Logstash Reference: other versions:
Logstash Introduction
Getting Started with Logstash
- Installing Logstash
- Stashing Your First Event
- Parsing Logs with Logstash
- Stitching Together Multiple Input and Output Plugins
How Logstash Works
- Execution Model
- ECS in Logstash
- Processing Details
Setting Up and Running Logstash
- Logstash Directory Layout
- Logstash Configuration Files
- logstash.yml
- Secrets keystore for secure settings
- Running Logstash from the Command Line
- Running Logstash as a Service on Debian or RPM
- Running Logstash on Docker
- Configuring Logstash for Docker
- Running Logstash on Windows
- Logging
- Shutting Down Logstash
Upgrading Logstash
- Upgrading using package managers
- Upgrading using a direct download
- Upgrading between minor versions
- Upgrading Logstash to 8.0
Creating a Logstash pipeline
- Structure of a pipeline
- Accessing event data and fields
- Using environment variables
- Sending data to Elastic Cloud (hosted Elasticsearch Service)
- Logstash configuration examples
Secure your connection
Advanced Logstash Configurations
- Multiple Pipelines
- Pipeline-to-pipeline communication
- Reloading the Config File
- Managing Multiline Events
- Glob Pattern Support
- Converting Ingest Node Pipelines
Logstash-to-Logstash communication
- Logstash-to-Logstash: Lumberjack output to Beats input
- Logstash-to-Logstash: HTTP output to HTTP input
Managing Logstash
- Centralized Pipeline Management
- Configure Centralized Pipeline Management
Working with Logstash Modules
- ArcSight Module
- Netflow Module (deprecated)
- Azure Module (deprecated)
Working with Filebeat Modules
- Use ingest pipelines for parsing
- Example: Set up Filebeat modules to work with Kafka and Logstash
Working with Winlogbeat Modules
Queues and data resiliency
- Memory queue
- Persistent queues (PQ)
- Dead letter queues (DLQ)
Transforming Data
- Performing Core Operations
- Deserializing Data
- Extracting Fields and Wrangling Data
- Enriching Data with Lookups
Deploying and Scaling Logstash
Performance Tuning
- Performance Troubleshooting
- Tuning and Profiling Logstash Performance
Monitoring Logstash
- Metricbeat collection
- Legacy collection (deprecated)
- Monitoring UI
- Pipeline Viewer UI
- Troubleshooting
Monitoring Logstash with APIs
- Node Info API
- Plugins info API
- Node Stats API
- Hot Threads API
Working with plugins
- Cross-plugin concepts and features
- Generating plugins
- Offline Plugin Management
- Private Gem Repositories
- Event API
Integration plugins
- aws
- elastic_enterprise_search
- jdbc
- kafka
- rabbitmq
Input plugins
- azure_event_hubs
- beats
- cloudwatch
- couchdb_changes
- dead_letter_queue
- elastic_agent
- elasticsearch
- exec
- file
- ganglia
- gelf
- generator
- github
- google_cloud_storage
- google_pubsub
- graphite
- heartbeat
- http
- http_poller
- imap
- irc
- java_generator
- java_stdin
- jdbc
- jms
- jmx
- kafka
- kinesis
- log4j
- lumberjack
- meetup
- pipe
- puppet_facter
- rabbitmq
- redis
- relp
- rss
- s3
- s3-sns-sqs
- salesforce
- snmp
- snmptrap
- sqlite
- sqs
- stdin
- stomp
- syslog
- tcp
- twitter
- udp
- unix
- varnishlog
- websocket
- wmi
- xmpp
Output plugins
- boundary
- circonus
- cloudwatch
- csv
- datadog
- datadog_metrics
- dynatrace
- elastic_app_search
- elastic_workplace_search
- elasticsearch
- email
- exec
- file
- ganglia
- gelf
- google_bigquery
- google_cloud_storage
- google_pubsub
- graphite
- graphtastic
- http
- influxdb
- irc
- java_stdout
- juggernaut
- kafka
- librato
- loggly
- lumberjack
- metriccatcher
- mongodb
- nagios
- nagios_nsca
- opentsdb
- pagerduty
- pipe
- rabbitmq
- redis
- redmine
- riak
- riemann
- s3
- sink
- sns
- solr_http
- sqs
- statsd
- stdout
- stomp
- syslog
- tcp
- timber
- udp
- webhdfs
- websocket
- xmpp
- zabbix
Filter plugins
- age
- aggregate
- alter
- bytes
- cidr
- cipher
- clone
- csv
- date
- de_dot
- dissect
- dns
- drop
- elapsed
- elasticsearch
- environment
- extractnumbers
- fingerprint
- geoip
- grok
- http
- i18n
- java_uuid
- jdbc_static
- jdbc_streaming
- json
- json_encode
- kv
- memcached
- metricize
- metrics
- mutate
- prune
- range
- ruby
- sleep
- split
- syslog_pri
- threats_classifier
- throttle
- tld
- translate
- truncate
- urldecode
- useragent
- uuid
- wurfl_device_detection
- xml
Codec plugins
- avro
- cef
- cloudfront
- cloudtrail
- collectd
- csv
- dots
- edn
- edn_lines
- es_bulk
- fluent
- graphite
- gzip_lines
- jdots
- java_line
- java_plain
- json
- json_lines
- line
- msgpack
- multiline
- netflow
- nmap
- plain
- protobuf
- rubydebug
Tips and best practices
- JVM settings
Troubleshooting
- Troubleshooting Logstash
- Troubleshooting plugins
- Troubleshooting specific plugins
Contributing to Logstash
- How to write a Logstash input plugin
- How to write a Logstash codec plugin
- How to write a Logstash filter plugin
- How to write a Logstash output plugin
- Logstash Plugins Community Maintainer Guide
- Document your plugin
- Publish your plugin to RubyGems.org
- List your plugin
- Contributing a patch to a Logstash plugin
- Extending Logstash core
Contributing a Java Plugin
- How to write a Java input plugin
- How to write a Java codec plugin
- How to write a Java filter plugin
- How to write a Java output plugin
Glossary of Terms
Breaking changes
- Breaking changes in 8.0
- Breaking changes in 7.0
- Breaking change across PQ versions prior to Logstash 6.3.0
- Breaking changes in 6.0
Release Notes
- Logstash 8.4.3 Release Notes
- Logstash 8.4.2 Release Notes
- Logstash 8.4.1 Release Notes
- Logstash 8.4.0 Release Notes
- Logstash 8.3.3 Release Notes
- Logstash 8.3.2 Release Notes
- Logstash 8.3.1 Release Notes
- Logstash 8.3.0 Release Notes
- Logstash 8.2.3 Release Notes
- Logstash 8.2.2 Release Notes
- Logstash 8.2.1 Release Notes
- Logstash 8.2.0 Release Notes
- Logstash 8.1.3 Release Notes
- Logstash 8.1.2 Release Notes
- Logstash 8.1.1 Release Notes
- Logstash 8.1.0 Release Notes
- Logstash 8.0.1 Release Notes
- Logstash 8.0.0 Release Notes
- Logstash 8.0.0-rc2 Release Notes
- Logstash 8.0.0-rc1 Release Notes
- Logstash 8.0.0-beta1 Release Notes
- Logstash 8.0.0-alpha2 Release Notes
- Logstash 8.0.0-alpha1 Release Notes

