What Changed

Microsoft Sentinel Logstash output plugin v1.2.1 introduces a configurable retransmission_delay parameter, replacing the previously hardcoded 2-second delay between retry attempts during failed log transmissions.

Data Fidelity Impact

The hardcoded 2-second retry delay could exacerbate HTTP 429 throttling scenarios in high-volume environments. When Log Analytics rate limiting occurred, the fixed short delay caused rapid retry attempts that could:

  • Intensify throttling conditions by generating additional API requests
  • Lead to data loss if retransmission_time (default 10 seconds) expired before throttling subsided
  • Create cascading delays across multiple Logstash pipelines sharing the same workspace

The new configurable delay (retransmission_delay parameter, default 2 seconds) allows administrators to increase the retry interval during throttling periods, reducing API request rate and improving data delivery success.

Configuration Impact

Existing configurations continue working unchanged with the 2-second default. For high-volume deployments experiencing frequent HTTP 429 responses, increasing retransmission_delay to 5-10 seconds can significantly improve data ingestion reliability.

Security Operations Impact

This addresses a data availability gap where critical security logs could be lost during workspace throttling events. Organizations with high log volumes or multiple Logstash instances feeding the same workspace should evaluate their retransmission_delay settings to ensure continuous security telemetry during peak ingestion periods.

Affected Files

DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/CHANGELOG.md
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logstashLoganalyticsConfiguration.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/version.rb