Logstash plugin is installed and not listed and found by logstash

Hi Team,

microsoft-sentinel-logstash-output-plugin is installed on a Logstash (7.15.1) Linux server, but it is not listed or found by Logstash:

/usr/share/logstash/bin #./logstash-plugin list

The plugin was successfully installed with the Ruby gem CLI:

/usr/share/logstash/bin #./ruby -S gem install microsoft-sentinel-logstash-output-plugin

....
....
...
    Successfully installed microsoft-sentinel-logstash-output-plugin-1.0.0
    1 gem installed

Error identified in the Logstash server log:

message=>"Unable to configure plugins: (PluginLoadingError) Couldn't find any output plugin named 'microsoft-sentinel-logstash-output-plugin'.
Are you sure this is correct? Trying to load the microsoft-sentinel-logstash-output-plugin output plugin resulted in this error: Unable to load the requested plugin named microsoft-sentinel-logstash-output-plugin of type output.
The plugin is not installed.",

Thanks for your help

That is not the right way to do the install. Microsoft documents how to do it.

Hi Badger,

Thanks for your reply.

This is the way to install the Sentinel plugin from our Artifactory (package repository) and not from the internet.

Our Artifactory contains all the packages, plugins and binaries needed for development and deployment...

Access to the internet to download and install plugins is not secured and not authorized from our network.

SAMY

Again, that is not the right way to do the install. The Microsoft documentation links to pages that explain how to build a package for an offline install.

Hi Badger,

Thanks,
Now I get this issue in the Logstash log after adding the Sentinel output plugin config:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError",
:message=>"Expected one of [A-Za-z0-9_-], [ \t\r\n], "#", "{" at line 226, column 48 (byte 6995) after output {\n if [client] {\n if [client] == "iis" {\n if [indexname] {\n microsoft-sentinel-logstash-output-plugin-1",
:backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:391:in block in converge_state'"]}

Our config in Logstash:

output {
  if [client] {
    if [client] == "iis" {
      if [indexname] {
        microsoft-sentinel-logstash-output-plugin-1.0.0
        {
          client_app_Id => "........"
          client_app_secret => "......"
          tenant_id => "....."
          data_collection_endpoint => "......."
          dcr_immutable_id => "......"
          dcr_stream_name => "....."
        }
      }
    }
    if [client] == "winlog.mxl" {
    ............

Thanks for the help

Remove the -1.0.0
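
The fix in the last reply, as an added example that is not part of the original thread: a small Ruby check that scans a pipeline config for plugin block names carrying a gem version suffix, since the `.` in `-1.0.0` falls outside the `[A-Za-z0-9_-]` set the parser error lists. The function name `versioned_plugin_names` and the sample config are constructed for illustration.

```ruby
# Added example: flag Logstash plugin block names that end in a gem version.
# A name such as "foo-output-plugin-1.0.0" cannot parse because "." is not in
# the [A-Za-z0-9_-] character set quoted in the ConfigurationError above.

VERSION_SUFFIX = /\A(?<name>[A-Za-z][A-Za-z0-9_-]*?)-(?<version>\d+(?:\.\d+)+)\z/

# Returns one hash per offending name: { line:, found:, use: }.
def versioned_plugin_names(config_text)
  findings = []
  config_text.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/#.*\z/m, "").strip          # drop comments and padding
    next if line.empty? || line.include?("=>")  # setting lines are not plugin names
    token = line.sub(/\s*\{\z/, "")             # "{" may follow the name or sit on the next line
    m = VERSION_SUFFIX.match(token)
    findings << { line: lineno, found: token, use: m[:name] } if m
  end
  findings
end

# Constructed sample modelled on the config posted in this thread (values elided).
BROKEN = <<~CONF
  output {
    if [client] == "iis" {
      microsoft-sentinel-logstash-output-plugin-1.0.0
      {
        dcr_stream_name => "....."
      }
    }
  }
CONF

# The same config with the version suffix removed, as the reply advises.
FIXED = BROKEN.sub("-1.0.0", "")

versioned_plugin_names(BROKEN).each do |f|
  puts "line #{f[:line]}: '#{f[:found]}' should be '#{f[:use]}'"
end
puts "fixed config findings: #{versioned_plugin_names(FIXED).length}"
```

Logstash's own `--config.test_and_exit` flag performs the full syntax check; this script only pinpoints the versioned name before deployment.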
