From version 5.0 onward, Watcher is part of X-Pack. For more information, see Alerting on cluster and index events.
« Integrating Watcher with Shield Configuring the Default Throttle Period »
Elastic Docs Elasticsearch Watcher [2.3] Administering Watcher

Integrating Watcher with Logstash

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Integrating Watcher with Logstash

edit

By default, Logstash uses the node protocol setting to ship data to Elasticsearch. When you use the node protocol, the Logstash instance joins the Elasticsearch cluster and shares the cluster state.

Watcher requires the License plugin to be installed on all instances in the cluster, including the Logstash instance. To use Watcher in combination with the Logstash node protocol, you must install the License plugin on top of Logstash. To do this, we’ve created a special Logstash plugin called logstash-output-elasticsearch-plugin. This plugin simply pulls the License jar file (elasticsearch-license-1.0.0.jar) and adds it to the classpath.

If you’re using the Logstash transport or http protocol, you do not need to install the License plugin. The License plugin is only required if you’re using the node protocol.

To install the Logstash License plugin:

  1. Shutdown the Logstash instance(s) that are shipping data to Elasticsearch.

  2. Run bin/plugin install to install the Logstash license plugin:

    bin/plugin install logstash-output-elasticsearch-license
  3. Restart the Logstash instance(s).

Using Logstash for Watch Actions

edit

Integrating Watcher with Logstash provides users a powerful pipeline to further transform and enrich watch payloads. Integrating with Logstash also enables you to send watches to the rich collection of outputs supported by Logstash.

For Logstash to receive data from Watcher, you need to enable the http input. The http input launches a webserver and listens for incoming requests. The Logstash http input supports basic auth and HTTPS.

Once the Logstash http input is enabled, you post data to Logstash with the webhook action.

The http input is built in to Logstash 1.5.2 and above. To use the http input with earlier versions of Logstash, install the logstash-input-http plugin by running bin/plugin install logstash-input-http.

To configure Logstash to listen for incoming HTTP requests, add an http input definition to your Logstash coniguration file:

input {
  http {
    host => "mylogstashhost" 
    port => "8080" 
  }
}

The name of your Logstash HTTP host.

The port the HTTP host listens on.

For more information about using a webhook action to send data to Logstash, see Configuring Webhook Actions.

« Integrating Watcher with Shield Configuring the Default Throttle Period »