microsoft-sentinel-logstash-output-plugin 1.0.1

data/lib/logstash/sentinel/eventsHandler.rb

@@ -0,0 +1,58 @@
+# encoding: utf-8
+require "logstash/sentinel/logstashLoganalyticsConfiguration"
+
+module LogStash
+  module Outputs
+    class MicrosoftSentinelOutputInternal
+      class EventsHandler
+
+        def initialize(logstashLogAnalyticsConfiguration)
+          @logstashLogAnalyticsConfiguration = logstashLogAnalyticsConfiguration
+          @logger = logstashLogAnalyticsConfiguration.logger
+          @key_names = logstashLogAnalyticsConfiguration.key_names
+          @columns_to_modify = {"@timestamp" => "ls_timestamp", "@version" => "ls_version"}
+        end
+
+        def handle_events(events)
+          raise "Method handle_events not implemented"
+        end
+
+        def close
+          raise "Method close not implemented"
+        end
+
+        # In case that the user has defined key_names meaning that he would like to a subset of the data,
+        # we would like to insert only those keys.
+        # If no keys were defined we will send all the data
+        def create_event_document(event)
+          document = {}
+          event_hash = event.to_hash
+
+          @columns_to_modify.each {|original_key, new_key|
+            if event_hash.has_key?(original_key)
+              event_hash[new_key] = event_hash[original_key]
+              event_hash.delete(original_key)
+            end
+          }
+
+          if @key_names.length > 0
+            # Get the intersection of key_names and keys of event_hash
+            keys_intersection = @key_names & event_hash.keys
+            keys_intersection.each do |key|
+              document[key] = event_hash[key]
+            end
+            if document.keys.length < 1
+              @logger.warn("No keys found, message is dropped. Plugin keys: #{@key_names}, Event keys: #{event_hash}. The event message do not match event expected structre. Please edit key_names section in output plugin and try again.")
+            end
+          else
+            document = event_hash
+          end
+
+          return document
+        end
+        # def create_event_document
+
+      end
+    end
+  end
+end

data/lib/logstash/sentinel/logAnalyticsAadTokenProvider.rb

@@ -0,0 +1,93 @@
+# encoding: utf-8
+require "logstash/sentinel/logstashLoganalyticsConfiguration"
+require 'rest-client'
+require 'json'
+require 'openssl'
+require 'base64'
+require 'time'
+
+module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
+class LogAnalyticsAadTokenProvider
+  def initialize (logstashLoganalyticsConfiguration)
+    set_proxy(logstashLoganalyticsConfiguration.proxy)
+    scope = CGI.escape("https://monitor.azure.com//.default")
+    @token_request_body = sprintf("client_id=%s&scope=%s&client_secret=%s&grant_type=client_credentials", logstashLoganalyticsConfiguration.client_app_Id, scope, logstashLoganalyticsConfiguration.client_app_secret)
+    @token_request_uri = sprintf("https://login.microsoftonline.com/%s/oauth2/v2.0/token", logstashLoganalyticsConfiguration.tenant_id)
+    @token_state = {
+      :access_token => nil,
+      :expiry_time => nil,
+      :token_details_mutex => Mutex.new,
+    }
+    @logger = logstashLoganalyticsConfiguration.logger
+  end # def initialize
+
+  # Public methods
+  public
+
+  def get_aad_token_bearer()
+    @token_state[:token_details_mutex].synchronize do
+      if is_saved_token_need_refresh()
+        refresh_saved_token()
+      end
+      return @token_state[:access_token]
+    end
+  end # def get_aad_token_bearer
+
+  # Private  methods
+  private
+  
+  def is_saved_token_need_refresh()
+    return @token_state[:access_token].nil? || @token_state[:expiry_time].nil? || @token_state[:expiry_time] <= Time.now
+  end # def is_saved_token_need_refresh
+
+  def refresh_saved_token()
+    @logger.info("aad token expired - refreshing token.")
