Logstash output
The Logstash output uses an internal protocol to send events directly to Logstash over TCP. Logstash provides additional parsing, transformation, and routing of data collected by Elastic Agent.
Compatibility: This output works with all compatible versions of Logstash. Refer to the Elastic Support Matrix.
This example configures a Logstash output called default in the elastic-agent.yml file:
The Logstash server and the port ( |
To receive the events in Logstash, you also need to create a Logstash configuration pipeline. The Logstash configuration pipeline listens for incoming Elastic Agent connections, processes received events, and then sends the events to Elasticsearch.
The following example configures a Logstash pipeline that listens on port 5044 for incoming Elastic Agent connections and routes received events to Elasticsearch:
```
input {
  elastic_agent {
    port => 5044
    enrich => none # don't modify the events' schema at all
    # or minimal change, add only ssl and source metadata
    # enrich => [ssl_peer_metadata, source_metadata]
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    data_stream => "true"
  }
}
```
For more information about configuring Logstash, refer to Configuring Logstash and Elastic Agent input plugin.
Logstash output configuration settings
The logstash output supports the following settings, grouped by category. Many of these settings have sensible defaults that allow you to run Elastic Agent with minimal configuration.
Commonly used settings
Setting | Description |
---|---|
(boolean) Enables or disables the output. If set to |
|
(boolean) Configures escaping of HTML in strings. Set to Default: |
|
(list) The list of known Logstash servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly. All entries in this list can contain a port number. If no port is specified,
|
|
(string) The URL of the SOCKS5 proxy to use when connecting to the Logstash servers. The value must be a URL with a scheme of If the SOCKS5 proxy server requires client authentication, embed a username and password in the URL as shown in the example. When using a proxy, hostnames are resolved on the proxy server instead of on the client. To change this behavior, set
```yaml
outputs:
  default:
    type: logstash
    hosts: ["remote-host:5044"]
    proxy_url: socks5://user:password@socks5-proxy:2233
```
|
|
(boolean) Determines whether Logstash hostnames are resolved locally when using a proxy. If Default: |
Authentication settings
When sending data to a secured cluster through the logstash output, Elastic Agent can use SSL/TLS. For a list of available settings, refer to SSL/TLS, specifically the settings under Table 4, “Common configuration options” and Table 5, “Client configuration options”.
To use SSL/TLS, you must also configure the Elastic Agent input plugin for Logstash to use SSL/TLS.
For more information, refer to Configure SSL/TLS for the Logstash output.
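An added example, not part of the Elastic documentation: a small Python check that flags a logstash output whose proxy_url embeds credentials (as in the SOCKS5 example above) or that carries no ssl settings, and that redacts the password before a finding is logged. The configuration is a constructed sample; `ssl.certificate_authorities`, the file path and treating "no ssl keys" as "TLS not configured" are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the page's proxy example plus a variant without
# embedded credentials. The ssl key and CA path are assumptions.
SAMPLE_OUTPUTS = {
    "default": {
        "type": "logstash",
        "hosts": ["remote-host:5044"],
        "proxy_url": "socks5://user:password@socks5-proxy:2233",
    },
    "hardened": {
        "type": "logstash",
        "hosts": ["remote-host:5044"],
        "proxy_url": "socks5://socks5-proxy:2233",
        "ssl.certificate_authorities": ["/etc/agent/ca.pem"],
    },
}

def redact_proxy_url(url):
    """Return the URL with any embedded password masked, safe to log."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def audit_logstash_outputs(outputs):
    """Return a list of (output_name, finding) for logstash-type outputs."""
    findings = []
    for name, cfg in outputs.items():
        if cfg.get("type") != "logstash":
            continue
        proxy = cfg.get("proxy_url")
        if proxy and urlsplit(proxy).password is not None:
            findings.append((name, "proxy credentials stored in config: "
                             + redact_proxy_url(proxy)))
        # Heuristic (assumption): no ssl keys means TLS was not configured.
        if not any(k == "ssl" or k.startswith("ssl.") for k in cfg):
            findings.append((name, "no ssl settings configured for this output"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_logstash_outputs(SAMPLE_OUTPUTS):
        print(f"{name}: {finding}")
```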
Memory queue settings
The memory queue keeps all events in memory.
The memory queue waits for the output to acknowledge or drop events. If the queue is full, no new events can be inserted into the memory queue. Only after the signal from the output will the queue free up space for more events to be accepted.
The memory queue is controlled by the parameters queue.mem.flush.min_events and queue.mem.flush.timeout. If queue.mem.flush.timeout is 0s or queue.mem.flush.min_events is 0 or 1, then events can be sent by the output as soon as they are available. If the output supports a bulk_max_size parameter, it controls the maximum batch size that can be sent.
If queue.mem.flush.min_events is greater than 1 and queue.mem.flush.timeout is greater than 0s, events will only be sent to the output when the queue contains at least queue.mem.flush.min_events events or the queue.mem.flush.timeout period has expired. In this mode, the maximum batch size that can be sent by the output is queue.mem.flush.min_events. If the output supports a bulk_max_size parameter, values of bulk_max_size greater than queue.mem.flush.min_events have no effect. The value of queue.mem.flush.min_events should be evenly divisible by bulk_max_size to avoid sending partial batches to the output.
This sample configuration forwards events to the output if 512 events are available or the oldest available event has been waiting for 5s in the queue:
```yaml
queue.mem.events: 4096
queue.mem.flush.min_events: 512
queue.mem.flush.timeout: 5s
```
Setting | Description |
---|---|
The number of events the queue can store. This value should be evenly divisible by Default: |
|
The minimum number of events required for publishing. If this value is set to 0 or 1, events are available to the output immediately. If this value is greater than 1 the output must wait for the queue to accumulate this minimum number of events or for Default: |
|
(int) The maximum wait time for Default: |
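An added example, not Elastic Agent code: a Python model of the flush rule described above, run against the sample values (512 events, 5s timeout) to show when batches leave the queue and how large they are. It assumes the output is always ready to accept a batch and ignores queue capacity; the arrival times are constructed and expressed in milliseconds.

```python
def simulate_flushes(arrivals, min_events, timeout):
    """Model the documented flush rule, assuming the output is always ready.

    arrivals: sorted event arrival times; timeout uses the same unit.
    Returns a list of (flush_time, batch_size) tuples.
    """
    if min_events <= 1 or timeout == 0:
        min_events = 1  # immediate mode: events are available as they arrive
    flushes, pending = [], []
    for t in arrivals:
        # The oldest queued event reached the timeout before this arrival.
        if pending and pending[0] + timeout <= t:
            flushes.append((pending[0] + timeout, len(pending)))
            pending = []
        pending.append(t)
        if len(pending) >= min_events:
            flushes.append((t, len(pending)))
            pending = []
    if pending:  # trailing partial batch leaves when its timeout expires
        flushes.append((pending[0] + timeout, len(pending)))
    return flushes

def effective_max_batch(min_events, timeout, bulk_max_size=None):
    """Largest batch the output can send under the documented rules."""
    buffered = min_events > 1 and timeout > 0
    if not buffered:
        return bulk_max_size  # None: the page states no other limit
    if bulk_max_size is None:
        return min_events
    return min(min_events, bulk_max_size)

def sample_arrivals():
    """Constructed input: a 600-event burst at 1 ms spacing, then stragglers."""
    return list(range(600)) + [20000, 21000, 30000]

if __name__ == "__main__":
    for when, size in simulate_flushes(sample_arrivals(), 512, 5000):
        print(f"t={when} ms: batch of {size}")
    print("max batch with bulk_max_size=2048:", effective_max_batch(512, 5000, 2048))
```

The burst fills one full batch on event count alone, while the remainder and the stragglers leave only when the oldest queued event has waited out the timeout.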
Performance tuning settings
Settings that may affect performance.
Setting | Description |
---|---|
(string) The number of seconds to wait before trying to reconnect to Logstash after a network error. After waiting Default: |
|
(string) The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. Default: |
|
(int) The maximum number of events to bulk in a single Logstash request. Events can be collected into batches. Elastic Agent will split batches larger than
Specifying a larger batch size can improve performance by lowering the overhead of sending events. However, big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput. Set this value to Default: |
|
(int) The gzip compression level. Set this value to Increasing the compression level reduces network usage but increases CPU usage. Default: |
|
If Default: Example:
```yaml
outputs:
  default:
    type: logstash
    hosts: ["localhost:5044", "localhost:5045"]
    loadbalance: true
```
|
|
(int) The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped. Set Default: |
|
(int) The number of batches to send asynchronously to Logstash while waiting for an ACK from Logstash. The output becomes blocking after the specified number of batches are written. Specify Default: |
|
(boolean) If Default: |
|
(string) The number of seconds to wait for responses from the Logstash server before timing out. Default: |
|
(string) Time to live for a connection to Logstash after which the connection will be reestablished. This setting is useful when Logstash hosts represent load balancers. Because connections to Logstash hosts are sticky, operating behind load balancers can lead to uneven load distribution across instances. Specify a TTL on the connection to achieve equal connection distribution across instances. Default: The |
|
(int) The number of workers per configured host publishing events. Example: If you have two hosts and three workers, in total six workers are started (three for each host). Default: |