elasticsearch

edit

This output lets you store logs in Elasticsearch and is the most recommended output for Logstash. If you plan on using the Kibana web interface, you’ll need to use this output.

VERSION NOTE: Your Elasticsearch cluster must be running Elasticsearch 1.0.0 or later.

If you want to set other Elasticsearch options that are not exposed directly as configuration options, there are two methods:

  • Create an elasticsearch.yml file in the $PWD of the Logstash process
  • Pass in es.* java properties (java -Des.node.foo= or ruby -J-Des.node.foo=)

With the default protocol setting ("node"), this plugin will join your Elasticsearch cluster as a client node, so it will show up in Elasticsearch’s cluster status.

You can learn more about Elasticsearch at https://www.elastic.co/products/elasticsearch

Operational Notes

edit

If using the default protocol setting ("node"), your firewalls might need to permit port 9300 in both directions (from Logstash to Elasticsearch, and Elasticsearch to Logstash)

Retry Policy

edit

By default all bulk requests to ES are synchronous. Not all events in the bulk requests always make it successfully. For example, there could be events which are not formatted correctly for the index they are targeting (type mismatch in mapping). So that we minimize loss of events, we have a specific retry policy in place. We retry all events which fail to be reached by Elasticsearch for network related issues. We retry specific events which exhibit errors under a separate policy described below. Events of this nature are ones which experience ES error codes described as retryable errors.

Retryable Errors:

  • 429, Too Many Requests (RFC6585)
  • 503, The server is currently unable to handle the request due to a temporary overloading or maintenance of the server.

Here are the rules of what is retried when:

  • Block and retry all events in bulk response that experiences transient network exceptions until a successful submission is received by Elasticsearch.
  • Retry subset of sent events which resulted in ES errors of a retryable nature which can be found in RETRYABLE_CODES
  • For events which returned retryable error codes, they will be pushed onto a separate queue for retrying events. events in this queue will be retried a maximum of 5 times by default (configurable through :max_retries). The size of this queue is capped by the value set in :retry_max_items.
  • Events from the retry queue are submitted again either when the queue reaches its max size or when the max interval time is reached, which is set in :retry_max_interval.
  • Events which are not retryable or have reached their max retry count are logged to stderr.

 

Synopsis

edit

This plugin supports the following configuration options:

Required configuration options:

elasticsearch {
}

Available configuration options:

Setting Input type Required Default value

action

string

No

"index"

bind_host

string

No

bind_port

number

No

cacert

a valid filesystem path

No

cluster

string

No

codec

codec

No

"plain"

doc_as_upsert

boolean

No

false

document_id

string

No

document_type

string

No

embedded

boolean

No

false

embedded_http_port

string

No

"9200-9300"

flush_size

number

No

5000

host

array

No

idle_flush_time

number

No

1

index

string

No

"logstash-%{+YYYY.MM.dd}"

keystore

a valid filesystem path

No

keystore_password

password

No

manage_template

boolean

No

true

max_retries

number

No

3

node_name

string

No

password

password

No

path

string

No

"/"

port

string

No

protocol

string, one of ["node", "transport", "http"]

No

node

proxy

<<,>>

No

retry_max_interval

number

No

5

retry_max_items

number

No

5000

routing

string

No

sniffing

boolean

No

false

ssl

boolean

No

false

ssl_certificate_verification

boolean

No

true

template

a valid filesystem path

No

template_name

string

No

"logstash"

template_overwrite

boolean

No

false

truststore

a valid filesystem path

No

truststore_password

password

No

upsert

string

No

""

user

string

No

workers

number

No

1

Details

edit

 

action

edit
  • Value can be any of: index, delete, create, update
  • Default value is index

What does each action do?

  • index: indexes a document (an event from Logstash).
  • delete: deletes a document by id
  • create: indexes a document, fails if a document by that id already exists in the index.
  • update: updates a document by id following action is not supported by HTTP protocol
  • create_unless_exists: creates a document, fails if no id is provided

For more details on actions, check out the Elasticsearch bulk API documentation

bind_host

edit
  • Value type is string
  • There is no default value for this setting.

The name/address of the host to bind to for Elasticsearch clustering

bind_port

edit
  • Value type is number
  • There is no default value for this setting.

This is only valid for the node protocol.

The port for the node to listen on.

cacert

edit
  • Value type is path
  • There is no default value for this setting.

The .cer or .pem file to validate the server’s certificate

cluster

edit
  • Value type is string
  • There is no default value for this setting.

The name of your cluster if you set it on the Elasticsearch side. Useful for discovery when using node or transport protocols. By default, it looks for a cluster named elasticsearch.

codec

edit
  • Value type is codec
  • Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

doc_as_upsert

edit
  • Value type is boolean
  • Default value is false

Enable doc_as_upsert for update mode create a new document with source if document_id doesn’t exists

document_id

edit
  • Value type is string
  • There is no default value for this setting.

