gelf

edit

This is a community-maintained plugin!

This output generates messages in GELF format. This is most useful if you want to use Logstash to output events to Graylog2.

More information at The Graylog2 GELF specs page

 

Synopsis

edit

This plugin supports the following configuration options:

Required configuration options:

gelf {
    host => ...
}

Available configuration options:

Setting Input type Required Default value

chunksize

number

No

1420

codec

codec

No

"plain"

custom_fields

hash

No

{}

full_message

string

No

"%{message}"

host

string

Yes

ignore_metadata

array

No

["@timestamp", "@version", "severity", "host", "source_host", "source_path", "short_message"]

level

array

No

["%{severity}", "INFO"]

port

number

No

12201

sender

string

No

"%{host}"

ship_metadata

boolean

No

true

ship_tags

boolean

No

true

short_message

string

No

"short_message"

workers

number

No

1

Details

edit

 

chunksize

edit
  • Value type is number
  • Default value is 1420

The GELF chunksize. You usually don’t need to change this.

codec

edit
  • Value type is codec
  • Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

custom_fields

edit
  • Value type is hash
  • Default value is {}

The GELF custom field mappings. GELF supports arbitrary attributes as custom fields. This exposes that. Exclude the _ portion of the field name e.g. custom_fields => ['foo_field', 'some_value'] sets _foo_field = some_value.

facility (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • There is no default value for this setting.

The GELF facility. Dynamic values like %{foo} are permitted here; this is useful if you need to use a value from the event as the facility name. Should now be sent as an underscored "additional field" (e.g. \_facility)

file (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • There is no default value for this setting.

The GELF file; this is usually the source code file in your program where the log event originated. Dynamic values like %{foo} are permitted here. Should now be sent as an underscored "additional field" (e.g. \_file).

full_message

edit
  • Value type is string
  • Default value is "%{message}"

The GELF full message. Dynamic values like %{foo} are permitted here.

host

edit
  • This is a required setting.
  • Value type is string
  • There is no default value for this setting.

Graylog2 server IP address or hostname.

ignore_metadata

edit
  • Value type is array
  • Default value is ["@timestamp", "@version", "severity", "host", "source_host", "source_path", "short_message"]

Ignore these fields when ship_metadata is set. Typically this lists the fields used in dynamic values for GELF fields.

level

edit
  • Value type is array
  • Default value is ["%{severity}", "INFO"]

The GELF message level. Dynamic values like %{level} are permitted here; useful if you want to parse the log level from an event and use that as the GELF level/severity.

Values here can be integers [0..7] inclusive or any of "debug", "info", "warn", "error", "fatal" (case insensitive). Single-character versions of these are also valid, "d", "i", "w", "e", "f", "u" The following additional severity\_labels from Logstash’s syslog\_pri filter are accepted: "emergency", "alert", "critical", "warning", "notice", and "informational".

line (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • There is no default value for this setting.

The GELF line number; this is usually the line number in your program where the log event originated. Dynamic values like %{foo} are permitted here, but the value should be a number. Should now be sent as an underscored "additional field" (e.g. \_line).

port

edit
  • Value type is number
  • Default value is 12201

Graylog2 server port number.

sender

edit
  • Value type is string
  • Default value is "%{host}"

Allow overriding of the GELF sender field. This is useful if you want to use something other than the event’s source host as the "sender" of an event. A common case for this is using the application name instead of the hostname.

ship_metadata

edit
  • Value type is boolean
  • Default value is true

Should Logstash ship metadata within event object? This will cause Logstash to ship any fields in the event (such as those created by grok) in the GELF messages. These will be sent as underscored "additional fields".

ship_tags

edit
  • Value type is boolean
  • Default value is true

Ship tags within events. This will cause Logstash to ship the tags of an event as the field \_tags.

short_message

edit
  • Value type is string
  • Default value is "short_message"

The GELF short message field name. If the field does not exist or is empty, the event message is taken instead.

workers

edit
  • Value type is number
  • Default value is 1

The number of workers to use for this output. Note that this setting may not be useful for all outputs.