// Logstash configuration file to ingest files from AWS S3 buckets
// Last Updated Date: Aug 14, 2020
//
// Usage Instructions:
// Azure Log Analytics output plugin for Logstash:  
// https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/microsoft-logstash-output-azure-loganalytics
//
// Follow the wiki article for installation of logstash and plugin usage Instructions.
// https://github.com/Azure/Azure-Sentinel/wiki/Ingest-Custom-Logs-LogStash
//
// Parser Notes:
// Make sure the log type name is specified as alpha characters (letters only), no digits or special characters allowed.
//
input{
s3 {
    access_key_id => "<AWS_ACCESS_KEY_ID>"
    secret_access_key => "<AWS_SECRET_ACCESS_KEY>"
    bucket => "<AWS_S3_BUCKET_NAME>"
    codec => "json"
}
}
filter {
    split {
        field => "Records"
    }
}
output {
    microsoft-logstash-output-azure-loganalytics {
        workspace_id => "<WORKSTATION_ID>"
        workspace_key => "SHARED_KEY"
        custom_log_table_name => "<LOGTYPENAME>"
        plugin_flush_interval => 5
    }
    # for debug
    stdout { codec => rubydebug }
}