Logstash output settings
Specify these settings to send data over a secure connection to Logstash. You must also configure a Logstash pipeline that reads encrypted data from Elastic Agents and sends the data to Elasticsearch. Follow the in-product steps to configure the Logstash pipeline.
In the Fleet Output settings, make sure that the Logstash output type is selected.
Before using the Logstash output, you need to make sure that for any integrations that have been added to your Elastic Agent policy, the integration assets have been installed on the destination cluster. Refer to Install and uninstall Elastic Agent integration assets for the steps to add integration assets.
To learn how to generate certificates, refer to Configure SSL/TLS for the Logstash output.
The addresses your Elastic Agents will use to connect to Logstash. Use the format
Examples:
Refer to the Fleet Server documentation for default ports and other configuration details. |
|
The CA certificate to use to connect to Logstash. This is the CA used to generate the certificate and key for Logstash. Copy and paste in the full contents for the CA certificate. This setting is optional. |
|
The certificate generated for the client. Copy and paste in the full contents of the certificate. This is the certificate that all the agents will use to connect to Logstash. In cases where each client has a unique certificate, the local path to that certificate can be placed here. The agents will pick the certificate in that location when establishing a connection to Logstash. |
|
The private key generated for the client. The key must be in PKCS 8 format. Copy and paste in the full contents of the certificate key. This is the certificate key that all the agents will use to connect to Logstash. In cases where each client has a unique certificate key, the local path to that certificate key can be placed here. The agents will pick the certificate key in that location when establishing a connection to Logstash. To prevent unauthorized access, the certificate key is stored as a secret value. While secret storage is recommended, you can choose to override this setting and store the key as plain text in the agent policy definition. Secret storage requires Fleet Server version 8.12 or higher. Note that this setting can also be stored as a secret value or as plain text for preconfigured outputs. See Preconfiguration settings in the Kibana Guide to learn more. |
|
Select a proxy URL for Elastic Agent to connect to Logstash. To learn about proxy configuration, refer to Using a proxy server with Elastic Agent and Fleet. |
|
YAML settings that will be added to the Logstash output section of each policy that uses this output. Make sure you specify valid YAML. The UI does not currently provide validation. See Advanced YAML configuration for descriptions of the available settings. |
|
When this setting is on, Elastic Agents use this output to send data if no other output is set in the agent policy. Output to Logstash is not supported for agent integrations in a policy used by Fleet Server or APM. |
|
When this setting is on, Elastic Agents use this output to send agent monitoring data if no other output is set in the agent policy. Output to Logstash is not supported for agent monitoring in a policy used by Fleet Server or APM. |
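The PKCS 8 requirement on the client private key described above can be checked locally before the key is pasted into Fleet. The following is an added example, not part of the Elastic documentation: it classifies a PEM private key by its label and confirms that a `PRIVATE KEY` body really has the PKCS 8 structure. The function names are hypothetical and the sample inputs are constructed DER skeletons, not real keys.

```python
import base64
import re

# PEM labels (RFC 7468) mapped to the private-key encoding they announce.
PEM_LABELS = {
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "RSA PRIVATE KEY": "pkcs1",
    "EC PRIVATE KEY": "sec1",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _value_offset(der, pos):
    """Offset of the value of the DER element whose tag byte is at pos."""
    first = der[pos + 1]
    return pos + 2 if first < 0x80 else pos + 2 + (first & 0x7F)

def der_is_pkcs8(der):
    """PKCS 8 PrivateKeyInfo is SEQUENCE { INTEGER version, SEQUENCE algorithm, ... };
    PKCS 1 and SEC1 keys have an INTEGER or OCTET STRING in second position."""
    pos = _value_offset(der, 0)
    if der[0] != 0x30 or der[pos] != 0x02:
        return False
    nxt = _value_offset(der, pos) + der[pos + 1]  # skip the short version INTEGER
    return der[nxt] == 0x30

def classify_key(pem_text):
    """Return the encoding, 'mislabeled' when a PRIVATE KEY body is not PKCS 8,
    or 'unknown' when no private-key PEM block is found. Key bytes are never printed."""
    m = PEM_RE.search(pem_text)
    kind = PEM_LABELS.get(m.group(1), "unknown") if m else "unknown"
    if kind != "pkcs8":
        return kind
    try:
        ok = der_is_pkcs8(base64.b64decode("".join(m.group(2).split())))
    except (ValueError, IndexError):
        ok = False
    return "pkcs8" if ok else "mislabeled"

def make_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed structural skeletons, not real keys.
SAMPLE_PKCS8 = make_pem("PRIVATE KEY", bytes.fromhex("3009020100300205000400"))
SAMPLE_PKCS1 = make_pem("RSA PRIVATE KEY", bytes.fromhex("3006020100020101"))
SAMPLE_WRONG = make_pem("PRIVATE KEY", bytes.fromhex("3006020100020101"))
```

For a key reported as `pkcs1` or `sec1`, `openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pkcs8.key` writes a PKCS 8 copy (the file names are placeholders). The output of that command is unencrypted, so keep it under the same file permissions as the original key.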
Advanced YAML configuration
Setting | Description |
---|---|
(string) The number of seconds to wait before trying to reconnect to Logstash
after a network error. After waiting Default: |
|
(string) The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. Default: |
|
(int) The maximum number of events to bulk in a single Logstash request. Events can be collected into batches. Elastic Agent will split batches larger than
Specifying a larger batch size can improve performance by lowering the overhead of sending events. However, big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput. Set this value to Default: |
|
(int) The gzip compression level. Set this value to Increasing the compression level reduces network usage but increases CPU usage. |
|
(boolean) Configures escaping of HTML in strings. Set to Default: |
|
(string) The index root name to write events to. |
|
If Default: Example:

```yaml
outputs:
  default:
    type: logstash
    hosts: ["localhost:5044", "localhost:5045"]
    loadbalance: true
```
|
|
(int) The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped. Set Default: |
|
(int) The number of batches to send asynchronously to Logstash while waiting
for an ACK from Logstash. The output becomes blocking after the specified number of
batches are written. Specify Default: |
|
(boolean) Determines whether Logstash hostnames are resolved locally when using a
proxy. If Default: |
|
The number of events the queue can store. This value should be evenly divisible by Default: |
|
The minimum number of events required for publishing. If this value is set to 0 or 1, events are available to the output immediately. If this value is greater than 1 the output must wait for the queue to accumulate this minimum number of events or for Default: |
|
(int) The maximum wait time for Default: |
|
(boolean) If Default: |
|
(string) The number of seconds to wait for responses from the Logstash server before timing out. Default: |
|
(string) Time to live for a connection to Logstash after which the connection will be reestablished. This setting is useful when Logstash hosts represent load balancers. Because connections to Logstash hosts are sticky, operating behind load balancers can lead to uneven load distribution across instances. Specify a TTL on the connection to achieve equal connection distribution across instances. Default: The |
|
(int) The number of workers per configured host publishing events. Example: If you have two hosts and three workers, in total six workers are started (three for each host). Default: |