microsoft-sentinel-logstash-output 1.2.0

data/lib/logstash/sentinel_la/customSizeBasedBuffer.rb

@@ -0,0 +1,293 @@
+  # This code is from a PR for the official repo of ruby-stud
+  # with a small change to calculating the event size in the var_size function
+  # https://github.com/jordansissel/ruby-stud/pull/19
+  #
+  # @author {Alex Dean}[http://github.com/alexdean]
+  #
+  # Implements a generic framework for accepting events which are later flushed
+  # in batches. Flushing occurs whenever +:max_items+ or +:max_interval+ (seconds)
+  # has been reached or if the event size outgrows +:flush_each+ (bytes)
+  #
+  # Including class must implement +flush+, which will be called with all
+  # accumulated items either when the output buffer fills (+:max_items+ or
+  # +:flush_each+) or when a fixed amount of time (+:max_interval+) passes.
+  #
+  # == batch_receive and flush
+  # General receive/flush can be implemented in one of two ways.
+  #
+  # === batch_receive(event) / flush(events)
+  # +flush+ will receive an array of events which were passed to +buffer_receive+.
+  #
+  #   batch_receive('one')
+  #   batch_receive('two')
+  #
+  # will cause a flush invocation like
+  #
+  #   flush(['one', 'two'])
+  #
+  # === batch_receive(event, group) / flush(events, group)
+  # flush() will receive an array of events, plus a grouping key.
+  #
+  #   batch_receive('one',   :server => 'a')
+  #   batch_receive('two',   :server => 'b')
+  #   batch_receive('three', :server => 'a')
+  #   batch_receive('four',  :server => 'b')
+  #
+  # will result in the following flush calls
+  #
+  #   flush(['one', 'three'], {:server => 'a'})
+  #   flush(['two', 'four'],  {:server => 'b'})
+  #
+  # Grouping keys can be anything which are valid Hash keys. (They don't have to
+  # be hashes themselves.) Strings or Fixnums work fine. Use anything which you'd
+  # like to receive in your +flush+ method to help enable different handling for
+  # various groups of events.
+  #
+  # == on_flush_error
+  # Including class may implement +on_flush_error+, which will be called with an
+  # Exception instance whenever buffer_flush encounters an error.
+  #
+  # * +buffer_flush+ will automatically re-try failed flushes, so +on_flush_error+
+  #   should not try to implement retry behavior.
+  # * Exceptions occurring within +on_flush_error+ are not handled by
+  #   +buffer_flush+.
+  #
+  # == on_full_buffer_receive
+  # Including class may implement +on_full_buffer_receive+, which will be called
+  # whenever +buffer_receive+ is called while the buffer is full.
+  #
+  # +on_full_buffer_receive+ will receive a Hash like <code>{:pending => 30,
+  # :outgoing => 20}</code> which describes the internal state of the module at
+  # the moment.
+  #
+  # == final flush
+  # Including class should call <code>buffer_flush(:final => true)</code>
+  # during a teardown/shutdown routine (after the last call to buffer_receive)
+  # to ensure that all accumulated messages are flushed.
+  module LogStash; module Outputs; class MicrosoftSentinelOutputInternal 
+  module CustomSizeBasedBuffer
+
+    public
+    # Initialize the buffer.
+    #
+    # Call directly from your constructor if you wish to set some non-default
+    # options. Otherwise buffer_initialize will be called automatically during the
+    # first buffer_receive call.
+    #
+    # Options:
+    # * :max_items, Max number of items to buffer before flushing. Default 50.
+    # * :flush_each, Flush each bytes of buffer. Default 0 (no flushing fired by
+    #                a buffer size).
+    # * :max_interval, Max number of seconds to wait between flushes. Default 5.
+    # * :logger, A logger to write log messages to. No default. Optional.
+    #
+    # @param [Hash] options
+    def buffer_initialize(options={})
+      if ! self.class.method_defined?(:flush)
+        raise ArgumentError, "Any class including Stud::Buffer must define a flush() method."
