to create the DCR
|
|
|
95
95
|
|
|
96
96
|
*Note:* The identity (service principal or managed identity) must have the **Monitoring Metrics Publisher** role on the target DCR:
|
|
97
97
|
|
|
98
|
-
```
|
|
99
98
|
az role assignment create \
|
|
100
99
|
--assignee <object-id-of-identity> \
|
|
101
100
|
--role "Monitoring Metrics Publisher" \
|
|
102
101
|
--scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Insights/dataCollectionRules/<dcr-name>"
|
|
103
|
-
```
|
|
104
102
|
|
|
105
103
|
|
|
106
|
-
## 4. Configure
|
|
104
|
+
## 4. Configure Logstash configuration file
|
|
107
105
|
|
|
108
106
|
Add the `microsoft-sentinel-log-analytics-logstash-output-plugin` block to the `output` section of your Logstash configuration file (e.g., `logstash.conf`). The plugin requires three values from your Azure DCR resources plus authentication credentials depending on your method.
|
|
109
107
|
|
|
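Review bot: old lines 98 and 103 remove the triple-backtick fence lines around the `az role assignment create` block and no replacement fence is added in this hunk, so the multi-line command with its trailing backslashes would now render as a single run-on paragraph. The same pattern repeats in every later README hunk (Option 1 through Option 4, the full `logstash.conf` example and the `getprotobyname_r` warning): fence lines are removed and only one is re-added (new line 237). If the goal was to add language tags to the fences, the tagged opening lines would appear as `+` lines; as rendered here, the README simply loses its code blocks, so please diff the rendered README before merging. Separately, the new heading `## 4. Configure Logstash configuration file` reads awkwardly; `## 4. Configure the Logstash configuration file` or `## 4. Edit the Logstash configuration file` would be clearer.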
@@ -125,7 +123,6 @@ The plugin auto-detects the auth method based on which config values are present
|
|
|
125
123
|
|
|
126
124
|
Provide `client_id`, `client_secret`, and `tenant_id` for your Azure App Registration / service principal.
|
|
127
125
|
|
|
128
|
-
```
|
|
129
126
|
output {
|
|
130
127
|
microsoft-sentinel-log-analytics-logstash-output-plugin {
|
|
131
128
|
data_collection_endpoint => "https://<your-dce-name>.<region>.ingest.monitor.azure.com"
|
|
@@ -136,14 +133,12 @@ Provide `client_id`, `client_secret`, and `tenant_id` for your Azure App Registr
|
|
|
136
133
|
tenant_id => "<your-azure-tenant-id>"
|
|
137
134
|
}
|
|
138
135
|
}
|
|
139
|
-
```
|
|
140
136
|
|
|
141
137
|
|
|
142
138
|
#### Option 2: Managed Identity
|
|
143
139
|
|
|
144
140
|
When running on an Azure VM with a system-assigned managed identity, omit `client_id`, `client_secret`, and `tenant_id`. The plugin will automatically use the VM's managed identity.
|
|
145
141
|
|
|
146
|
-
```
|
|
147
142
|
output {
|
|
148
143
|
microsoft-sentinel-log-analytics-logstash-output-plugin {
|
|
149
144
|
data_collection_endpoint => "https://<your-dce-name>.<region>.ingest.monitor.azure.com"
|
|
@@ -151,13 +146,11 @@ When running on an Azure VM with a system-assigned managed identity, omit `clien
|
|
|
151
146
|
stream_name => "Custom-MyTableRawData_CL"
|
|
152
147
|
}
|
|
153
148
|
}
|
|
154
|
-
```
|
|
155
149
|
|
|
156
150
|
#### Option 3: Client Secret + Sovereign Cloud
|
|
157
151
|
|
|
158
152
|
To authenticate against a sovereign cloud, add `azure_cloud`. Supported values: `AzurePublicCloud` (default), `AzureUSGovernment`, `AzureChinaCloud`, `AzureGermanyCloud`.
|
|
159
153
|
|
|
160
|
-
```
|
|
161
154
|
output {
|
|
162
155
|
microsoft-sentinel-log-analytics-logstash-output-plugin {
|
|
163
156
|
data_collection_endpoint => "https://<your-dce-ingestion-endpoint>"
|
|
@@ -169,11 +162,9 @@ To authenticate against a sovereign cloud, add `azure_cloud`. Supported values:
|
|
|
169
162
|
azure_cloud => "AzureUSGovernment"
|
|
170
163
|
}
|
|
171
164
|
}
|
|
172
|
-
```
|
|
173
165
|
|
|
174
166
|
#### Option 4: Managed Identity + Sovereign Cloud
|
|
175
167
|
|
|
176
|
-
```
|
|
177
168
|
output {
|
|
178
169
|
microsoft-sentinel-log-analytics-logstash-output-plugin {
|
|
179
170
|
data_collection_endpoint => "https://<your-dce-ingestion-endpoint>"
|
|
@@ -182,7 +173,6 @@ To authenticate against a sovereign cloud, add `azure_cloud`. Supported values:
|
|
|
182
173
|
azure_cloud => "AzureUSGovernment"
|
|
183
174
|
}
|
|
184
175
|
}
|
|
185
|
-
```
|
|
186
176
|
---
|
|
187
177
|
Security notice: We recommend not to implicitly state client_id, client_secret, tenant_id, data_collection_endpoint, and dcr_id in your Logstash configuration for security reasons.
|
|
188
178
|
It is best to store this sensitive information in a Logstash KeyStore as described here- ['Secrets Keystore'](<https://www.elastic.co/guide/en/logstash/current/keystore.html>)
|
|
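Review bot: the context line `Security notice: We recommend not to implicitly state client_id, client_secret, tenant_id, data_collection_endpoint, and dcr_id in your Logstash configuration` says `implicitly` where `explicitly` is clearly meant (the advice is against writing these values in plain text in the config file); since the README is being edited in this release, fix the word here. The next line, `as described here- ['Secrets Keystore'](...)`, also needs a space before the link and a closing full stop. The recommendation itself is the right one and deserves a concrete form: `client_secret` in particular should be referenced as `${CLIENT_SECRET}` from the Logstash keystore rather than written into a file that is easy to copy into tickets or commit to configuration management.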
@@ -193,7 +183,6 @@ Security notice: We recommend not to implicitly state client_id, client_secret,
|
|
|
193
183
|
|
|
194
184
|
A complete `logstash.conf` using client secret auth with a Beats input:
|
|
195
185
|
|
|
196
|
-
```
|
|
197
186
|
input {
|
|
198
187
|
beats {
|
|
199
188
|
port => 5044
|
|
@@ -213,7 +202,6 @@ A complete `logstash.conf` using client secret auth with a Beats input:
|
|
|
213
202
|
tenant_id => "72f988bf-86f1-41af-91ab-xxxxxxxxxxxx"
|
|
214
203
|
}
|
|
215
204
|
}
|
|
216
|
-
```
|
|
217
205
|
---
|
|
218
206
|
|
|
219
207
|
## Optional Config Values
|
|
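Review bot: the full example's `tenant_id => "72f988bf-86f1-41af-91ab-xxxxxxxxxxxx"` is a partially masked value rather than a pure placeholder, unlike `<your-azure-tenant-id>` used in the Option 1 example earlier in this file. Samples that look like real identifiers get copied verbatim and then fail in confusing ways, and a partly real GUID discloses more than documentation needs to. Replace it with `<your-azure-tenant-id>` or an obviously fake value such as `00000000-0000-0000-0000-000000000000`, matching the placeholder style of the other examples.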
@@ -234,18 +222,17 @@ A complete `logstash.conf` using client secret auth with a Beats input:
|
|
|
234
222
|
| `batcher_workers_count` | *(auto)* | Number of batcher threads |
|
|
235
223
|
| `sender_workers_count` | *(auto)* | Number of sender threads |
|
|
236
224
|
| `unifier_workers_count` | *(auto)* | Number of unifier threads |
|
|
225
|
+
| `id` | `None` | A custom identification tag to be added to sent-batches logs |
|
|
237
226
|
|
|
238
227
|
## Known issues
|
|
239
228
|
|
|
240
229
|
When using Logstash installed on a Docker image of Lite Ubuntu, the following warning may appear:
|
|
241
230
|
|
|
242
|
-
```
|
|
243
231
|
java.lang.RuntimeException: getprotobyname_r failed
|
|
244
|
-
```
|
|
245
232
|
|
|
246
233
|
To resolve it, use the following commands to install the *netbase* package within your Dockerfile:
|
|
247
234
|
```
|
|
248
235
|
USER root
|
|
249
236
|
RUN apt install netbase -y
|
|
250
|
-
```
|
|
237
|
+
```
|
|
251
238
|
For more information, see [JNR regression in Logstash 7.17.0 (Docker)](https://github.com/elastic/logstash/issues/13703).
|
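Review bot: the new table row `| `id` | `None` | A custom identification tag to be added to sent-batches logs |` uses `None` for the default, which reads as a Python literal; the other rows use `*(auto)*`, and the honest default here is "unset", so write that. More importantly, `id` is already the name of the common per-plugin option that every Logstash plugin accepts and that the monitoring API and plugin log messages use to tell instances apart; say explicitly whether this documented `id` is that same setting being surfaced in the sent-batches log line, or a separate value, and if it is separate consider a less overloaded name. The changelog in this diff describes it as an `Id` value "for telemetry" while this row calls it a tag for logs; pick one description. Also, old lines 242 and 244 remove the fence lines around `java.lang.RuntimeException: getprotobyname_r failed`, so that message now renders as prose rather than as output.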
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.
|
|
1
|
+
2.3.0
|
|
@@ -1,7 +1,14 @@
|
|
|
1
1
|
# AUTOGENERATED BY THE GRADLE SCRIPT. EDITS WILL BE OVERWRITTEN.
|
|
2
2
|
# encoding: utf-8
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
require "logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin_jars"
|
|
3
|
+
require "logstash/outputs/base"
|
|
4
|
+
require "logstash/namespace"
|
|
5
|
+
require "microsoft-sentinel-log-analytics-logstash-output-plugin_jars"
|
|
7
6
|
require "java"
|
|
7
|
+
|
|
8
|
+
class LogStash::Outputs::MicrosoftSentinelLogAnalyticsLogstashOutputPlugin < LogStash::Outputs::Base
|
|
9
|
+
config_name "microsoft-sentinel-log-analytics-logstash-output-plugin"
|
|
10
|
+
|
|
11
|
+
def self.javaClass
|
|
12
|
+
Java::org.logstashplugins.MicrosoftSentinelLogAnalyticsLogstashOutputPlugin.java_class
|
|
13
|
+
end
|
|
14
|
+
end
|
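Review bot: the new `LogStash::Outputs::MicrosoftSentinelLogAnalyticsLogstashOutputPlugin < LogStash::Outputs::Base` defines `config_name` and `self.javaClass` but no `register`, `receive` or `multi_receive`, so it is a lookup shim rather than a working Ruby output; for this to function, Logstash must resolve the real implementation through `javaClass`. Since the file header says `AUTOGENERATED BY THE GRADLE SCRIPT`, put a one-line comment in the generator template stating that intent, otherwise the next maintainer will expect a Ruby implementation here. The require changes from `logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin_jars` to `microsoft-sentinel-log-analytics-logstash-output-plugin_jars`, which matches the renamed file in the `metadata` file list; confirm that nothing else in the gem (for example the `Gemfile` listed there, or a test helper) still requires the old name, because the old `_jars.rb` is removed in this release.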
data/lib/logstash_registry.rb
CHANGED
|
@@ -1,4 +1,18 @@
|
|
|
1
1
|
# AUTOGENERATED BY THE GRADLE SCRIPT. EDITS WILL BE OVERWRITTEN.
|
|
2
2
|
# encoding: utf-8
|
|
3
|
-
require "logstash
|
|
4
|
-
|
|
3
|
+
require "logstash/plugins/registry"
|
|
4
|
+
|
|
5
|
+
# Workaround for elastic/logstash registry.rb#is_a_plugin? not handling
|
|
6
|
+
# Java plugin classes whose name uses dashes. Strip both '-' and '_'.
|
|
7
|
+
LogStash::Plugins::Registry.class_eval do
|
|
8
|
+
define_method(:is_a_plugin?) do |klass, name|
|
|
9
|
+
if klass.class == Java::JavaLang::Class
|
|
10
|
+
klass.simple_name.downcase == name.gsub(/[-_]/, '')
|
|
11
|
+
else
|
|
12
|
+
klass.ancestors.include?(LogStash::Plugin) && klass.respond_to?(:config_name) && klass.config_name == name
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
require "logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin"
|
|
18
|
+
LogStash::PLUGIN_REGISTRY.add(:output, "microsoft-sentinel-log-analytics-logstash-output-plugin", LogStash::Outputs::MicrosoftSentinelLogAnalyticsLogstashOutputPlugin)
|
|
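Review bot: the `class_eval` / `define_method(:is_a_plugin?)` block replaces a core `LogStash::Plugins::Registry` method for the whole Logstash process, not just for this plugin, so every other plugin's registration now runs through this gem's copy of the logic. Two consequences need handling. First, the `else` branch is a frozen copy of upstream behaviour, so any later upstream change to `is_a_plugin?` is silently reverted for as long as this gem is installed. Second, the override is unconditional, so once a Logstash release handles dashed Java class names itself, this copy still wins. Narrow it: keep the original with `alias_method :is_a_plugin_without_dashes?, :is_a_plugin?`, delegate to it first, and apply the `name.gsub(/[-_]/, '')` comparison only when `klass.class == Java::JavaLang::Class` and the original returned false. Guard it by the Logstash version it was tested against (the changelog names 9.4) or at least emit a warning when the override is installed, so an operator debugging plugin-loading problems can see that registry matching has been altered by a gem. A gem that patches the plugin registry at `require` time is precisely the kind of change a reviewer expects to find called out in the changelog; the `## 2.3.0` entries in this diff do not mention it.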
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# AUTOGENERATED BY THE GRADLE SCRIPT. EDITS WILL BE OVERWRITTEN.
|
|
2
2
|
Gem::Specification.new do |s|
|
|
3
3
|
s.name = 'microsoft-sentinel-log-analytics-logstash-output-plugin'
|
|
4
|
-
s.version = '2.
|
|
4
|
+
s.version = '2.3.0'
|
|
5
5
|
s.licenses = ['Apache-2.0']
|
|
6
6
|
s.summary = 'Microsoft Sentinel Log Analytics output plugin'
|
|
7
7
|
s.description = 'Microsoft Sentinel provides a new output plugin for Logstash. Use this output plugin to send any log via Logstash to the Microsoft Sentinel/Log Analytics workspace. This is done with the Log Analytics DCR-based API.'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: microsoft-sentinel-log-analytics-logstash-output-plugin
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.3.0
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Microsoft
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2026-
|
|
11
|
+
date: 2026-06-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -71,11 +71,11 @@ files:
|
|
|
71
71
|
- Gemfile
|
|
72
72
|
- README.md
|
|
73
73
|
- VERSION
|
|
74
|
-
- lib/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb
|
|
75
74
|
- lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb
|
|
76
75
|
- lib/logstash_registry.rb
|
|
76
|
+
- lib/microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb
|
|
77
77
|
- logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin.gemspec
|
|
78
|
-
- vendor/jar-dependencies/org/logstashplugins/
|
|
78
|
+
- vendor/jar-dependencies/org/logstashplugins/microsoft-sentinel-log-analytics-logstash-output-plugin/2.3.0/microsoft-sentinel-log-analytics-logstash-output-plugin-2.3.0.jar
|
|
79
79
|
homepage:
|
|
80
80
|
licenses:
|
|
81
81
|
- Apache-2.0
|
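Review bot: the file list swaps `lib/logstash-output-microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb` for `lib/microsoft-sentinel-log-analytics-logstash-output-plugin_jars.rb` and moves the vendored jar to `vendor/jar-dependencies/org/logstashplugins/microsoft-sentinel-log-analytics-logstash-output-plugin/2.3.0/microsoft-sentinel-log-analytics-logstash-output-plugin-2.3.0.jar`, which is consistent with the `require` change in the output plugin file. Because the jar's artifact name changed and not only its version, the new `_jars.rb` (listed as `+5 -0` in the summary but not shown here) should be checked to confirm it points at this exact path, and the rename belongs in the changelog for anyone who built an offline plugin bundle from the old layout.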