- Logstash Reference: other versions:
- Logstash Introduction
- Getting Started with Logstash
- How Logstash Works
- Setting Up and Running Logstash
- Logstash Directory Layout
- Logstash Configuration Files
- logstash.yml
- Secrets keystore for secure settings
- Running Logstash from the Command Line
- Running Logstash as a Service on Debian or RPM
- Running Logstash on Docker
- Configuring Logstash for Docker
- Running Logstash on Windows
- Logging
- Shutting Down Logstash
- Setting Up X-Pack
- Upgrading Logstash
- Configuring Logstash
- Structure of a Config File
- Accessing Event Data and Fields in the Configuration
- Using Environment Variables in the Configuration
- Logstash Configuration Examples
- Multiple Pipelines
- Pipeline-to-Pipeline Communication (Beta)
- Reloading the Config File
- Managing Multiline Events
- Glob Pattern Support
- Converting Ingest Node Pipelines
- Logstash-to-Logstash Communication
- Centralized Pipeline Management
- X-Pack security
- X-Pack Settings
- Managing Logstash
- Working with Logstash Modules
- Working with Filebeat Modules
- Data Resiliency
- Transforming Data
- Deploying and Scaling Logstash
- Performance Tuning
- Monitoring Logstash with APIs
- Monitoring Logstash with X-Pack
- Working with plugins
- Input plugins
- azure_event_hubs
- beats
- cloudwatch
- couchdb_changes
- dead_letter_queue
- elasticsearch
- exec
- file
- ganglia
- gelf
- generator
- github
- google_cloud_storage
- google_pubsub
- graphite
- heartbeat
- http
- http_poller
- imap
- irc
- java_generator
- java_stdin
- jdbc
- jms
- jmx
- kafka
- kinesis
- log4j
- lumberjack
- meetup
- pipe
- puppet_facter
- rabbitmq
- redis
- relp
- rss
- s3
- salesforce
- snmp
- snmptrap
- sqlite
- sqs
- stdin
- stomp
- syslog
- tcp
- udp
- unix
- varnishlog
- websocket
- wmi
- xmpp
- Output plugins
- boundary
- circonus
- cloudwatch
- csv
- datadog
- datadog_metrics
- elastic_app_search
- elasticsearch
- exec
- file
- ganglia
- gelf
- google_bigquery
- google_cloud_storage
- google_pubsub
- graphite
- graphtastic
- http
- influxdb
- irc
- java_sink
- java_stdout
- juggernaut
- kafka
- librato
- loggly
- lumberjack
- metriccatcher
- mongodb
- nagios
- nagios_nsca
- opentsdb
- pagerduty
- pipe
- rabbitmq
- redis
- redmine
- riak
- riemann
- s3
- sns
- solr_http
- sqs
- statsd
- stdout
- stomp
- syslog
- tcp
- timber
- udp
- webhdfs
- websocket
- xmpp
- zabbix
- Filter plugins
- aggregate
- alter
- bytes
- cidr
- cipher
- clone
- csv
- date
- de_dot
- dissect
- dns
- drop
- elapsed
- elasticsearch
- environment
- extractnumbers
- fingerprint
- geoip
- grok
- http
- i18n
- java_uuid
- jdbc_static
- jdbc_streaming
- json
- json_encode
- kv
- memcached
- metricize
- metrics
- mutate
- prune
- range
- ruby
- sleep
- split
- syslog_pri
- threats_classifier
- throttle
- tld
- translate
- truncate
- urldecode
- useragent
- uuid
- xml
- Codec plugins
- Tips and Best Practices
- Troubleshooting Common Problems
- Contributing to Logstash
- How to write a Logstash input plugin
- How to write a Logstash codec plugin
- How to write a Logstash filter plugin
- How to write a Logstash output plugin
- Documenting your plugin
- Contributing a Patch to a Logstash Plugin
- Logstash Plugins Community Maintainer Guide
- Submitting your plugin to RubyGems.org and the logstash-plugins repository
- Contributing a Java Plugin
- Glossary of Terms
- Breaking Changes
- Release Notes
- Logstash 7.3.2 Release Notes
- Logstash 7.3.1 Release Notes
- Logstash 7.3.0 Release Notes
- Logstash 7.2.0 Release Notes
- Logstash 7.1.1 Release Notes
- Logstash 7.1.0 Release Notes
- Logstash 7.0.1 Release Notes
- Logstash 7.0.0 Release Notes
- Logstash 7.0.0-rc2 Release Notes
- Logstash 7.0.0-rc1 Release Notes
- Logstash 7.0.0-beta1 Release Notes
- Logstash 7.0.0-alpha2 Release Notes
- Logstash 7.0.0-alpha1 Release Notes
Configuring Logstash for Docker
editConfiguring Logstash for Docker
editLogstash differentiates between two types of configuration: Settings and Pipeline Configuration.
