Structure of a Config File
editStructure of a Config File
editA Logstash config file has a separate section for each type of plugin you want to add to the event processing pipeline. For example:
# This is a comment. You should use comments to describe # parts of your configuration. input { ... } filter { ... } output { ... }
Each section contains the configuration options for one or more plugins. If you specify multiple filters, they are applied in the order of their appearance in the configuration file.
Plugin Configuration
editThe configuration of a plugin consists of the plugin name followed by a block of settings for that plugin. For example, this input section configures two file inputs:
input { file { path => "/var/log/messages" type => "syslog" } file { path => "/var/log/apache/access.log" type => "apache" } }
In this example, two settings are configured for each of the file inputs: path and type.
The settings you can configure vary according to the plugin type. For information about each plugin, see Input Plugins, Output Plugins, Filter Plugins, and Codec Plugins.
Value Types
editA plugin can require that the value for a setting be a certain type, such as boolean or hash. The following value types are supported.
Array
editAn array can be a single string value or multiple values. If you specify the same setting multiple times, it appends to the array.
Example:
path => [ "/var/log/messages", "/var/log/*.log" ] path => "/data/mysql/mysql.log"
This example configures path
to be an array that contains an element for each of the three strings.
Boolean
editA boolean must be either true
or false
. Note that the true
and false
keywords
are not enclosed in quotes.
Example:
ssl_enable => true
Bytes
editA bytes field is a string field that represents a valid unit of bytes. It is a convenient way to declare specific sizes in your plugin options. Both SI (k M G T P E Z Y) and Binary (Ki Mi Gi Ti Pi Ei Zi Yi) units are supported. Binary units are in base-1024 and SI units are in base-1000. This field is case-insensitive and accepts space between the value and the unit. If no unit is specified, the integer string represents the number of bytes.
Examples:
my_bytes => "1113" # 1113 bytes my_bytes => "10MiB" # 10485760 bytes my_bytes => "100kib" # 102400 bytes my_bytes => "180 mb" # 180000000 bytes
Codec
editA codec is the name of Logstash codec used to represent the data. Codecs can be used in both inputs and outputs.
Input codecs provide a convenient way to decode your data before it enters the input. Output codecs provide a convenient way to encode your data before it leaves the output. Using an input or output codec eliminates the need for a separate filter in your Logstash pipeline.
Example:
codec => "json"
Hash
editA hash is a collection of key value pairs specified in the format "field1" => "value1"
.
Note that multiple key value entries are separated by spaces rather than commas.
Example:
match => { "field1" => "value1" "field2" => "value2" ... }
Number
editNumbers must be valid numeric values (floating point or integer).
Example:
port => 33
Password
editA password is a string with a single value that is not logged or printed.
Example:
my_password => "password"
Path
editA path is a string that represents a valid operating system path.
Example:
my_path => "/tmp/logstash"
String
editA string must be a single character sequence. Note that string values are enclosed in quotes.
Example:
name => "Hello world"
Comments
editComments are the same as in perl, ruby, and python. A comment starts with a # character, and does not need to be at the beginning of a line. For example:
# this is a comment input { # comments can appear at the end of a line, too # ... }