The document ID for the index. Useful for overwriting existing entries in Elasticsearch with the same ID.

document_type

edit
  • Value type is string
  • There is no default value for this setting.

The document type to write events to. Generally you should try to write only similar events to the same type. String expansion %{foo} works here. Unless you set document_type, the event type will be used if it exists otherwise the document type will be assigned the value of logs

embedded

edit
  • Value type is boolean
  • Default value is false

Run the Elasticsearch server embedded in this process. This option is useful if you want to run a single Logstash process that handles log processing and indexing; it saves you from needing to run a separate Elasticsearch process. An example use case is proof-of-concept testing. WARNING: This is not recommended for production use!

embedded_http_port

edit
  • Value type is string
  • Default value is "9200-9300"

If you are running the embedded Elasticsearch server, you can set the http port it listens on here; it is not common to need this setting changed from default.

exclude_tags (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is array
  • Default value is []

Only handle events without any of these tags. Optional.

flush_size

edit
  • Value type is number
  • Default value is 5000

This plugin uses the bulk index api for improved indexing performance. To make efficient bulk api calls, we will buffer a certain number of events before flushing that out to Elasticsearch. This setting controls how many events will be buffered before sending a batch of events.

host

edit
  • Value type is array
  • There is no default value for this setting.

For the node protocol, if you do not specify host, it will attempt to use multicast discovery to connect to Elasticsearch. If multicast is disabled in Elasticsearch, you must include the hostname or IP address of the host(s) to use for Elasticsearch unicast discovery. Remember the node protocol uses the transport address (eg. 9300, not 9200). "127.0.0.1" ["127.0.0.1:9300","127.0.0.2:9300"] When setting hosts for node protocol, it is important to confirm that at least one non-client node is listed in the host list. Also keep in mind that the host parameter when used with the node protocol is for discovery purposes only (not for load balancing). When multiple hosts are specified, it will contact the first host to see if it can use it to discover the cluster. If not, then it will contact the second host in the list and so forth. With the node protocol, Logstash will join the Elasticsearch cluster as a node client (which has a copy of the cluster state) and this node client is the one that will automatically handle the load balancing of requests across data nodes in the cluster. If you are looking for a high availability setup, our recommendation is to use the transport protocol (below), set up multiple client nodes and list the client nodes in the host parameter.

For the transport protocol, it will load balance requests across the hosts specified in the host parameter. Remember the transport protocol uses the transport address (eg. 9300, not 9200). "127.0.0.1" ["127.0.0.1:9300","127.0.0.2:9300"] There is also a sniffing option (see below) that can be used with the transport protocol to instruct it to use the host to sniff for "alive" nodes in the cluster and automatically use it as the hosts list (but will skip the dedicated master nodes). If you do not use the sniffing option, it is important to exclude dedicated master nodes from the host list to prevent Logstash from sending bulk requests to the master nodes. So this parameter should only reference either data or client nodes.

For the http protocol, it will load balance requests across the hosts specified in the host parameter. Remember the http protocol uses the http address (eg. 9200, not 9300). "127.0.0.1" ["127.0.0.1:9200","127.0.0.2:9200"] It is important to exclude dedicated master nodes from the host list to prevent LS from sending bulk requests to the master nodes. So this parameter should only reference either data or client nodes.

idle_flush_time

edit
  • Value type is number
  • Default value is 1

The amount of time since last flush before a flush is forced.

This setting helps ensure slow event rates don’t get stuck in Logstash. For example, if your flush_size is 100, and you have received 10 events, and it has been more than idle_flush_time seconds since the last flush, Logstash will flush those 10 events automatically.

This helps keep both fast and slow log streams moving along in near-real-time.

index

edit
  • Value type is string
  • Default value is "logstash-%{+YYYY.MM.dd}"

The index to write events to. This can be dynamic using the %{foo} syntax. The default value will partition your indices by day so you can more easily delete old data or only search specific date ranges. Indexes may not contain uppercase characters. For weekly indexes ISO 8601 format is recommended, eg. logstash-%{+xxxx.ww}

index_type (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • There is no default value for this setting.

The index type to write events to. Generally you should try to write only similar events to the same type. String expansion %{foo} works here.

Deprecated in favor of document_type field.

keystore

edit
  • Value type is path
  • There is no default value for this setting.

The keystore used to present a certificate to the server It can be either .jks or .p12

keystore_password

edit
  • Value type is password
  • There is no default value for this setting.

Set the truststore password

manage_template

edit
  • Value type is boolean
  • Default value is true

Starting in Logstash 1.3 (unless you set option manage_template to false) a default mapping template for Elasticsearch will be applied, if you do not already have one set to match the index pattern defined (default of logstash-%{+YYYY.MM.dd}), minus any variables. For example, in this case the template will be applied to all indices starting with logstash-*

If you have dynamic templating (e.g. creating indices based on field names) then you should set manage_template to false and use the REST API to upload your templates manually.

max_inflight_requests (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is number
  • Default value is 50

This setting no longer does anything. It exists to keep config validation from failing. It will be removed in future versions.

max_retries

edit
  • Value type is number
  • Default value is 3

Set max retry for each event

node_name

edit
  • Value type is string
  • There is no default value for this setting.

