Logstash sentinel output plugin proxy error, deprecated excon option #11518

Closed
PaulGrt opened this issue Dec 3, 2024 · 1 comment

PaulGrt commented Dec 3, 2024

Issue with Proxy Option in Microsoft Sentinel Log Analytics Logstash Output Plugin

Description

When using the proxy option in the microsoft-sentinel-log-analytics-logstash-output-plugin, I am encountering the following error:

Dec 02 18:51:36 hostname logstash[2396]: [2024-12-02T18:51:36,310][ERROR][logstash.outputs.microsoftsentineloutput][g2s-sentinel-output[9a3ac9c55d9897e27bf590bfe56dce53 22828f8900b3dea710818f7b7d8676ac] Error while authenticating with AAD ('https://login.microsoftonline.com'), retrying in 10 seconds.

Upon inspecting the request sent to the proxy, it seems that the request is missing the port. Below is the request extracted from the pcap:

CONNECT login.microsoftonline.com HTTP/1.1   
Host: login.microsoftonline.com   
Proxy-Connection: Keep-Alive

It should be:

CONNECT login.microsoftonline.com***:443*** HTTP/1.1   
Host: login.microsoftonline.com   
Proxy-Connection: Keep-Alive

We have tested the same proxy configuration in other setups using the default logstash/jvm.options, and did not encounter any issues.

Fix / workaround

The issue seems to come from the date I installed the plugin: between the release of the Sentinel output and my installation, excon updated the "omit_default_port" option (excon/excon@a4b5b44).

The workaround I used is adding ":include_default_port => true" as follows:

File sentinel_la/logAnalyticsAadTokenProvider.rb, line 67

response = Excon.post(@token_request_uri, :include_default_port => true, :body => @token_request_body, :headers => headers, :proxy => @logstashLoganalyticsConfiguration.proxy_aad, expects: [200, 201]) 

Can you please take a look? Maybe fix the requirement and modify the Excon version needed (not 0.8+ but a known working version) or update with the provided fix.

Steps to Reproduce

  1. Install the plugin version 1.1.3 with excon
  2. Configure the proxy option.
  3. Start Logstash.
  4. Observe the error message in the logs.

Expected Behavior

The proxy request should include all the necessary information for a successful connection to login.microsoftonline.com.

Actual Behavior

The request sent to the proxy appears to be missing required headers or information, resulting in a TCP RST.

Additional Information

  • Plugin version: microsoft-sentinel-log-analytics-logstash-output-plugin:1.1.3 (installed on 25/11/2024).
  • Logstash version: 8.16
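
A diagnostic for the symptom described in this issue, as an added example that is not part of the original issue or the plugin's code: it checks CONNECT request lines from a proxy-side capture for the mandatory port (CONNECT's request-target is authority-form, host ":" port, per RFC 9112) and builds a target that always spells the port out. The function names and the sample capture are constructed for illustration; the capture reuses the two request lines quoted above.

```ruby
require 'uri'

# Host part of an authority: reg-name/IPv4, or a bracketed IPv6 literal.
HOST = '(?:\[[0-9A-Fa-f:.]+\]|[^\s:/\[\]]+)'
HOST_ONLY = /\A#{HOST}\z/                  # host with no ":port" at all
AUTHORITY_FORM = /\A#{HOST}:(\d{1,5})\z/   # host ":" port, port required

# Build the CONNECT target for a URL, always including the port.
# URI#port returns the scheme default (443 for https) when none is written.
def connect_target(url)
  uri = URI.parse(url)
  raise ArgumentError, "no host in #{url.inspect}" if uri.host.nil?
  "#{uri.host}:#{uri.port}"
end

# Classify one request line from a proxy-side capture.
# Returns :ok, :missing_port, :bad_port, :malformed or :not_connect.
def check_connect_line(line)
  verb, target, version = line.strip.split(/\s+/, 3)
  return :not_connect unless verb == 'CONNECT'
  return :malformed unless target && version.to_s.match?(%r{\AHTTP/\d\.\d\z})
  if (m = AUTHORITY_FORM.match(target))
    (1..65_535).cover?(m[1].to_i) ? :ok : :bad_port
  else
    HOST_ONLY.match?(target) ? :missing_port : :malformed
  end
end

# Scan captured text; report [line number, status, line] for every
# CONNECT request line that is not well-formed.
def audit_capture(text)
  text.each_line.with_index(1).filter_map do |line, no|
    status = check_connect_line(line)
    [no, status, line.strip] unless %i[ok not_connect].include?(status)
  end
end

# Constructed sample: the failing and the expected request from the issue.
SAMPLE_CAPTURE = <<~CAP
  CONNECT login.microsoftonline.com HTTP/1.1
  Host: login.microsoftonline.com
  Proxy-Connection: Keep-Alive
  CONNECT login.microsoftonline.com:443 HTTP/1.1
  Host: login.microsoftonline.com
CAP

audit_capture(SAMPLE_CAPTURE).each { |no, status, l| puts "line #{no}: #{status}: #{l}" }
puts "expected target: #{connect_target('https://login.microsoftonline.com')}"
```
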

@v-visodadasi (Contributor)

Hi @PaulGrt, we have raised a PR. As your issue has been resolved, we are closing this issue from GitHub.
Thank you for your co-operation.
