Logstash input plugin

edit

For other versions, see the Versioned plugin docs.

Getting help

edit

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Description

edit

Listen for events that are sent by a Logstash output plugin in a pipeline that may be in another process or on another host. The upstream output must have a TCP route to the port (defaults to 9800) on an interface that this plugin is bound to.

Sending events to this input by any means other than plugins-outputs-logstash is neither advised nor supported. We will maintain cross-compatibility with any two supported versions of output/input pair and reserve the right to change details such as protocol and encoding.

Minimum Configuration

edit
SSL Enabled SSL Disabled
input {
  logstash {
    ssl_keystore_path
         => "/path/to/logstash.p12"
    ssl_keystore_password
         => "${PASS}"
  }
}
input {
  logstash {
    ssl_enabled => false
  }
}

Configuration Concepts

edit

This input plugin needs to be configured to bind to a TCP port, and can be constrained to bind to a particular interface by providing the IP to host.

Security: SSL Identity

edit

Unless SSL is disabled, this plugin needs to be configured with identity material:

Security: SSL Trust

edit

When communicating over SSL, this plugin can be configured to either request or require that connecting clients present their own identity claims with ssl_client_authentication.

Certificates that are presented by clients are validated by default using the system trust store to ensure that they are currently-valid and trusted, and that the client can prove possession of its associated private key. You can provide an alternate source of trust with:

Client-certificate verification does not verify identity claims on the presented certificate, such as whether the certificate includes a Subject Alt Name matching the IP address from which the client is connecting.

Security: Credentials

edit

You can also configure this plugin to require a specific username/password be provided by configuring username and password. Doing so requires connecting logstash-output plugin clients to provide matching username and password.

when SSL is disabled, data and credentials will be received in clear-text.

Logstash Input Configuration Options

edit

This plugin supports the following configuration options plus the Common options described later.

Also see Common options for a list of options supported by all input plugins.

 

host

edit
  • Value type is a string ip address
  • Default value is 0.0.0.0 (all interfaces)

Specify which interface to listen on by providing its ip address. By default, this input listens on all available interfaces.

password

edit
  • Value type is password
  • There is no default value for this setting.

Password for password-based authentication. Requires username.

port

edit
  • Value type is a number port
  • Default value is 9800

Specify which port to listen on.

ssl_certificate

edit
  • Value type is path
  • There is no default value for this setting.
  • When present, ssl_key and ssl_key_passphrase are also required.
  • Cannot be combined with configurations that disable SSL.

Path to a PEM-encoded certificate or certificate chain with which to identify this plugin to connecting clients. The certificate SHOULD include identity claims about the ip address or hostname that clients use to establish a connection.

ssl_certificate_authorities

edit

One or more PEM-encoded files defining certificate authorities for use in client authentication. This setting can be used to override the system trust store for verifying the SSL certificate presented by clients.

ssl_client_authentication

edit
  • Value can be any of:

    • none: do not request client’s certificate, or validate certificates that are presented
    • optional: request client’s certificate, and validate it against our trust authorities if-and-only-if it is presented
    • required: require a valid certificate from the client that is signed by a trusted certificate authority
  • Default value is "none"

By default the server doesn’t do any client authentication. This means that connections from clients are private when SSL is enabled, but that this input will allow SSL connections from any client. If you wish to configure this plugin to reject connections from untrusted hosts, you will need to configure this plugin to authenticate clients, and may also need to configure its source of trust.

ssl_enabled

edit
  • Value type is boolean
  • Default value is true

SSL is enabled by default, which requires configuring this plugin to present its identity.

You can disable SSL with +ssl_enabled => false+. When disabled, setting any ssl_* configuration causes configuration failure.

ssl_key

edit
  • Value type is path
  • There is no default value for this setting.
  • Required when connection identity is configured with ssl_certificate.
  • Cannot be combined with configurations that disable SSL.

A path to a PEM-encoded encrypted PKCS8 SSL certificate key.

ssl_keystore_password

edit
  • Value type is password
  • There is no default value for this setting.
  • Required when connection identity is configured with ssl_keystore_path.
  • Cannot be combined with configurations that disable SSL.

Password for the ssl_keystore_path

ssl_keystore_path

edit
  • Value type is path
  • There is no default value for this setting.
  • When present, ssl_keystore_password is also required.
  • Cannot be combined with configurations that disable SSL.

A path to a JKS- or PKCS12-formatted keystore with which to identify this plugin to Elasticsearch.

ssl_key_passphrase

edit
  • Value type is password
  • There is no default value for this setting.
  • Required when connection identity is configured with ssl_certificate.
  • Cannot be combined with configurations that disable SSL.

A password or passphrase of the ssl_key.

username

edit
  • Value type is string
  • There is no default value for this setting.

Username for password-based authentication. When this input plugin is configured with a username, it also requires a password, and any upstream logstash-output plugin must also be configured with a matching username/password pair.

when SSL is disabled, credentials will be transmitted in clear-text.

Common options

edit

These configuration options are supported by all input plugins:

Setting Input type Required

add_field

hash

No

enable_metric

boolean

No

id

string

No

tags

array

No

type

string

No

add_field

edit
  • Value type is hash
  • Default value is {}

Add a field to an event

enable_metric

edit
  • Value type is boolean
  • Default value is true

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

  • Value type is string
  • There is no default value for this setting.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 logstash inputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

input {
  logstash {
    id => "my_plugin_id"
  }
}

Variable substitution in the id field only supports environment variables and does not support the use of values from the secret store.

tags

edit
  • Value type is array
  • There is no default value for this setting.

Add any number of arbitrary tags to your event.

This can help with processing later.

type

edit
  • Value type is string
  • There is no default value for this setting.

Add a type field to all events handled by this input.

Types are used mainly for filter activation.

The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.

If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.