Working with plugins

edit

macOS Gatekeeper warnings

Apple’s rollout of stricter notarization requirements affected the notarization of the 7.10.2 Logstash artifacts. If macOS Catalina displays a dialog when you first run Logstash that interrupts it, you will need to take an action to allow it to run. To prevent Gatekeeper checks on the Logstash files, run the following command on the downloaded .tar.gz archive or the directory to which was extracted:

xattr -d -r com.apple.quarantine <archive-or-directory>

For example, if the .tar.gz file was extracted to the default logstash-7.10.2 directory, the command is:

xattr -d -r com.apple.quarantine logstash-7.10.2

Alternatively, you can add a security override if a Gatekeeper popup appears by following the instructions in the How to open an app that hasn’t been notarized or is from an unidentified developer section of Safely open apps on your Mac.

Logstash has a rich collection of input, filter, codec, and output plugins. Check out the Elastic Support Matrix to see which plugins are supported at various levels.

Plugins are available in self-contained packages called gems and hosted on RubyGems.org. Use the plugin manager script--bin/logstash-plugin--to manage plugins:

No internet connection?

edit

If you don’t have an internet connection, check out Offline Plugin Management for information on building, installing, and updating offline plugin packs.

Proxy configuration

edit

Most plugin manager commands require access to the internet to reach RubyGems.org. If your organization is behind a firewall, you can set these environments variables to configure Logstash to use your proxy.

export http_proxy=http://localhost:3128
export https_proxy=http://localhost:3128

Listing plugins

edit

Logstash release packages bundle common plugins. To list the plugins currently available in your deployment:

bin/logstash-plugin list 
bin/logstash-plugin list --verbose 
bin/logstash-plugin list '*namefragment*' 
bin/logstash-plugin list --group output 

Lists all installed plugins

Lists installed plugins with version information

Lists all installed plugins containing a namefragment

Lists all installed plugins for a particular group (input, filter, codec, output)

Adding plugins to your deployment

edit

When you have access to internet, you can retrieve plugins hosted on the RubyGems.orgpublic repository and install them on top of your Logstash installation.

bin/logstash-plugin install logstash-input-github

After a plugin is successfully installed, you can use it in your configuration file.

Updating plugins

edit

Plugins have their own release cycles and are often released independently of Logstash’s core release cycle. Using the update subcommand you can get the latest version of the plugin.

bin/logstash-plugin update 
bin/logstash-plugin update logstash-input-github 

updates all installed plugins

updates only the plugin you specify

Removing plugins

edit

If you need to remove plugins from your Logstash installation:

bin/logstash-plugin remove logstash-input-github

Advanced: Adding a locally built plugin

edit

In some cases, you may want to install plugins which are not yett released and not hosted on RubyGems.org. Logstash provides you the option to install a locally built plugin which is packaged as a ruby gem. Using a file location:

bin/logstash-plugin install /path/to/logstash-output-kafka-1.0.0.gem

Advanced: Using --path.plugins

edit

Using the Logstash --path.plugins flag, you can load a plugin source code located on your file system. Typically this is used by developers who are iterating on a custom plugin and want to test it before creating a ruby gem.

The path needs to be in a specific directory hierarchy: PATH/logstash/TYPE/NAME.rb, where TYPE is inputs filters, outputs or codecs and NAME is the name of the plugin.

# supposing the code is in /opt/shared/lib/logstash/inputs/my-custom-plugin-code.rb
bin/logstash --path.plugins /opt/shared/lib