+      end
+
+      @buffer_config = {
+        :max_items => options[:max_items] || 50,
+        :flush_each => options[:flush_each].to_i || 0,
+        :max_interval => options[:max_interval] || 5,
+        :logger => options[:logger] || nil,
+        :has_on_flush_error => self.class.method_defined?(:on_flush_error),
+        :has_on_full_buffer_receive => self.class.method_defined?(:on_full_buffer_receive)
+      }
+      @buffer_state = {
+        # items accepted from including class
+        :pending_items => {},
+        :pending_count => 0,
+        :pending_size => 0,
+
+        # guard access to pending_items & pending_count & pending_size
+        :pending_mutex => Mutex.new,
+
+        # items which are currently being flushed
+        :outgoing_items => {},
+        :outgoing_count => 0,
+        :outgoing_size => 0,
+
+        # ensure only 1 flush is operating at once
+        :flush_mutex => Mutex.new,
+
+        # data for timed flushes
+        :last_flush => Time.now.to_i,
+        :timer => Thread.new do
+          loop do
+            sleep(@buffer_config[:max_interval])
+            buffer_flush(:force => true)
+          end
+        end
+      }
+
+      # events we've accumulated
+      buffer_clear_pending
+    end
+
+    # Determine if +:max_items+ or +:flush_each+ has been reached.
+    #
+    # buffer_receive calls will block while <code>buffer_full? == true</code>.
+    #
+    # @return [bool] Is the buffer full?
+    def buffer_full?
+      (@buffer_state[:pending_count] + @buffer_state[:outgoing_count] >= @buffer_config[:max_items]) || \
+      (@buffer_config[:flush_each] != 0 && @buffer_state[:pending_size] + @buffer_state[:outgoing_size] >= @buffer_config[:flush_each])
+    end
+
+    # Save an event for later delivery
+    #
+    # Events are grouped by the (optional) group parameter you provide.
+    # Groups of events, plus the group name, are later passed to +flush+.
+    #
+    # This call will block if +:max_items+ or +:flush_each+ has been reached.
+    #
+    # @see Stud::Buffer The overview has more information on grouping and flushing.
+    #
+    # @param event An item to buffer for flushing later.
+    # @param group Optional grouping key. All events with the same key will be
+    #              passed to +flush+ together, along with the grouping key itself.
+    def buffer_receive(event, group=nil)
+      buffer_initialize if ! @buffer_state
+
+      # block if we've accumulated too many events
+      while buffer_full? do
+        on_full_buffer_receive(
+          :pending => @buffer_state[:pending_count],
+          :outgoing => @buffer_state[:outgoing_count]
+        ) if @buffer_config[:has_on_full_buffer_receive]
+        sleep 0.1
+      end
+      @buffer_state[:pending_mutex].synchronize do
+        @buffer_state[:pending_items][group] << event
+        @buffer_state[:pending_count] += 1
+        @buffer_state[:pending_size] += var_size(event) if @buffer_config[:flush_each] != 0
+      end
+
+      buffer_flush
+    end
+
+    # Try to flush events.
+    #
+    # Returns immediately if flushing is not necessary/possible at the moment:
+    # * :max_items or :flush_each have not been accumulated
+    # * :max_interval seconds have not elapased since the last flush
+    # * another flush is in progress
+    #
+    # <code>buffer_flush(:force => true)</code> will cause a flush to occur even
+    # if +:max_items+ or +:flush_each+ or +:max_interval+ have not been reached. A forced flush
+    # will still return immediately (without flushing) if another flush is
+    # currently in progress.
+    #
+    # <code>buffer_flush(:final => true)</code> is identical to <code>buffer_flush(:force => true)</code>,
+    # except that if another flush is already in progress, <code>buffer_flush(:final => true)</code>
+    # will block/wait for the other flush to finish before proceeding.
+    #
+    # @param [Hash] options Optional. May be <code>{:force => true}</code> or <code>{:final => true}</code>.
+    # @return [Fixnum] The number of items successfully passed to +flush+.
