gelf
editgelf
editThis is a community-maintained plugin!
This output generates messages in GELF format. This is most useful if you want to use Logstash to output events to Graylog2.
More information at The Graylog2 GELF specs page
Synopsis
editThis plugin supports the following configuration options:
Required configuration options:
gelf { host => ... }
Available configuration options:
Setting | Input type | Required | Default value |
---|---|---|---|
No |
|
||
No |
|
||
No |
|
||
No |
|
||
Yes |
|||
No |
|
||
No |
|
||
No |
|
||
No |
|
||
No |
|
||
No |
|
||
No |
|
||
No |
|
Details
edit
chunksize
edit- Value type is number
-
Default value is
1420
The GELF chunksize. You usually don’t need to change this.
codec
edit- Value type is codec
-
Default value is
"plain"
The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.
custom_fields
edit- Value type is hash
-
Default value is
{}
The GELF custom field mappings. GELF supports arbitrary attributes as custom
fields. This exposes that. Exclude the _
portion of the field name
e.g. custom_fields => ['foo_field', 'some_value']
sets _foo_field
= some_value
.
facility
(DEPRECATED)
edit- DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
- Value type is string
- There is no default value for this setting.
The GELF facility. Dynamic values like %{foo}
are permitted here; this
is useful if you need to use a value from the event as the facility name.
Should now be sent as an underscored "additional field" (e.g. \_facility
)
file
(DEPRECATED)
edit- DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
- Value type is string
- There is no default value for this setting.
The GELF file; this is usually the source code file in your program where
the log event originated. Dynamic values like %{foo}
are permitted here.
Should now be sent as an underscored "additional field" (e.g. \_file
).
full_message
edit- Value type is string
-
Default value is
"%{message}"
The GELF full message. Dynamic values like %{foo}
are permitted here.
host
edit- This is a required setting.
- Value type is string
- There is no default value for this setting.
Graylog2 server IP address or hostname.
ignore_metadata
edit- Value type is array
-
Default value is
["@timestamp", "@version", "severity", "host", "source_host", "source_path", "short_message"]
Ignore these fields when ship_metadata
is set. Typically this lists the
fields used in dynamic values for GELF fields.
level
edit- Value type is array
-
Default value is
["%{severity}", "INFO"]
The GELF message level. Dynamic values like %{level}
are permitted here;
useful if you want to parse the log level from an event and use that
as the GELF level/severity.
Values here can be integers [0..7] inclusive or any of "debug", "info", "warn", "error", "fatal" (case insensitive). Single-character versions of these are also valid, "d", "i", "w", "e", "f", "u" The following additional severity\_labels from Logstash’s syslog\_pri filter are accepted: "emergency", "alert", "critical", "warning", "notice", and "informational".
line
(DEPRECATED)
edit- DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
- Value type is string
- There is no default value for this setting.
The GELF line number; this is usually the line number in your program where
the log event originated. Dynamic values like %{foo}
are permitted here, but the
value should be a number.
Should now be sent as an underscored "additional field" (e.g. \_line
).
sender
edit- Value type is string
-
Default value is
"%{host}"
Allow overriding of the GELF sender
field. This is useful if you
want to use something other than the event’s source host as the
"sender" of an event. A common case for this is using the application name
instead of the hostname.
ship_metadata
edit- Value type is boolean
-
Default value is
true
Should Logstash ship metadata within event object? This will cause Logstash to ship any fields in the event (such as those created by grok) in the GELF messages. These will be sent as underscored "additional fields".
ship_tags
edit- Value type is boolean
-
Default value is
true
Ship tags within events. This will cause Logstash to ship the tags of an
event as the field \_tags
.