+
+    token_response = post_token_request()
+    @token_state[:access_token] = token_response["access_token"]
+    @token_state[:expiry_time] = get_token_expiry_time(token_response["expires_in"])
+  end # def refresh_saved_token
+
+  def get_token_expiry_time (expires_in_seconds)
+    if (expires_in_seconds.nil? || expires_in_seconds <= 0)
+      return Time.now + (60 * 60 * 24) # Refresh anyway in 24 hours
+    else
+      return Time.now + expires_in_seconds - 1; # Decrease by 1 second to be on the safe side
+    end
+  end # def get_token_expiry_time
+
+  # Post the given json to Azure Loganalytics
+  def post_token_request()
+    # Create REST request header
+    header = get_header()
+    begin
+        # Post REST request 
+        response = RestClient.post(@token_request_uri, @token_request_body, header)        
+        if (response.code == 200 || response.code == 201)
+          return JSON.parse(response.body)
+        else
+          @logger.trace("Rest client response from ADD API ['#{response}']")
+          raise ("Failed to get AAD token: http code " + response.code.to_s)
+        end
+    rescue RestClient::ExceptionWithResponse => ewr
+        @logger.trace("Rest client response from ADD API ['#{ewr.response}']")
+        raise ("Failed to get AAD token: http code " + ewr.response.code.to_s)
+    end
+  end # def post_token_request
+
+  # Create a header
+  def get_header()
+    return {
+      'Content-Type' => 'application/x-www-form-urlencoded',
+    }
+  end # def get_header
+
+  # Setting proxy for the REST client.
+  # This option is not used in the output plugin and will be used 
+  #  
+  def set_proxy(proxy='')
+    RestClient.proxy = proxy.empty? ? ENV['http_proxy'] : proxy
+  end # def set_proxy
+
+end # end of class
+end ;end ;end 

data/lib/logstash/sentinel/logAnalyticsClient.rb

@@ -0,0 +1,90 @@
+# encoding: utf-8
+require "logstash/sentinel/version"
+require 'rest-client'
+require 'json'
+require 'openssl'
+require 'base64'
+require 'time'
+require 'rbconfig'
+
+module LogStash; module Outputs; class MicrosoftSentinelOutputInternal 
+class LogAnalyticsClient
+require "logstash/sentinel/logstashLoganalyticsConfiguration"
+require "logstash/sentinel/logAnalyticsAadTokenProvider"
+
+
+  def initialize (logstashLoganalyticsConfiguration)
+    @logstashLoganalyticsConfiguration = logstashLoganalyticsConfiguration
+    @logger = @logstashLoganalyticsConfiguration.logger
+
+    set_proxy(@logstashLoganalyticsConfiguration.proxy)
+    la_api_version = "2021-11-01-preview"
+    @uri = sprintf("%s/dataCollectionRules/%s/streams/%s?api-version=%s",@logstashLoganalyticsConfiguration.data_collection_endpoint, @logstashLoganalyticsConfiguration.dcr_immutable_id, logstashLoganalyticsConfiguration.dcr_stream_name, la_api_version)
+    @aadTokenProvider=LogAnalyticsAadTokenProvider::new(logstashLoganalyticsConfiguration)
+    @userAgent = getUserAgent()
+  end # def initialize
+
+  # Post the given json to Azure Loganalytics
+  def post_data(body)
+    raise ConfigError, 'no json_records' if body.empty?
+
+    # Create REST request header
+    header = get_header()
+
+    # Post REST request
+    response = RestClient.post(@uri, body, header)
+    return response
+  end # def post_data
+
+  # Static function to return if the response is OK or else
+  def self.is_successfully_posted(response)
+    return (response.code >= 200 && response.code < 300 ) ? true : false
+  end # def self.is_successfully_posted
+
+  private 
+
+  # Create a header for the given length 
+  def get_header()
+    # Getting an authorization token bearer (if the token is expired, the method will post a request to get a new authorization token)
+    token_bearer = @aadTokenProvider.get_aad_token_bearer()
+
+    headers = {
+          'Content-Type' => 'application/json',
+          'Authorization' => sprintf("Bearer %s", token_bearer),
+          'User-Agent' => @userAgent
+    }
+
+    if @logstashLoganalyticsConfiguration.compress_data
+        headers = headers.merge({
+          'Content-Encoding' => 'gzip'
+        })
+    end
+
+    return headers
+  end # def get_header
+
+  # Setting proxy for the REST client.