+    def buffer_flush(options={})
+      force = options[:force] || options[:final]
+      final = options[:final]
+
+      # final flush will wait for lock, so we are sure to flush out all buffered events
+      if options[:final]
+        @buffer_state[:flush_mutex].lock
+      elsif ! @buffer_state[:flush_mutex].try_lock # failed to get lock, another flush already in progress
+        return 0
+      end
+
+      items_flushed = 0
+
+      begin
+        return 0 if @buffer_state[:pending_count] == 0
+
+        # compute time_since_last_flush only when some item is pending
+        time_since_last_flush = get_time_since_last_flush
+
+        return 0 if (!force) &&
+           (@buffer_state[:pending_count] < @buffer_config[:max_items]) &&
+           (@buffer_config[:flush_each] == 0 || @buffer_state[:pending_size] < @buffer_config[:flush_each]) &&
+           (time_since_last_flush < @buffer_config[:max_interval])
+
+        @buffer_state[:pending_mutex].synchronize do
+          @buffer_state[:outgoing_items] = @buffer_state[:pending_items]
+          @buffer_state[:outgoing_count] = @buffer_state[:pending_count]
+          @buffer_state[:outgoing_size] = @buffer_state[:pending_size]
+          buffer_clear_pending
+        end
+        @buffer_config[:logger].debug("Flushing output",
+          :outgoing_count => @buffer_state[:outgoing_count],
+          :time_since_last_flush => time_since_last_flush,
+          :outgoing_events => @buffer_state[:outgoing_items],
+          :batch_timeout => @buffer_config[:max_interval],
+          :force => force,
+          :final => final
+        ) if @buffer_config[:logger]
+
+        @buffer_state[:outgoing_items].each do |group, events|
+          begin
+
+            if group.nil?
+              flush(events,final)
+            else
+              flush(events, group, final)
+            end
+
+            @buffer_state[:outgoing_items].delete(group)
+            events_size = events.size
+            @buffer_state[:outgoing_count] -= events_size
+            if @buffer_config[:flush_each] != 0
+              events_volume = 0
+              events.each do |event|
+                events_volume += var_size(event)
+              end
+              @buffer_state[:outgoing_size] -= events_volume
+            end
+            items_flushed += events_size
+
+          rescue => e
+            @buffer_config[:logger].warn("Failed to flush outgoing items",
+              :outgoing_count => @buffer_state[:outgoing_count],
+              :exception => e,
+              :backtrace => e.backtrace
+            ) if @buffer_config[:logger]
+
+            if @buffer_config[:has_on_flush_error]
+              on_flush_error e
+            end
+
+            sleep 1
+            retry
+          end
+          @buffer_state[:last_flush] = Time.now.to_i
+        end
+
+      ensure
+        @buffer_state[:flush_mutex].unlock
+      end
+
+      return items_flushed
+    end
+
+    private
+    def buffer_clear_pending
+      @buffer_state[:pending_items] = Hash.new { |h, k| h[k] = [] }
+      @buffer_state[:pending_count] = 0
+      @buffer_state[:pending_size] = 0
+    end
+
+    private
+    def var_size(var)
+        # Calculate event size as a json. 
+        # assuming event is a hash
+       return var.to_json.bytesize + 2
+    end
+
+    protected
+    def get_time_since_last_flush
+      Time.now.to_i - @buffer_state[:last_flush]
+    end    
+
+  end
+end ;end ;end 

data/lib/logstash/sentinel_la/eventsHandler.rb

@@ -0,0 +1,58 @@
+# encoding: utf-8
+require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
+
+module LogStash
+  module Outputs
+    class MicrosoftSentinelOutputInternal
+      class EventsHandler
+
+        def initialize(logstashLogAnalyticsConfiguration)
+          @logstashLogAnalyticsConfiguration = logstashLogAnalyticsConfiguration
+          @logger = logstashLogAnalyticsConfiguration.logger
+          @key_names = logstashLogAnalyticsConfiguration.key_names
+          @columns_to_modify = {"@timestamp" => "ls_timestamp", "@version" => "ls_version"}
+        end
+
+        def handle_events(events)
+          raise "Method handle_events not implemented"
+        end
+
+        def close
+          raise "Method close not implemented"
+        end
+
+        # In case that the user has defined key_names meaning that he would like to a subset of the data,
+        # we would like to insert only those keys.
+        # If no keys were defined we will send all the data
+        def create_event_document(event)
+          document = {}
+          event_hash = event.to_hash
+
+          @columns_to_modify.each {|original_key, new_key|
+            if event_hash.has_key?(original_key)
+              event_hash[new_key] = event_hash[original_key]
+              event_hash.delete(original_key)
+            end
+          }
+
+          if @key_names.length > 0
+            # Get the intersection of key_names and keys of event_hash
+            keys_intersection = @key_names & event_hash.keys
+            keys_intersection.each do |key|
+              document[key] = event_hash[key]
+            end
+            if document.keys.length < 1
+              @logger.warn("No keys found, message is dropped. Plugin keys: #{@key_names}, Event keys: #{event_hash}. The event message do not match event expected structre. Please edit key_names section in output plugin and try again.")