The node name Elasticsearch will use when joining a cluster.

By default, this is generated internally by the ES client.

password

edit
  • Value type is password
  • There is no default value for this setting.

path

edit
  • Value type is string
  • Default value is "/"

HTTP Path at which the Elasticsearch server lives. Use this if you must run ES behind a proxy that remaps the root path for the Elasticsearch HTTP API lives. This option is ignored for non-HTTP transports.

port

edit
  • Value type is string
  • There is no default value for this setting.

The port for Elasticsearch transport to use.

If you do not set this, the following defaults are used: * protocol => http - port 9200 * protocol => transport - port 9300-9305 * protocol => node - port 9300-9305

protocol

edit
  • Value can be any of: node, transport, http
  • Default value is node.

Choose the protocol used to talk to Elasticsearch.

The http protocol will use the Elasticsearch REST/HTTP interface to talk to elasticsearch. We strongly encourage the use of HTTP over the node protocol for a number of reasons. HTTP is only marginally slower, yet far easier to administer and work with. When using the HTTP protocol one may upgrade Elasticsearch versions without having to upgrade Logstash in lock-step

The node protocol (default) will connect to the cluster as a normal Elasticsearch node (but will not store data). If you use the node protocol, you must permit bidirectional communication on the port 9300 (or whichever port you have configured).

If you do not specify the host parameter, it will use multicast for Elasticsearch discovery. While this may work in a test/dev environment where multicast is enabled in Elasticsearch, we strongly recommend disabling multicast in Elasticsearch. To connect to an Elasticsearch cluster with multicast disabled, you must include the host parameter (see relevant section above).

The transport protocol will connect to the host you specify and will not show up as a node in the Elasticsearch cluster. This is useful in situations where you cannot permit connections outbound from the Elasticsearch cluster to this Logstash server.

All protocols will use bulk requests when talking to Elasticsearch.

proxy

edit
  • Value type is string
  • There is no default value for this setting.

Set the address of a forward HTTP proxy. Must be used with the http protocol.Can be either a string, such as http://localhost:123 or a hash in the form {host: 'proxy.org' port: 80 scheme: 'http'}

Note, this is NOT a SOCKS proxy, but a plain HTTP proxy

retry_max_interval

edit
  • Value type is number
  • Default value is 5

Set max interval between bulk retries

retry_max_items

edit
  • Value type is number
  • Default value is 5000

Set retry policy for events that failed to send

routing

edit
  • Value type is string
  • There is no default value for this setting.

A routing override to be applied to all processed events. This can be dynamic using the %{foo} syntax.

sniffing

edit
  • Value type is boolean
  • Default value is false

Enable cluster sniffing (transport only) Asks host for the list of all cluster nodes and adds them to the hosts list

ssl

edit
  • Value type is boolean
  • Default value is false

SSL Configurations (only valid when protocol is HTTP)

Enable SSL

ssl_certificate_verification

edit
  • Value type is boolean
  • Default value is true

Validate the server’s certificate. Disabling this severely compromises security. For more information read https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

tags (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is array
  • Default value is []

Only handle events with all of these tags. Optional.

template

edit
  • Value type is path
  • There is no default value for this setting.

You can set the path to your own template here, if you so desire. If not set, the included template will be used.

template_name

edit
  • Value type is string
  • Default value is "logstash"

This configuration option defines how the template is named inside Elasticsearch. Note that if you have used the template management features and subsequently change this, you will need to prune the old template manually, e.g.

curl -XDELETE <http://localhost:9200/_template/OldTemplateName?pretty>

where OldTemplateName is whatever the former setting was.

template_overwrite

edit
  • Value type is boolean
  • Default value is false

Overwrite the current template with whatever is configured in the template and template_name directives.

truststore

edit
  • Value type is path
  • There is no default value for this setting.

The JKS truststore to validate the server’s certificate Use either :truststore or :cacert

truststore_password

edit
  • Value type is password
  • There is no default value for this setting.

Set the truststore password

type (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • Default value is ""

The type to act on. If a type is given, then this output will only act on messages with the same type. See any input plugin’s type attribute for more. Optional.

upsert

edit
  • Value type is string
  • Default value is ""

Set upsert content for update mode create a new document with this parameter as json string if document_id doesn’t exists

user

edit
  • Value type is string
  • There is no default value for this setting.

Username and password (only valid when protocol is HTTP; this setting works with HTTP or HTTPS auth)

workers

edit
  • Value type is number
  • Default value is 1

The number of workers to use for this output. Note that this setting may not be useful for all outputs.