+  # This option is not used in the output plugin and will be used 
+  def set_proxy(proxy='')
+    RestClient.proxy = proxy.empty? ? ENV['http_proxy'] : proxy
+  end # def set_proxy
+  
+  def ruby_agent_version()
+    case RUBY_ENGINE
+        when 'jruby'
+            "jruby/#{JRUBY_VERSION} (#{RUBY_VERSION}p#{RUBY_PATCHLEVEL})"
+        else
+            "#{RUBY_ENGINE}/#{RUBY_VERSION}p#{RUBY_PATCHLEVEL}"
+    end
+  end
+
+  def architecture()
+    "#{RbConfig::CONFIG['host_os']} #{RbConfig::CONFIG['host_cpu']}"
+  end
+
+  def getUserAgent()
+    "SentinelLogstashPlugin|#{LogStash::Outputs::MicrosoftSentinelOutputInternal::VERSION}|#{architecture}|#{ruby_agent_version}"
+  end #getUserAgent
+
+end # end of class
+end ;end ;end 

data/lib/logstash/sentinel/logStashAutoResizeBuffer.rb

@@ -0,0 +1,157 @@
+# encoding: utf-8
+
+require "logstash/sentinel/logstashLoganalyticsConfiguration"
+require "logstash/sentinel/customSizeBasedBuffer"
+require "logstash/sentinel/logStashEventsBatcher"
+
+# LogStashAutoResizeBuffer class setting a resizable buffer which is flushed periodically
+# The buffer resize itself according to Azure Loganalytics  and configuration limitations
+# This buffer will increase and decrease size according to the amount of messages inserted.
+# If the buffer reached the max amount of messages the amount will be increased until the limit
+module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
+class LogStashAutoResizeBuffer < LogStashEventsBatcher
+    include CustomSizeBasedBuffer
+
+    def initialize(logstashLoganalyticsConfiguration)
+        buffer_initialize(
+          :max_items => logstashLoganalyticsConfiguration.max_items,
+          :max_interval => logstashLoganalyticsConfiguration.plugin_flush_interval,
+          :logger => logstashLoganalyticsConfiguration.logger,
+          #todo: There is a small discrepancy between the total size of the documents and the message body 
+          :flush_each => logstashLoganalyticsConfiguration.MAX_SIZE_BYTES - 2000
+        )
+        super
+    end # initialize
+
+    # Public methods
+    public
+
+    # Adding an event document into the buffer
+    def batch_event(event_document)        
+        buffer_receive(event_document)
+    end # def batch_event
+
+    # Flushing all buffer content to Azure Loganalytics.
+    # Called from Stud::Buffer#buffer_flush when there are events to flush
+    def flush (documents, close=false)
+        # Skip in case there are no candidate documents to deliver
+        if documents.length < 1
+            @logger.warn("No documents in batch for log type #{@logstashLoganalyticsConfiguration.dcr_stream_name}. Skipping")
+            return
+        end
+
+        # We send Json in the REST request 
+        documents_json = documents.to_json
+        documents_byte_size = documents_json.bytesize
+        if (documents_byte_size <= @logstashLoganalyticsConfiguration.MAX_SIZE_BYTES)
+        # Setting resizing to true will cause changing the max size
+            if @logstashLoganalyticsConfiguration.amount_resizing == true
+                # Resizing the amount of messages according to size of message received and amount of messages
+                    change_message_limit_size(documents.length, documents_byte_size)
+            end
+            send_message_to_loganalytics(documents_json, documents.length)
+        else
+            warn_documents_size_over_limitation(documents, documents_byte_size)
+            split_documents_lists = split_document_list_to_sublists_by_max_size(documents, documents_byte_size)
+            @logger.trace("Number of documents: #{documents.length}, Number of split lists to send separately: #{split_documents_lists.length}");
+            send_split_documents_list_to_loganalytics(split_documents_lists)
+        end
+    end # def flush
+
+    def close
+        buffer_flush(:final => true)
+    end
+
+    # Private methods 
+    private 
+
+    def warn_documents_size_over_limitation(documents, documents_byte_size)
+        average_document_size = documents_byte_size / documents.length
+        recommended_max_items = (@buffer_config[:flush_each] / average_document_size).floor
+        
+        if @logstashLoganalyticsConfiguration.amount_resizing == true
+            change_buffer_size(recommended_max_items)
+        else 
+            @logger.info("Warning: The size of the batch to post (#{documents_byte_size} bytes) is higher than the maximum allowed to post (#{@logstashLoganalyticsConfiguration.MAX_SIZE_BYTES}).")