+            end
+          else
+            document = event_hash
+          end
+
+          return document
+        end
+        # def create_event_document
+
+      end
+    end
+  end
+end

data/lib/logstash/sentinel_la/logAnalyticsAadTokenProvider.rb

@@ -0,0 +1,92 @@
+# encoding: utf-8
+require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
+require 'rest-client'
+require 'json'
+require 'openssl'
+require 'base64'
+require 'time'
+
+module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
+class LogAnalyticsAadTokenProvider
+  def initialize (logstashLoganalyticsConfiguration)
+    scope = CGI.escape("#{logstashLoganalyticsConfiguration.get_monitor_endpoint}//.default")
+    @aad_uri = logstashLoganalyticsConfiguration.get_aad_endpoint
+    @token_request_body = sprintf("client_id=%s&scope=%s&client_secret=%s&grant_type=client_credentials", logstashLoganalyticsConfiguration.client_app_Id, scope, logstashLoganalyticsConfiguration.client_app_secret)
+    @token_request_uri = sprintf("%s/%s/oauth2/v2.0/token",@aad_uri, logstashLoganalyticsConfiguration.tenant_id)
+    @token_state = {
+      :access_token => nil,
+      :expiry_time => nil,
+      :token_details_mutex => Mutex.new,
+    }
+    @logger = logstashLoganalyticsConfiguration.logger
+    @logstashLoganalyticsConfiguration = logstashLoganalyticsConfiguration
+  end # def initialize
+
+  # Public methods
+  public
+
+  def get_aad_token_bearer()
+    @token_state[:token_details_mutex].synchronize do
+      if is_saved_token_need_refresh()
+        refresh_saved_token()
+      end
+      return @token_state[:access_token]
+    end
+  end # def get_aad_token_bearer
+
+  # Private  methods
+  private
+
+  def is_saved_token_need_refresh()
+    return @token_state[:access_token].nil? || @token_state[:expiry_time].nil? || @token_state[:expiry_time] <= Time.now
+  end # def is_saved_token_need_refresh
+
+  def refresh_saved_token()
+    @logger.info("Entra ID token expired - refreshing token.")
+
+    token_response = post_token_request()
+    @token_state[:access_token] = token_response["access_token"]
+    @token_state[:expiry_time] = get_token_expiry_time(token_response["expires_in"])
+
+  end # def refresh_saved_token
+
+  def get_token_expiry_time (expires_in_seconds)
+    if (expires_in_seconds.nil? || expires_in_seconds <= 0)
+      return Time.now + (60 * 60 * 24) # Refresh anyway in 24 hours
+    else
+      return Time.now + expires_in_seconds - 1; # Decrease by 1 second to be on the safe side
+    end
+  end # def get_token_expiry_time
+
+  # Post the given json to Azure Loganalytics
+  def post_token_request()
+    # Create REST request header
+    headers = get_header()
+    while true
+      begin
+        # Post REST request
+        response = RestClient::Request.execute(method: :post, url: @token_request_uri, payload: @token_request_body, headers: headers,
+                                              proxy: @logstashLoganalyticsConfiguration.proxy_aad)
+
+        if (response.code == 200 || response.code == 201)
+          return JSON.parse(response.body)
+        end
+      rescue RestClient::ExceptionWithResponse => ewr
+        @logger.error("Exception while authenticating with Microsoft Entra ID API ['#{ewr.response}']")
+      rescue Exception => ex
+        @logger.trace("Exception while authenticating with Microsoft Entra ID API ['#{ex}']")
+      end
+      @logger.error("Error while authenticating with Microsoft Entra ID ('#{@aad_uri}'), retrying in 10 seconds.")
