Configure Centralized Pipeline Management
To configure centralized pipeline management:
- Verify that you are using a license that includes the pipeline management feature. For more information, see https://www.elastic.co/subscriptions and License management.
- Specify configuration management settings in the logstash.yml file. At a minimum, set:
  - xpack.management.enabled: true to enable centralized configuration management.
  - xpack.management.elasticsearch.hosts to specify the Elasticsearch instance that will store the Logstash pipeline configurations and metadata.
  - xpack.management.pipeline.id to register the pipelines that you want to centrally manage.
- Restart Logstash.
- If your Elasticsearch cluster is protected with basic authentication, assign the built-in logstash_admin role as well as the logstash_writer role to any users who will use centralized pipeline management. See Secure your connection for more information.
Centralized management is disabled until you configure and enable security features.
After you’ve configured Logstash to use centralized pipeline management, you can no longer specify local pipeline configurations. This means that the pipelines.yml file and settings like path.config and config.string are inactive when this feature is enabled.
Configuration Management Settings in Logstash
You can set the following xpack.management settings in logstash.yml to enable centralized pipeline management.
For more information about configuring Logstash, see logstash.yml.
The following example shows basic settings that assume Elasticsearch and Kibana are installed on the localhost with basic AUTH enabled, but no SSL. If you’re using SSL, you need to specify additional SSL settings.
    xpack.management.enabled: true
    xpack.management.elasticsearch.hosts: "http://localhost:9200/"
    xpack.management.elasticsearch.username: logstash_admin_user
    xpack.management.elasticsearch.password: t0p.s3cr3t
    xpack.management.logstash.poll_interval: 5s
    xpack.management.pipeline.id: ["apache", "cloudwatch_logs"]
- xpack.management.enabled
  Set to true to enable X-Pack centralized configuration management for Logstash.
- xpack.management.logstash.poll_interval
  How often the Logstash instance polls for pipeline changes from Elasticsearch. The default is 5s.
- xpack.management.pipeline.id
  Specify a comma-separated list of pipeline IDs to register for centralized pipeline management. After changing this setting, you need to restart Logstash to pick up changes. Pipeline IDs support * as a wildcard for matching multiple IDs.
- xpack.management.elasticsearch.hosts
  The Elasticsearch instance that will store the Logstash pipeline configurations and metadata. This might be the same Elasticsearch instance specified in the outputs section in your Logstash configuration, or a different one. Defaults to http://localhost:9200.
- xpack.management.elasticsearch.username and xpack.management.elasticsearch.password
  If your Elasticsearch cluster is protected with basic authentication, these settings provide the username and password that the Logstash instance uses to authenticate for accessing the configuration data. The username you specify here should have the built-in logstash_admin role and the customized logstash_writer role, which provides access to system indices for managing configurations. Starting with Elasticsearch version 7.10.0, the logstash_admin role inherits the manage_logstash_pipelines cluster privilege for centralized pipeline management. If a user has created their own roles and granted them access to the .logstash index, those roles will continue to work in 7.x but will need to be updated for 8.0.
- xpack.management.elasticsearch.proxy
  Optional setting that allows you to specify a proxy URL if Logstash needs to use a proxy to reach your Elasticsearch cluster.
- xpack.management.elasticsearch.ssl.ca_trusted_fingerprint
  Optional setting that enables you to specify the hex-encoded SHA-256 fingerprint of the certificate authority for your Elasticsearch instance.
  A self-secured Elasticsearch cluster will provide the fingerprint of its CA to the console during setup.
  You can also get the SHA256 fingerprint of an Elasticsearch’s CA using the openssl command-line utility on the Elasticsearch host:

      openssl x509 -fingerprint -sha256 -in $ES_HOME/config/certs/http_ca.crt
- xpack.management.elasticsearch.ssl.certificate_authority
  Optional setting that enables you to specify a path to the .pem file for the certificate authority for your Elasticsearch instance.
- xpack.management.elasticsearch.ssl.truststore.path
  Optional setting that provides the path to the Java keystore (JKS) to validate the server’s certificate.
  You cannot use this setting and xpack.management.elasticsearch.ssl.certificate_authority at the same time.
- xpack.management.elasticsearch.ssl.truststore.password
  Optional setting that provides the password to the truststore.
- xpack.management.elasticsearch.ssl.keystore.path
  Optional setting that provides the path to the Java keystore (JKS) to validate the client’s certificate.
  You cannot use this setting and xpack.management.elasticsearch.ssl.keystore.certificate at the same time.
- xpack.management.elasticsearch.ssl.keystore.password
  Optional setting that provides the password to the keystore.
- xpack.management.elasticsearch.ssl.certificate
  Optional setting that provides the path to an SSL certificate to use to authenticate the client. This certificate should be an OpenSSL-style X.509 certificate file.
  This setting can be used only if xpack.management.elasticsearch.ssl.key is set.
- xpack.management.elasticsearch.ssl.key
  Optional setting that provides the path to an OpenSSL-style RSA private key that corresponds to the xpack.management.elasticsearch.ssl.certificate.
  This setting can be used only if xpack.management.elasticsearch.ssl.certificate is set.
- xpack.management.elasticsearch.ssl.verification_mode
  Option to validate the server’s certificate. Defaults to full. To disable, set to none. Disabling this severely compromises security.
- xpack.management.elasticsearch.ssl.cipher_suites
  Optional setting that provides the list of cipher suites to use, listed by priorities. Supported cipher suites vary depending on the Java and protocol versions.
- xpack.management.elasticsearch.cloud_id
  If you’re using Elasticsearch in Elastic Cloud, you should specify the identifier here. This setting is an alternative to xpack.management.elasticsearch.hosts. If cloud_id is configured, xpack.management.elasticsearch.hosts should not be used. This Elasticsearch instance will store the Logstash pipeline configurations and metadata.
- xpack.management.elasticsearch.cloud_auth
  If you’re using Elasticsearch in Elastic Cloud, you can set your auth credentials here. This setting is an alternative to both xpack.management.elasticsearch.username and xpack.management.elasticsearch.password. If cloud_auth is configured, those settings should not be used. The credentials you specify here should be for a user with the logstash_admin role, which provides access to system indices for managing configurations.
- xpack.management.elasticsearch.api_key
  Authenticate using an Elasticsearch API key. Note that this option also requires using SSL. The API key format is id:api_key where id and api_key are as returned by the Elasticsearch Create API key API.
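
The combination rules in the settings list above can be checked before a restart. The following lint pass is an added example, not part of the Logstash documentation or code base; it assumes the settings are already loaded into a flat dict keyed by full setting name, and lint_management_settings, the sample values and the host es.example.internal are hypothetical.

```python
import re

P = "xpack.management.elasticsearch."

def lint_management_settings(cfg):
    """Check a flat dict of logstash.yml settings against the rules above."""
    def has(key):
        return cfg.get(P + key) not in (None, "", [])

    findings = []
    # Pairs the settings reference says must not be combined.
    for a, b in [("ssl.truststore.path", "ssl.certificate_authority"),
                 ("cloud_id", "hosts"),
                 ("cloud_auth", "username"),
                 ("cloud_auth", "password")]:
        if has(a) and has(b):
            findings.append(f"{a} and {b} are both set")
    # Client certificate and private key are only valid as a pair.
    if has("ssl.certificate") != has("ssl.key"):
        findings.append("ssl.certificate and ssl.key must be set together")
    if cfg.get(P + "ssl.verification_mode") == "none":
        findings.append("ssl.verification_mode is none")

    hosts = cfg.get(P + "hosts") or []
    hosts = [hosts] if isinstance(hosts, str) else hosts
    # Assumption: the connection uses SSL only if cloud_id is set or every host is https.
    uses_ssl = has("cloud_id") or (bool(hosts) and all(h.startswith("https://") for h in hosts))
    if has("api_key"):
        if not uses_ssl:
            findings.append("api_key requires SSL")
        if not re.fullmatch(r"[^:\s]+:[^:\s]+", str(cfg[P + "api_key"])):
            findings.append("api_key is not in id:api_key form")
    if has("password") and not uses_ssl:
        findings.append("password is sent without SSL")
    return findings

# Constructed inputs: the page's basic example, and a deliberately conflicting one.
PAGE_EXAMPLE = {
    P + "hosts": "http://localhost:9200/",
    P + "username": "logstash_admin_user",
    P + "password": "t0p.s3cr3t",
}
CONFLICTING = {
    P + "hosts": ["https://es.example.internal:9200"],
    P + "cloud_auth": "user:placeholder",
    P + "username": "logstash_admin_user",
    P + "ssl.certificate": "/path/to/client.crt",
    P + "ssl.verification_mode": "none",
    P + "api_key": "not-an-id-key-pair",
}
```
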
Wildcard support in pipeline ID
Pipeline IDs must begin with a letter or underscore and contain only letters, underscores, dashes, and numbers.
You can use * in xpack.management.pipeline.id to match any number of letters, underscores, dashes, and numbers.

    xpack.management.pipeline.id: ["*logs", "*apache*", "tomcat_log"]

In this example, "*logs" matches all IDs ending in logs. "*apache*" matches any IDs with apache in the name.
Wildcards in pipeline IDs are available starting with Elasticsearch 7.10. Logstash can pick up a new pipeline without a restart if the new pipeline ID matches the wildcard pattern.
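
Because a new pipeline whose ID matches a wildcard is picked up without a restart, it helps to review which centrally stored IDs a given pattern list selects. This is an added example that models the matching rule as documented above, not Logstash's own matcher; it assumes * may match zero characters, and the function names and the stored IDs are constructed for illustration.

```python
import re

ID_CHARS = r"[A-Za-z0-9_-]"
# A pipeline ID begins with a letter or underscore, then any ID characters.
VALID_ID = re.compile(rf"[A-Za-z_]{ID_CHARS}*")

def pattern_to_regex(pattern):
    """Translate one pipeline.id entry: each '*' becomes a run of ID characters."""
    parts = pattern.split("*")
    for part in parts:
        if part and not re.fullmatch(rf"{ID_CHARS}+", part):
            raise ValueError(f"invalid characters in pattern {pattern!r}")
    return re.compile(f"{ID_CHARS}*".join(re.escape(p) for p in parts))

def managed_pipelines(patterns, stored_ids):
    """Map each valid stored pipeline ID to the patterns that select it."""
    compiled = [(p, pattern_to_regex(p)) for p in patterns]
    selected = {}
    for pid in stored_ids:
        if not VALID_ID.fullmatch(pid):
            continue  # not a legal pipeline ID under the rule above
        hits = [p for p, rx in compiled if rx.fullmatch(pid)]
        if hits:
            selected[pid] = hits
    return selected

def catch_all_patterns(patterns):
    """Patterns made only of '*' select every pipeline stored in Elasticsearch."""
    return [p for p in patterns if p and set(p) == {"*"}]

PATTERNS = ["*logs", "*apache*", "tomcat_log"]  # from the example above
STORED = ["cloudwatch_logs", "apache", "apache-access", "tomcat_log",
          "tomcat_logger", "9lives_logs", "nginx"]  # constructed sample IDs

if __name__ == "__main__":
    for pid, hits in managed_pipelines(PATTERNS, STORED).items():
        print(f"{pid}: selected by {hits}")
```
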