+        end
+
+    end
+    # This will convert our documents list into a list of sublists. Each sublist size will be lower than the max allowed size, and will be posted separately, in order to avoid the endpoint failing the request due to size limitation..
+    def split_document_list_to_sublists_by_max_size(all_documents, documents_byte_size)
+        number_of_sublists = (documents_byte_size.to_f / @logstashLoganalyticsConfiguration.MAX_SIZE_BYTES.to_f).ceil # If max size is 1MB and actual size is 2.5MB - this will return 3.
+        split_documents_lists = all_documents.each_slice((all_documents.size/number_of_sublists.to_f).round).to_a
+        final_documents_lists = Array.new
+
+        for documents_sublist in split_documents_lists do
+            documents_sublist_byte_size = documents_sublist.to_json.bytesize
+
+            if (documents_sublist_byte_size >= @logstashLoganalyticsConfiguration.MAX_SIZE_BYTES)
+                if (documents_sublist.length > 1)
+                    final_documents_lists.concat(split_document_list_to_sublists_by_max_size(documents_sublist, documents_sublist_byte_size))
+                else
+                    @logger.error("Received document above the max allowed size - dropping the document [document size: #{current_document_size}, max allowed size: #{@logstashLoganalyticsConfiguration.MAX_SIZE_BYTES}")
+                end
+            else
+                final_documents_lists.push(documents_sublist)
+            end
+        end
+
+        return final_documents_lists
+    end
+
+    def send_split_documents_list_to_loganalytics(split_documents_lists)
+        for documents in split_documents_lists do
+            send_message_to_loganalytics(documents.to_json, documents.length)
+        end
+    end
+   
+    # We would like to change the amount of messages in the buffer (change_max_size)
+    # We change the amount according to the Azure Loganalytics limitation and the amount of messages inserted to the buffer
+    # in one sending window.
+    # Meaning that if we reached the max amount we would like to increase it.
+    # Else we would like to decrease it(to reduce latency for messages)
+    def change_message_limit_size(amount_of_documents, documents_byte_size)
+        current_buffer_size = @buffer_config[:max_items]
+        new_buffer_size = current_buffer_size 
+        average_document_size = documents_byte_size / amount_of_documents
+
+        # If window is full we need to increase it 
+        # "amount_of_documents" can be greater since buffer is not synchronized meaning 
+        # that flush can occur after limit was reached.
+        if  amount_of_documents >= current_buffer_size
+            # if doubling the size wouldn't exceed the API limit
+            if ((2 * current_buffer_size) * average_document_size) < @buffer_config[:flush_each]
+                new_buffer_size = 2 * current_buffer_size
+            # If doubling the size will exceed the API limit, change it to be as close as possible to the API limit (minus 4kb just to be safe) - but don't cause it to decrease
+            else
+                average_documents_in_4kb = (average_document_size / 4000).ceil
+                potential_new_buffer_size = (@buffer_config[:flush_each] / average_document_size) -average_documents_in_4kb
+                if potential_new_buffer_size > new_buffer_size
+                    new_buffer_size = potential_new_buffer_size
+                end
+            end
+
+        # We would like to decrease the window but not more then the MIN_MESSAGE_AMOUNT
+        # We are trying to decrease it slowly to be able to send as much messages as we can in one window 
+        elsif amount_of_documents < current_buffer_size and  current_buffer_size != [(current_buffer_size - @logstashLoganalyticsConfiguration.decrease_factor) ,@logstashLoganalyticsConfiguration.MIN_MESSAGE_AMOUNT].max
+            new_buffer_size = [(current_buffer_size - @logstashLoganalyticsConfiguration.decrease_factor) ,@logstashLoganalyticsConfiguration.MIN_MESSAGE_AMOUNT].max
+        end
+
+        change_buffer_size(new_buffer_size)
+    end # def change_message_limit_size
+
+    # Receiving new_size as the new max buffer size.