+      sleep 10
+    end
+  end # def post_token_request
+
+  # Create a header
+  def get_header()
+    return {
+      'Content-Type' => 'application/x-www-form-urlencoded',
+    }
+  end # def get_header
+
+end # end of class
+end ;end ;end

data/lib/logstash/sentinel_la/logAnalyticsArcTokenProvider.rb

@@ -0,0 +1,137 @@
+# encoding: utf-8
+require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
+require 'rest-client'
+require 'json'
+require 'openssl'
+require 'base64'
+require 'time'
+
+module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
+class LogAnalyticsArcTokenProvider
+  def initialize (logstashLoganalyticsConfiguration)
+    scope = CGI.escape("#{logstashLoganalyticsConfiguration.get_monitor_endpoint}")
+    @token_request_uri = sprintf("http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=%s", scope)
+    # https://learn.microsoft.com/en-us/azure/azure-arc/servers/managed-identity-authentication
+    @token_state = {
+      :access_token => nil,
+      :expiry_time => nil,
+      :token_details_mutex => Mutex.new,
+    }
+    @logger = logstashLoganalyticsConfiguration.logger
+    @logstashLoganalyticsConfiguration = logstashLoganalyticsConfiguration
+  end # def initialize
+
+  # Public methods
+  public
+
+  # Find the path to the authentication token
+  def get_challange_token_path()
+    # Create REST request header
+    headers = get_header1()
+    begin
+      response = RestClient::Request.execute(
+        method: :get,
+        url: @token_request_uri,
+        headers: headers
+      )
+    rescue RestClient::ExceptionWithResponse => e
+      response = e.response
+    end
+
+    # Path to .KEY file is stripped from response
+    www_authenticate = response.headers[:www_authenticate]
+    path = www_authenticate.split(' ')[1].gsub('realm=', '')
+    return path
+  end # def get_challange_token_path
+
+  # With path to .KEY file we can retrieve Bearer token
+  def get_challange_token()
+    path = get_challange_token_path()
+    # Check if the file is readable
+    if ::File.readable?(path)
+      # Read the content of the key file
+      key_content = ::File.read(path)
+      return key_content
+    else
+      # User must be a member of the himds group to be able to retrieve contents of .KEY file
+      @logger.error("The file at #{path} is not readable by the current user. Please run the script as root.")
+    end
+  end # def get_challange_token
+
+  def get_aad_token_bearer()
+    @token_state[:token_details_mutex].synchronize do
+      if is_saved_token_need_refresh()
+        refresh_saved_token()
+      end
+      return @token_state[:access_token]
+    end
+  end # def get_aad_token_bearer
+
+  # Private  methods
+  private
+
+  def is_saved_token_need_refresh()
+    return @token_state[:access_token].nil? || @token_state[:expiry_time].nil? || @token_state[:expiry_time] <= Time.now
+  end # def is_saved_token_need_refresh
+
+  def refresh_saved_token()
+    @logger.info("Azure Arc Managed Identity token expired - refreshing token.")
+
+    token_response = post_token_request()
+    @token_state[:access_token] = token_response["access_token"]
+    @token_state[:expiry_time] = get_token_expiry_time(token_response["expires_in"].to_i)
+
+  end # def refresh_saved_token
+
+  def get_token_expiry_time (expires_in_seconds)
+    if (expires_in_seconds.nil? || expires_in_seconds <= 0)
+      return Time.now + (60 * 60 * 24) # Refresh anyway in 24 hours
+    else
+      return Time.now + expires_in_seconds - 1; # Decrease by 1 second to be on the safe side
+    end
+  end # def get_token_expiry_time
+
+  # Post the given json to Azure Loganalytics
+  def post_token_request()
+    # Create REST request header
+    headers = get_header()
+    while true
+      begin
+        # GET REST request
+        response = RestClient::Request.execute(
+          method: :get,
+          url: @token_request_uri,
+          headers: headers,
+          proxy: @logstashLoganalyticsConfiguration.proxy_aad
+        )
+
+        if (response.code == 200 || response.code == 201)
+          return JSON.parse(response.body)
+        end
+      rescue RestClient::ExceptionWithResponse => ewr
+        @logger.error("Exception while authenticating with Azure Arc Connected Machine API ['#{ewr.response}']")
+      rescue Exception => ex
+        @logger.trace("Exception while authenticating with Azure Arc Connected Machine API ['#{ex}']")
+      end
+      @logger.error("Error while authenticating with Azure Arc Connected Machine ('#{@token_request_uri}'), retrying in 10 seconds.")
