Azure Log Analytics DCR support
Azure Log Analytics is releasing some new features (currently in preview) around allowing 3rd party logging tools to send in data to the Microsoft controlled tables. However, it looks like this will require support for handling new endpoints for submission.
See:
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-transformations
This should allow FluentBit to send data to a DCR endpoint and have its data be translated into one of the Syslog, WindowsEvents, SecurityEvents, or CommonSecurityLog tables. This would be epic and make it a much more straightforward way to get data into those tables and allow, for example, Sentinel consumption without having to deal with the MS omsagent.
It looks like the Header and Body of the request are the same format as traditional LA endpoints.
Ah this is nice, perhaps we could add a new endpoint configuration option in Azure plugin
Do we have any updates on this please?
@iamvighnesh would you be able to help contribute this feature/functionality?
@agup006 Wish I could but I am afraid I can't help with my very limited experience with C lang.
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.
This issue was closed because it has been stalled for 5 days with no activity.
Any update on this?
@agup006 Was this ever implemented? Would be nice to have.
I've re-opened and removed stale - Looks like some Microsoft might be able to help us get this implemented!
Adding @pragmatical who is going to be looking at this in upcoming releases
Hey @agup006 I'm currently looking into it. My plan is basically to replicate the Azure LA plugin with added functionality. And for now I'm just looking into Shared Key based Auth.
Hey y'all
Created azure_logs_ingestion plugin.
See https://github.com/kforeverisback/fluent-bit/tree/feature/logs_ingestion
Feel free to try it out!
Here is a sample conf with azure_logs_ingestion plugin:

```
[INPUT]
    Name    tail
    Path    /path/to/sample_access.log
    Tag     sample
    Key     RawData

[FILTER]
    Name    modify
    Match   sample
    Add     Application FBLogGen

[OUTPUT]
    Name    stdout
    Match   sample

[OUTPUT]
    Name            azure_logs_ingestion
    Match           sample
    client_id       00000000-0000-0000-0000-000000000000
    tenant_id       00000000-0000-0000-0000-000000000000
    client_secret   abcdabcdacbdcbadcbadcdicasiunclaisnclsdc
    dce_url         https://dce-abcd.westus3-1.ingest.monitor.azure.com
    dcr_id          dcr-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    # _CL must be appended to the table name
    table_name      ladcr_CL
    time_generated  true
    time_key        Time
    Compress        true
```
For testing I've followed this tutorial and this Logs Ingestion REST API reference to create DCE, DCR and sample data (with and without GZip compression and Time key).
I have tested it with fluentbit without any crash/mem-leak.
I'll do a long-term test, if successful I'll probably do a PR as well!
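The request that the sample configuration above maps to, as an added example that is not part of the thread and not the plugin's own code: it checks the output-section values and builds the Logs Ingestion URL, headers and (optionally gzip-compressed) JSON body offline, without sending anything. The URL layout, the `Custom-` stream prefix, the `2023-01-01` API version, the GUID and `dcr-` checks and the function names `validate` and `build_request` are assumptions based on the public Logs Ingestion API; the token and the records are constructed placeholders.

```python
import gzip
import json
import re

API_VERSION = "2023-01-01"  # assumption: a released Logs Ingestion API version
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Values copied from the [OUTPUT] section of the sample conf (placeholders).
CFG = {
    "client_id": "00000000-0000-0000-0000-000000000000",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "dce_url": "https://dce-abcd.westus3-1.ingest.monitor.azure.com",
    "dcr_id": "dcr-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "table_name": "ladcr_CL",
}

def validate(cfg):
    """Return a list of configuration problems (empty when the section looks sane)."""
    problems = []
    for key in ("client_id", "tenant_id"):
        if not GUID.match(cfg.get(key, "")):
            problems.append(f"{key} is not a GUID")
    if not cfg.get("dce_url", "").startswith("https://"):
        problems.append("dce_url must be an https:// endpoint")
    if not cfg.get("dcr_id", "").startswith("dcr-"):
        problems.append("dcr_id should be the DCR immutable id (dcr-...)")
    if not cfg.get("table_name", "").endswith("_CL"):
        problems.append("table_name must end with _CL")
    return problems

def build_request(cfg, records, token, compress=True):
    """Build (url, headers, body) for one batch of records; nothing is sent."""
    url = (f"{cfg['dce_url'].rstrip('/')}/dataCollectionRules/{cfg['dcr_id']}"
           f"/streams/Custom-{cfg['table_name']}?api-version={API_VERSION}")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = json.dumps(records).encode("utf-8")  # the API takes a JSON array
    if compress:  # corresponds to "Compress true" in the conf
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    return url, headers, body

# Constructed records shaped like the tail + modify pipeline output.
SAMPLE = [{"Time": "2023-04-01T12:00:00Z", "RawData": "GET /index.html 200",
           "Application": "FBLogGen"}]

if __name__ == "__main__":
    print(validate(CFG))
    print(build_request(CFG, SAMPLE, token="PLACEHOLDER_TOKEN")[0])
```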
Really cool @kforeverisback !! Let’s try to get it in for 2.1 in time for KubeCon EU
@agup006 Do we have a timeline/deadline for the 2.1 release? or KubeCon EU?
Just created a PR for the DCR output plugin. https://github.com/fluent/fluent-bit/pull/7155
Sweet. Thank you.