+    # Changing both the buffer, the configuration and logging as necessary
+    def change_buffer_size(new_size)
+        # Change buffer size only if it's needed(new size)
+        if @buffer_config[:max_items] != new_size
+            old_buffer_size = @buffer_config[:max_items]
+            @buffer_config[:max_items] = new_size
+            @logger.trace("Changing buffer size.[configuration='#{old_buffer_size}' , new_size='#{new_size}']")
+        else
+            @logger.trace("Buffer size wasn't changed.[configuration='#{old_buffer_size}' , new_size='#{new_size}']")
+        end
+    end # def change_buffer_size
+
+end # LogStashAutoResizeBuffer
+end ;end ;end 

data/lib/logstash/sentinel/logStashCompressedStream.rb

@@ -0,0 +1,144 @@
+# encoding: utf-8
+
+require "logstash/sentinel/logstashLoganalyticsConfiguration"
+require "logstash/sentinel/customSizeBasedBuffer"
+require "logstash/sentinel/logStashEventsBatcher"
+require 'zlib'
+
+module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
+    class LogStashCompressedStream < LogStashEventsBatcher
+        include CustomSizeBasedBuffer
+        #This is a basic memory based buffer with size and time bounds
+        #Events are compressed when entering the buffer.
+        def initialize(logstashLoganalyticsConfiguration)
+            @compression_buffer = StringIO.new
+            @deflater = Zlib::Deflate.new
+            
+            @compression_stream_state = {
+                :events_in_compression_buffer => 0,
+                :original_events_size => 0,
+                :last_flush => Time.now.to_i,
+                # guarding the flush
+                :flush_mutex => Mutex.new,
+                # guarding the stream
+                :insert_mutex => Mutex.new               
+            }
+
+            buffer_initialize(
+                :max_items => logstashLoganalyticsConfiguration.max_items,
+                :max_interval => logstashLoganalyticsConfiguration.plugin_flush_interval,
+                :logger => logstashLoganalyticsConfiguration.logger,
+                :flush_each => logstashLoganalyticsConfiguration.MAX_SIZE_BYTES - 1000
+              )
+            super
+        end # initialize
+  
+        public
+        # Adding an event document into the buffer
+        def batch_event(event_document)        
+            buffer_receive(event_document)
+        end # def batch_event
+
+        def flush (documents, close=false)
+            @compression_stream_state[:insert_mutex].synchronize do
+                documents.each do |document|
+                    add_event_to_compression_buffer(document)
+                end
+            end
+        end
+
+        def close
+            buffer_flush(:final => true)
+            flush_compression_buffer(:final => true)
+        end
+
+        protected        
+        def get_time_since_last_flush
+          Time.now.to_i - @compression_stream_state[:last_flush]
+        end
+
+        # This override is to pickup on forced flushes, for example when timer is firing
+        def buffer_flush(options={})
+            super
+            if options[:force]
+                @compression_stream_state[:insert_mutex].synchronize do
+                    flush_compression_buffer(:force => true)
+                end
+            end
+        end
+
+        # Adding an event document into the compressed stream
+        private
+        def add_event_to_compression_buffer(event_document)
+            event_json = event_document.to_json
+               
+            # Ensure that adding the current event to the stream will not exceed the maximum size allowed. 
+            # If so, first flush and clear the current stream and then add the current record to the new stream instance.