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Logstash 8.4.1 Release Notes Logstash 8.3.3 Release Notes »

› ›

Logstash 8.4.0 Release Notes

edit

Logstash 8.4.0 Release Notes

edit

New features and enhancements

edit

Improvements to the dead letter queue (DLQ)

edit

This release brings significant improvements to help users manage their dead letter queues, including:

A new clean_consumed option on the Dead Letter Queue input plugin. It can automatically delete segments from a dead letter queue after all events in the segment have been consumed by a Logstash pipeline.
A new age retention policy, enabling the automatic removal of segments from a dead letter queue based on the age of events within those segments.
Additional dead letter queue metrics available from the monitoring API #14324

New AWS integration plugin

edit

Several AWS plugins are now bundled in a single AWS integration plugin, enabling easier maintenance and upgrades of AWS-based plugins. They all use version 3 of the AWS Ruby SDK.

JDK17 support

edit

Logstash now comes bundled with JDK17, while still providing compatibility with user-supplied JDK11. The new JDK includes an update pertaining to a potential security vulnerability. Please see our security statement for details.

Logstash M1 download

edit

Logstash is now available for download on M1 equipped MacOS devices, and comes bundled with M1 native JDK17.

Notable issues fixed

edit

Remove /etc/systemd/system/logstash.service only when file is installed by Logstash #14200
Fix Arcsight module compatibility with Elasticsearch 8.x #13874
Ensure that timestamp values are serialized with a minimum of 3 decimal places to guarantee that millisecond precision timestamps match those from Logstash 7.x #14299
Fix issue with native Java plugin thread-safety and concurrency #14360
Allow the ability to use Ruby codecs inside native Java plugins #13523

Updates to dependencies

edit

The bundled JDK has been updated to 17.0.4+8 #14427
The version of Sinatra has been updated to 2.2.2 #14454
The version of Nokogiri has been updated to 1.13.8 #14454

Plugin releases

edit

Dead Letter Queue Input - 2.0.0

Introduce the boolean clean_consumed setting to enable the automatic removal of completely consumed segments. Requires Logstash 8.4.0 or above #43
Expose metrics about segments and events cleaned by this plugin #45

Xml Filter - 4.2.0

Update Nokogiri dependency version #78

Aws Integration Plugin - 7.0.0

This new integration plugin incorporates and replaces the use of the these individual plugins: individual plugins:
- logstash-input-s3
- logstash-input-sqs
- logstash-mixin-aws
- logstash-output-cloudwatch
- logstash-output-s3
- logstash-output-sns
- logstash-output-sqs
This replaces the use of the single combined aws 2.x sdk gem, with the modularized aws 3.x gems.

« Logstash 8.4.1 Release Notes Logstash 8.3.3 Release Notes »

On this page

New features and enhancements
Improvements to the dead letter queue (DLQ)
New AWS integration plugin
JDK17 support
Logstash M1 download
Notable issues fixed
Updates to dependencies
Plugin releases

Was this helpful?

Feedback

The Search AI Company

ELK Stack

Elastic Cloud

Generative AI

Search

Security

Observability

By solution

Industries

Customer spotlight

Research

Build

Learn

Connect

Logstash 8.4.0 Release Notes

Logstash 8.4.0 Release Notes

New features and enhancements

Improvements to the dead letter queue (DLQ)

New AWS integration plugin

JDK17 support

Logstash M1 download

Notable issues fixed

Updates to dependencies

Plugin releases

Follow us

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards