Logstash plugin is installed and not listed and found by logstash

Elastic Stack Logstash
1

Hi Team,

Microsoft-sentinel-logstash-output-plugin is installed on logstash (7.15.1) server Linux but is not listed and found by logstash : /usr/share/logstash/bin #./logstash-plugin list

Plugin successfully installed with CLI ruby gem :

/usr/share/logstash/bin #./ruby -S gem install microsoft-sentinel-logstash-output-plugin

....
....
...
Desired survivor size 8716288 bytes, new threshold 6 (max 6)

  • age 1: 4904448 bytes, 4904448 total
  • age 2: 1090536 bytes, 5994984 total
  • age 3: 1012680 bytes, 7007664 total
  • age 4: 417256 bytes, 7424920 total
  • age 5: 1243296 bytes, 8668216 total

Desired survivor size 8716288 bytes, new threshold 4 (max 6)

  • age 1: 5538184 bytes, 5538184 total
  • age 2: 1405952 bytes, 6944136 total
  • age 3: 1089512 bytes, 8033648 total
  • age 4: 1012560 bytes, 9046208 total
  • age 5: 416928 bytes, 9463136 total
  • age 6: 1213536 bytes, 10676672 total

Desired survivor size 8716288 bytes, new threshold 6 (max 6)

  • age 1: 5039672 bytes, 5039672 total
  • age 2: 1138760 bytes, 6178432 total
  • age 3: 1404496 bytes, 7582928 total
  • age 4: 1089512 bytes, 8672440 total
    Successfully installed microsoft-sentinel-logstash-output-plugin-1.0.0
    1 gem installed

error identify on log server logstash :

message=>"Unable to configure plugins: (PluginLoadingError) Couldn't find any output plugin named 'microsoft-sentinel-logstash-output-plugin'.
Are you sure this is correct? Trying to load the microsoft-sentinel-logstash-output-plugin output plugin resulted in this error: Unable to load the requested plugin named microsoft-sentinel-logstash-output-plugin of type output.
The plugin is not installed.",

Thanks for your help

2

That is not the right way to do the install. Microsoft documents how to do it.

3

Hi Badger,

Thanks for your reply.

This is way to install plugin sentinel from our Artifactor (depotspaquets ) and not from internet.

Our Artifactor contain all paquets , plugin and binaires necessary to be used for dev and deploy...

Access to internet to download and install plugin not secured and not authorized from our network

SAMY

4

Again, that is not the right way to do the install. The Microsoft documentation links to pages that explain how to build a package for an offline install.

5

Hi Badger,

Thanks,
Now i get this issue in log logstash after add config Output plugin sentinel :

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError",
:message=>"Expected one of [A-Za-z0-9_-], [ \t\r\n], "#", "{" at line 226, column 48 (byte 6995) after output {\n if [client] {\n if [client] == "iis" {\n if [indexname] {\n microsoft-sentinel-logstash-output-plugin-1",
:backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:391:in block in converge_state'"]}

our config in logstash :

output {
if [client] {
if [client] == "iis" {
if [indexname] {
microsoft-sentinel-logstash-output-plugin-1.0.0
{
client_app_Id => "........"
client_app_secret => "......"
tenant_id => "....."
data_collection_endpoint => "......."
dcr_immutable_id => "......"
dcr_stream_name => "....."
}
}
}
if [client] == "winlog.mxl" {
............

thanks for Help
thanks for help

6

Remove the -1.0.0

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.