Pipeline Configuration
editIt is essential to place your pipeline configuration where it can be
found by Logstash. By default, the container will look in
/usr/share/logstash/pipeline/
for pipeline configuration files.
In this example we use a bind-mounted volume to provide the
configuration via the docker run
command:
docker run --rm -it -v ~/pipeline/:/usr/share/logstash/pipeline/ docker.elastic.co/logstash/logstash:7.3.2
Every file in the host directory ~/pipeline/
will then be parsed
by Logstash as pipeline configuration.
If you don’t provide configuration to Logstash, it will run with a
minimal config that listens for messages from the
Beats input plugin and echoes any that are
received to stdout
. In this case, the startup logs will be similar
to the following:
Sending Logstash logs to /usr/share/logstash/logs which is now configured via log4j2.properties. [2016-10-26T05:11:34,992][INFO ][logstash.inputs.beats ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"} [2016-10-26T05:11:35,068][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500} [2016-10-26T05:11:35,078][INFO ][org.logstash.beats.Server] Starting server on port: 5044 [2016-10-26T05:11:35,078][INFO ][logstash.pipeline ] Pipeline main started [2016-10-26T05:11:35,105][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
This is the default configuration for the image, defined in
/usr/share/logstash/pipeline/logstash.conf
. If this is the
behaviour that you are observing, ensure that your pipeline
configuration is being picked up correctly, and that you are replacing
either logstash.conf
or the entire pipeline
directory.
Settings
editThe image provides several methods for configuring settings. The conventional
approach is to provide a custom logstash.yml
file, but it’s
also possible to use environment variables to define settings.
Bind-mounted settings files
editSettings files can also be provided through bind-mounts. Logstash
expects to find them at /usr/share/logstash/config/
.
It’s possible to provide an entire directory containing all needed files:
docker run --rm -it -v ~/settings/:/usr/share/logstash/config/ docker.elastic.co/logstash/logstash:7.3.2
Alternatively, a single file can be mounted:
docker run --rm -it -v ~/settings/logstash.yml:/usr/share/logstash/config/logstash.yml docker.elastic.co/logstash/logstash:7.3.2
Bind-mounted configuration files will retain the same permissions and
ownership within the container that they have on the host system. Be sure
to set permissions such that the files will be readable and, ideally, not
writeable by the container’s logstash
user (UID 1000).
Custom Images
editBind-mounted configuration is not the only option, naturally. If you
prefer the Immutable Infrastructure approach, you can prepare a
custom image containing your configuration by using a Dockerfile
like this one:
FROM docker.elastic.co/logstash/logstash:7.3.2 RUN rm -f /usr/share/logstash/pipeline/logstash.conf ADD pipeline/ /usr/share/logstash/pipeline/ ADD config/ /usr/share/logstash/config/
Be sure to replace or delete logstash.conf
in your custom image, so
that you don’t retain the example config from the base image.
Environment variable configuration
editUnder Docker, Logstash settings can be configured via environment
variables. When the container starts, a helper process checks the environment
for variables that can be mapped to Logstash settings. Settings that are found
in the environment are merged into logstash.yml
as the container starts up.
For compatibility with container orchestration systems, these environment variables are written in all capitals, with underscores as word separators
Some example translations are shown here:
Table 1. Example Docker Environment Variables
Environment Variable |
Logstash Setting |
|
|
|
|
|
|
In general, any setting listed in the settings documentation can be configured with this technique.
Defining settings with environment variables causes logstash.yml
to
be modified in place. This behaviour is likely undesirable if logstash.yml
was
bind-mounted from the host system. Thus, it is not recommended to
combine the bind-mount technique with the environment variable technique. It
is best to choose a single method for defining Logstash settings.
Docker defaults
editThe following settings have different default values when using the Docker images:
|
|
|
|
The setting xpack.monitoring.elasticsearch.hosts
is not
defined in the -oss
image.
These settings are defined in the default logstash.yml
. They can be overridden
with a custom logstash.yml
or via
environment variables.
If replacing logstash.yml
with a custom version, be sure to copy the
above defaults to the custom file if you want to retain them. If not, they will
be "masked" by the new file.
Logging Configuration
editUnder Docker, Logstash logs go to standard output by default. To
change this behaviour, use any of the techniques above to replace the
file at /usr/share/logstash/config/log4j2.properties
.
On this page