+      sleep 10
+    end
+  end # def post_token_request
+
+  # Create a header
+  def get_header()
+    return {
+      'Metadata' => 'true',
+      'Authorization' => "Basic #{get_challange_token()}"
+    }
+  end # def get_header
+
+  # Create a header
+  def get_header1()
+    return {
+      'Metadata' => 'true',
+    }
+  end # def get_header1
+
+end # end of class
+end ;end ;end

data/lib/logstash/sentinel_la/logAnalyticsClient.rb

@@ -0,0 +1,101 @@
+# encoding: utf-8
+require "logstash/sentinel_la/version"
+require 'rest-client'
+require 'json'
+require 'openssl'
+require 'base64'
+require 'time'
+require 'rbconfig'
+
+module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
+class LogAnalyticsClient
+
+require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
+require "logstash/sentinel_la/logAnalyticsAadTokenProvider"
+require "logstash/sentinel_la/logAnalyticsMiTokenProvider"
+require "logstash/sentinel_la/logAnalyticsArcTokenProvider"
+
+  def azcmagent_running? # AZure Connected Machine AGENT is running outside of Azure and onboarded into Azure Arc
+    system('azcmagent > /dev/null', [:out, :err] => IO::NULL)
+  end # def azcmagent_running?
+
+  def initialize(logstashLoganalyticsConfiguration)
+    @logstashLoganalyticsConfiguration = logstashLoganalyticsConfiguration
+    @logger = @logstashLoganalyticsConfiguration.logger
+
+    la_api_version = "2023-01-01"
+    @uri = sprintf("%s/dataCollectionRules/%s/streams/%s?api-version=%s",@logstashLoganalyticsConfiguration.data_collection_endpoint, @logstashLoganalyticsConfiguration.dcr_immutable_id, logstashLoganalyticsConfiguration.dcr_stream_name, la_api_version)
+
+    if @logstashLoganalyticsConfiguration.managed_identity
+      if azcmagent_running?
+        @logger.info("Machine is Azure Arc-enabled server. Retrieving bearer token via azcmagent...")
+        @aadTokenProvider=LogAnalyticsArcTokenProvider::new(logstashLoganalyticsConfiguration)
+      else
+        @logger.info("Using Managed Identity configuration. Retrieving bearer token for Managed Identity...")
+        @aadTokenProvider=LogAnalyticsMiTokenProvider::new(logstashLoganalyticsConfiguration)
+      end
+    else
+      @aadTokenProvider=LogAnalyticsAadTokenProvider::new(logstashLoganalyticsConfiguration)
+    end
+
+    @userAgent = getUserAgent()
+  end # def initialize
+
+  # Post the given json to Azure Loganalytics
+  def post_data(body)
+    raise ConfigError, 'no json_records' if body.empty?
+
+    # Create REST request header
+    headers = get_header()
+
+    # Post REST request
+    return RestClient::Request.execute(method: :post, url: @uri, payload: body, headers: headers,
+                                        proxy: @logstashLoganalyticsConfiguration.proxy_endpoint, timeout: 240)
+  end # def post_data
+
+  # Static function to return if the response is OK or else
+  def self.is_successfully_posted(response)
+    return (response.code >= 200 && response.code < 300 ) ? true : false
+  end # def self.is_successfully_posted
+
+  private
+
+  # Create a header for the given length
+  def get_header()
+    # Getting an authorization token bearer (if the token is expired, the method will post a request to get a new authorization token)
+    token_bearer = @aadTokenProvider.get_aad_token_bearer()
+
+    headers = {
+          'Content-Type' => 'application/json',
+          'Authorization' => sprintf("Bearer %s", token_bearer),
+          'User-Agent' => @userAgent
+    }
+
+    if @logstashLoganalyticsConfiguration.compress_data
+        headers = headers.merge({
+          'Content-Encoding' => 'gzip'
+        })
+    end
+
+    return headers
+  end # def get_header
+
+  def ruby_agent_version()
+    case RUBY_ENGINE
+        when 'jruby'
+            "jruby/#{JRUBY_VERSION} (#{RUBY_VERSION}p#{RUBY_PATCHLEVEL})"
+        else
+            "#{RUBY_ENGINE}/#{RUBY_VERSION}p#{RUBY_PATCHLEVEL}"
+    end
+  end
+
+  def architecture()
+    "#{RbConfig::CONFIG['host_os']} #{RbConfig::CONFIG['host_cpu']}"
+  end
+
+  def getUserAgent()
+    "SentinelLogstashPlugin|#{LogStash::Outputs::MicrosoftSentinelOutputInternal::VERSION}|#{architecture}|#{ruby_agent_version}"
+  end #getUserAgent
+
+end # end of class
+end ;end ;end