+            if event_json.bytesize + @deflater.total_out > @buffer_config[:flush_each]
+                flush_compression_buffer
+            end
+
+            buffer_empty? ? write_string_to_compression_buffer("[") :
+                            write_string_to_compression_buffer(",")
+            
+            write_string_to_compression_buffer(event_json)
+            @compression_stream_state[:events_in_compression_buffer] += 1
+            @compression_stream_state[:original_events_size] += event_json.bytesize        
+        end
+        
+        def write_string_to_compression_buffer(string_to_compress)
+            @compression_buffer << @deflater.deflate(string_to_compress, Zlib::SYNC_FLUSH)
+        end
+
+        def buffer_empty?
+            @compression_stream_state[:events_in_compression_buffer] == 0
+        end
+
+        def flush_compression_buffer(options={})
+            # logstash service is shutting down, flush all pending logs
+            final = options[:final] 
+            # Force is passed when the timer fires - ensure the stream will flush every x seconds
+            force = options[:force]
+
+            # there might be more than one thread trying to flush concurrently 
+            if final
+                # final flush will wait for lock, so we are sure to flush out all buffered events
+                @compression_stream_state[:flush_mutex].lock
+            elsif ! @compression_stream_state[:flush_mutex].try_lock # failed to get lock, another flush already in progress
+                return 
+            end
+            
+            begin
+                time_since_last_flush = get_time_since_last_flush
+
+                if buffer_empty? || 
+                    (get_time_since_last_flush < @buffer_config[:max_interval] && force && (!final))
+                    @logger.trace("flushing aborted. buffer_empty? #{buffer_empty?} time_since_last_flush #{time_since_last_flush} force #{force} final #{final}")
+                    return
+                end
+
+                write_string_to_compression_buffer("]")
+                @compression_buffer.flush
+                outgoing_data = @compression_buffer.string
+                
+                number_outgoing_events = @compression_stream_state[:events_in_compression_buffer]
+                @logger.trace("about to send [#{@compression_stream_state[:events_in_compression_buffer]}] events. Compressed data byte size [#{outgoing_data.bytesize}] Original data byte size [#{@compression_stream_state[:original_events_size]}].")
+
+                reset_compression_stream
+                
+                send_message_to_loganalytics(outgoing_data, number_outgoing_events)
+            ensure
+                @compression_stream_state[:flush_mutex].unlock
+            end
+        end
+
+        def reset_compression_stream                            
+            @deflater.reset
+            @compression_buffer.reopen("")
+            @compression_stream_state[:events_in_compression_buffer] = 0
+            @compression_stream_state[:original_events_size] = 0
+            @compression_stream_state[:last_flush] = Time.now.to_i
+        end        
+
+    end
+end;end;end;

data/lib/logstash/sentinel/logStashEventsBatcher.rb

@@ -0,0 +1,116 @@
+# encoding: utf-8
+
+require "logstash/sentinel/logAnalyticsClient"
+require "logstash/sentinel/logstashLoganalyticsConfiguration"
+
+# LogStashAutoResizeBuffer class setting a resizable buffer which is flushed periodically
+# The buffer resize itself according to Azure Loganalytics  and configuration limitations
+module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
+class LogStashEventsBatcher
+    
+    def initialize(logstashLoganalyticsConfiguration)
+        @logstashLoganalyticsConfiguration = logstashLoganalyticsConfiguration
+        @logger = @logstashLoganalyticsConfiguration.logger
+        @client = LogAnalyticsClient::new(logstashLoganalyticsConfiguration)
+    end # initialize
+
+    public
+    def batch_event_document(event_document)
+        # todo: ensure the json serialization only occurs once. 
