articles/sentinel/connect-logstash-data-connection-rules.md
35 additions & 3 deletions
@@ -41,7 +41,7 @@ The Logstash engine is composed of three components:
41
41
- Output plugins: Customized sending of collected and processed data to various destinations.
42
42
43
43
> [!NOTE]
44
-
> - Microsoft supports only the Microsoft Sentinel-provided Logstash output plugin discussed here. The current plugin is named **[microsoft-sentinel-log-analytics-logstash-output-plugin](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin)**, v1.1.0. You can [open a support ticket](https://portal.azure.com/#create/Microsoft.Support) for any issues regarding the output plugin.
44
+
> - Microsoft supports only the Microsoft Sentinel-provided Logstash output plugin discussed here. The current plugin is named **[microsoft-sentinel-log-analytics-logstash-output-plugin](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin)**, v1.1.3. You can [open a support ticket](https://portal.azure.com/#create/Microsoft.Support) for any issues regarding the output plugin.
45
45
>
46
46
> - Microsoft does not support third-party Logstash output plugins for Microsoft Sentinel, or any other Logstash plugin or component of any type.
47
47
>
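Review bot: the hardcoded version string in this note (v1.1.0 becoming v1.1.3) is a second place that must be updated on every release, alongside the version list this same patch adds further down; consider replacing the literal version with a link to that Plugin-versions section so the two cannot drift apart.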
@@ -69,7 +69,7 @@ The Microsoft Sentinel output plugin for Logstash sends JSON-formatted data to y
69
69
- Install a supported version of Logstash. The plugin supports the following Logstash versions:
70
70
- 7.0 - 7.17.13
71
71
- 8.0 - 8.9
72
-
- 8.11 - 8.13
72
+
- 8.11 - 8.15
73
73
74
74
> [!NOTE]
75
75
> If you use Logstash 8, we recommended that you [disable ECS in the pipeline](https://www.elastic.co/guide/en/logstash/8.4/ecs-ls.html).
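Review bot: the new `- 8.11 - 8.15` range still leaves 8.10 unlisted between `- 8.0 - 8.9` and `- 8.11 - 8.15`; if 8.10 is deliberately unsupported, say so explicitly, otherwise merge the ranges. The unchanged note below links to the Logstash 8.4 guide (`.../logstash/8.4/ecs-ls.html`) while the supported range now reaches 8.15, so point it at the current version of that page. Also "we recommended that you" should read "we recommend that you".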
@@ -459,6 +459,38 @@ The following table lists the firewall requirements for scenarios where Azure vi
459
459
| Microsoft Azure operated by 21Vianet |https://login.chinacloudapi.cn|Authorization server (the Microsoft identity platform)|Port 443 |Outbound|Yes |
460
460
| Microsoft Azure operated by 21Vianet |Replace '.com' above with '.cn' | Data collection Endpoint|Port 443 |Outbound|Yes |
461
461
462
+
## Plugin-versions
463
+
#### 1.1.3
464
+
- Replaces the `rest-client` library used for connecting to Azure with the `excon` library.
465
+
466
+
#### 1.1.1
467
+
- Adds support for Azure US Government cloud and Microsoft Azure operated by 21Vianet in China.
468
+
469
+
#### 1.1.0
470
+
- Allows setting different proxy values for API connections.
471
+
- Upgrades version for logs ingestion API to 2023-01-01.
472
+
- Renames the plugin to microsoft-sentinel-log-analytics-logstash-output-plugin.
473
+
474
+
#### 1.0.0
475
+
- The initial release for the Logstash output plugin for Microsoft Sentinel. This plugin uses Data Collection Rules (DCRs) with Azure Monitor's Logs Ingestion API.
476
+
## Known issues
477
+
478
+
When using Logstash installed on a Docker image of Lite Ubuntu, the following warning may appear:
To resolve it, use the following commands to install the *netbase* package within your Dockerfile:
485
+
```bash
486
+
USER root
487
+
RUN apt install netbase -y
488
+
```
489
+
For more information, see [JNR regression in Logstash 7.17.0 (Docker)](https://github.com/elastic/logstash/issues/13703).
490
+
491
+
If your environment's event rate is low considering the number of allocated Logstash workers, we recommend increasing the value of *plugin_flush_interval* to 60 or more. This change will allow each worker to batch more events before uploading to the Data Collection Endpoint (DCE). You can monitor the ingestion payload using [DCR metrics](/azure/azure-monitor/essentials/data-collection-monitor#dcr-metrics).
492
+
For more information on *plugin_flush_interval*, see the [Optional Configuration table](#optional-configuration) mentioned earlier.
493
+
462
494
## Limitations
463
495
464
496
- Ingestion into standard tables is limited only to [standard tables supported for custom logs ingestion](data-transformation.md#data-transformation-support-for-custom-data-connectors).
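Review bot: the Dockerfile snippet switches to `USER root` and never switches back, so an image built from it runs Logstash as root; add a line restoring the base image's non-root user after the install. In a Dockerfile prefer `RUN apt-get update && apt-get install -y netbase` to `RUN apt install netbase -y`, since `apt` is intended for interactive use and the package index is not guaranteed to be present in the layer. The version list runs 1.1.3, 1.1.1, 1.1.0, 1.0.0 with no 1.1.2 entry; either add it or state that it was not published. The heading levels jump from `## Plugin-versions` to `#### 1.1.3`; use `###` for the version entries, and "Plugin-versions" reads better as "Plugin versions". Finally, the `plugin_flush_interval` guidance should state the trade-off: a larger interval batches more events per upload but also delays how quickly events reach Sentinel, which matters for detection latency.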
@@ -470,4 +502,4 @@ The following table lists the firewall requirements for scenarios where Azure vi
470
502
471
503
In this article, you learned how to use Logstash to connect external data sources to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles:
472
504
- Learn how to [get visibility into your data and potential threats](get-visibility.md).
473
-
- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).
505
+
- Get started [detecting threats with Microsoft Sentinel](threat-detection.md).
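Review bot: the link target changes from `detect-threats-built-in.md` to `threat-detection.md`; confirm a redirect entry exists for the old filename so bookmarks and other articles that still link to it do not break.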