articles/sentinel/connect-logstash.md
10 additions & 6 deletions
@@ -40,7 +40,9 @@ The Logstash engine is comprised of three components:
40
40
- Output plugins: Customized sending of collected and processed data to various destinations.
41
41
42
42
> [!NOTE]
43
-
> Azure Sentinel supports its own provided output plugin only. It does not support third-party output plugins for Azure Sentinel, or any other Logstash plugin of any type.
43
+
> - Azure Sentinel supports its own provided output plugin only. The current version of this plugin is v1.0.0, released 2020-08-25. It does not support third-party output plugins for Azure Sentinel, or any other Logstash plugin of any type.
44
+
>
45
+
> - Azure Sentinel's Logstash output plugin supports only **Logstash versions from 7.0 to 7.9**.
44
46
45
47
The Azure Sentinel output plugin for Logstash sends JSON-formatted data to your Log Analytics workspace, using the Log Analytics HTTP Data Collector REST API. The data is ingested into custom logs.
46
48
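Review bot: the new first bullet pins "v1.0.0, released 2020-08-25" into a NOTE that readers will hit long after that release; a hardcoded plugin version and date in prose goes stale the moment the next version ships and is unlikely to be updated here. Suggest dropping the version and date from the note (or replacing them with a link to the plugin's release listing) and keeping only the support statement. On the second bullet, "supports only **Logstash versions from 7.0 to 7.9**" should say whether 7.9.x patch releases are included and what a reader on a newer Logstash should expect (plugin refuses to load, or simply untested), since that is the first thing anyone on 7.10 will need to know.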
@@ -63,19 +65,21 @@ Use the information in the Logstash [Structure of a config file](https://www.ela
|`workspace_id`| string | Enter your workspace ID GUID. *|
67
-
|`workspace_key`| string | Enter your workspace primary key GUID. *|
68
+
|`workspace_id`| string | Enter your workspace ID GUID (see Tip).|
69
+
|`workspace_key`| string | Enter your workspace primary key GUID (see Tip).|
68
70
|`custom_log_table_name`| string | Set the name of the table into which the logs will be ingested. Only one table name per output plugin can be configured. The log table will appear in Azure Sentinel under **Logs**, in **Tables** in the **Custom Logs** category, with a `_CL` suffix. |
69
71
|`endpoint`| string | Optional field. By default, this is the Log Analytics endpoint. Use this field to set an alternative endpoint. |
70
72
|`time_generated_field`| string | Optional field. This property overrides the default **TimeGenerated** field in Log Analytics. Enter the name of the timestamp field in the data source. The data in the field must conform to the ISO 8601 format (`YYYY-MM-DDThh:mm:ssZ`) |
71
73
|`key_names`| array | Enter a list of Log Analytics output schema fields. Each list item should be enclosed in single quotes and the items separated by commas, and the entire list enclosed in square brackets. See example below. |
72
74
|`plugin_flush_interval`| number | Optional field. Set to define the maximum interval (in seconds) between message transmissions to Log Analytics. The default is 5. |
73
-
| `amount_resizing` | boolean | True or false. Enable or disable the automatic scaling mechanism, which adjusts the message buffer size according to the volume of log data received. |
75
+
|`amount_resizing`| boolean | True or false. Enable or disable the automatic scaling mechanism, which adjusts the message buffer size according to the volume of log data received. |
74
76
|`max_items`| number | Optional field. Applies only if `amount_resizing` set to "false." Use to set a cap on the message buffer size (in records). The default is 2000. |
75
77
|`azure_resource_id`| string | Optional field. Defines the ID of the Azure resource where the data resides. <br>The resource ID value is especially useful if you are using [resource-context RBAC](resource-context-rbac.md) to provide access to specific data only. |
76
78
||||
77
79
78
-
* You can find the workspace ID and primary key in the workspace resource, under **Agents management**.
80
+
> [!TIP]
81
+
> - You can find the workspace ID and primary key in the workspace resource, under **Agents management**.
82
+
> -**However**, because having credentials and other sensitive information stored in cleartext in configuration files is not in line with security best practices, you are strongly encouraged to make use of the **Logstash key store** in order to securely include your **workspace ID** and **workspace primary key** in the configuration. See [Elastic's documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/get-started-logstash-user.html) for instructions.
79
83
80
84
#### Sample configurations
81
85
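Review bot: `> -**However**` is missing the space after the list marker, so this line will not render as the second bullet of the TIP; it should read `> - **However**, because having credentials ...`. Two smaller points in the same hunk: both rewritten table rows still call the workspace primary key a "GUID" (`Enter your workspace primary key GUID (see Tip).`), but the Log Analytics workspace key is a base64-encoded shared secret and only the workspace ID is a GUID, so that cell should just say `Enter your workspace primary key (see Tip).`; and the keystore recommendation would be more actionable if the TIP showed how a stored value is referenced from the pipeline config (Logstash resolves `${WORKSPACE_KEY}` style references from the keystore) and linked to the Logstash guide's keystore page, since the current link points into the Elasticsearch reference rather than the Logstash documentation.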
@@ -171,5 +175,5 @@ If you are not seeing any data in this log file, generate and send some events l
171
175
## Next steps
172
176
173
177
In this document, you learned how to use Logstash to connect external data sources to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
174
-
- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
178
+
- Learn how to [get visibility into your data and potential threats](quickstart-get-visibility.md).
175
179
- Get started detecting threats with Azure Sentinel, using [built-in](tutorial-detect-threats-built-in.md) or [custom](tutorial-detect-threats-custom.md) rules.