Hello ELKs,
Hope you doing well!!
has anyone tried IF ELSE condition in "microsoft-sentinel-logstash-output-plugin" output logstash plugin?
I'm trying to forward the logs based on log source type to respective DCR endpoint.
Any leads or reference will be appreciated !
thank You!!
There is an example of a conditional around (not in) an output here.
Hello @magnusbaeck,
Thank you for your response.
Here is my config:
output {
if [message] =~ "MSWinEventLog" {
microsoft-sentinel-logstash-output-plugin {
client_app_Id => "abc"
client_app_secret => "xyz"
tenant_id => "qaz"
data_collection_endpoint => "rty"
dcr_immutable_id => "nmo"
dcr_stream_name => "Custom-SecurityEventStream"
}
}
else if [message] =~ "junos@" {
microsoft-sentinel-logstash-output-plugin {
client_app_Id => "abc"
client_app_secret => "xyz"
tenant_id => "qaz"
data_collection_endpoint => "rty"
dcr_immutable_id => "nm"
dcr_stream_name => "Custom-CommonSecurityLogStream"
}
}
else {
microsoft-sentinel-logstash-output-plugin {
client_app_Id => "abc"
client_app_secret => "xyz"
tenant_id => "qaz"
data_collection_endpoint => "rty"
dcr_immutable_id => "nmo"
dcr_stream_name => "Custom-SyslogStream"
}
}
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.