+        current_document_size = event_document.to_json.bytesize
+        if (current_document_size >= @logstashLoganalyticsConfiguration.MAX_SIZE_BYTES - 1000)
+            @logger.error("Received document above the max allowed size - dropping the document [document size: #{current_document_size}, max allowed size: #{@buffer_config[:flush_each]}")
+        else
+            batch_event(event_document)
+        end
+    end # def add_event_document
+
+    protected
+    def close
+        raise "Method close not implemented"
+    end
+
+    def batch_event(event_document)
+        raise "Method batch_event not implemented"
+    end
+   
+    def send_message_to_loganalytics(call_payload, amount_of_documents)
+
+        retransmission_timeout = Time.now.to_i + @logstashLoganalyticsConfiguration.retransmission_time
+        api_name = "Logs Ingestion API"
+        is_retry = false
+        force_retry = false
+
+        while Time.now.to_i < retransmission_timeout || force_retry
+            seconds_to_sleep = @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY
+            force_retry = false
+            # Retry logic:
+            # 400 bad request or general exceptions are dropped
+            # 429 (too many requests) are retried forever 
+            # All other http errors are retried for total every of @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY until @logstashLoganalyticsConfiguration.retransmission_time seconds passed
+            begin
+                @logger.debug(transmission_verb(is_retry) + " log batch (amount of documents: #{amount_of_documents}) to DCR stream #{@logstashLoganalyticsConfiguration.dcr_stream_name} to #{api_name}.")
+                response = @client.post_data(call_payload)
+                
+                if LogAnalyticsClient.is_successfully_posted(response)
+                    @logger.info("Successfully posted #{amount_of_documents} logs into log analytics DCR stream [#{@logstashLoganalyticsConfiguration.dcr_stream_name}].")
+                    return
+                else
+                    @logger.error("#{api_name} request failed. Error code: #{response.code} #{try_get_info_from_error_response(response)}")
+                    @logger.trace("Rest client response ['#{response}']")
+                end
+
+            rescue RestClient::ExceptionWithResponse => ewr
+                response = ewr.response
+                @logger.error("Exception when posting data to #{api_name}. [Exception: '#{ewr}'] #{try_get_info_from_error_response(ewr.response)} [amount of documents=#{amount_of_documents}]'")
+                @logger.trace("Exception in posting data to #{api_name}. Rest client response ['#{ewr.response}']. [amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
+
+                if ewr.http_code.to_f == 400
+                    @logger.info("Not trying to resend since exception http code is #{ewr.http_code}")
+                    return                
+                elsif ewr.http_code.to_f == 429
+                    # thrutteling detected, backoff before resending
+                    parsed_retry_after = response.headers.include?(:retry_after) ? response.headers[:retry_after].to_i : 0
+                    seconds_to_sleep = parsed_retry_after > 0 ? parsed_retry_after : 30
+
+                    #force another retry even if the next iteration of the loop will be after the retransmission_timeout
+                    force_retry = true
+                end
+            rescue Exception => ex
+                @logger.error("Exception in posting data to #{api_name}. [Exception: '#{ex}, amount of documents=#{amount_of_documents}]'")
+                @logger.trace("Exception in posting data to #{api_name}.[amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")       
+            end
+            is_retry = true
+            @logger.info("Retrying transmission to #{api_name} in #{seconds_to_sleep} seconds.")
+
+            sleep seconds_to_sleep
+        end
+
+        @logger.error("Could not resend #{amount_of_documents} documents, message is dropped after retransmission_time exceeded.")
+        @logger.trace("Documents (#{amount_of_documents}) dropped. [call_payload=#{call_payload}]")
+    end # end send_message_to_loganalytics
+    
+    private
+    def transmission_verb(is_retry)
+        if is_retry
+            "Resending"
+        else
+            "Posting"
+        end
+    end
+
+    # Try to get the values of the x-ms-error-code and x-ms-request-id headers and content of body, decorate it for printing
+    def try_get_info_from_error_response(response)
+        output = ""
+        if response.headers.include?(:x_ms_error_code)
+            output += " [ms-error-code header: #{response.headers[:x_ms_error_code]}]"
+        end
+        if response.headers.include?(:x_ms_request_id)
+            output += " [x-ms-request-id header: #{response.headers[:x_ms_request_id]}]"
+        end
+        output += " [Response body: #{response.body}]" 
+        return output
+    end
+
+end
+end;end;end;