- Logstash Reference: other versions:
- Logstash Introduction
- Getting Started with Logstash
- How Logstash Works
- Setting Up and Running Logstash
- Logstash Directory Layout
- Logstash Configuration Files
- logstash.yml
- Secrets keystore for secure settings
- Running Logstash from the Command Line
- Running Logstash as a Service on Debian or RPM
- Running Logstash on Docker
- Configuring Logstash for Docker
- Running Logstash on Kubernetes
- Running Logstash on Windows
- Logging
- Shutting Down Logstash
- Upgrading Logstash
- Creating a Logstash pipeline
- Secure your connection
- Advanced Logstash Configurations
- Logstash-to-Logstash communication
- Managing Logstash
- Using Logstash with Elastic Integrations
- Working with Logstash Modules
- Working with Filebeat Modules
- Working with Winlogbeat Modules
- Queues and data resiliency
- Transforming Data
- Deploying and Scaling Logstash
- Managing GeoIP Databases
- Performance tuning
- Monitoring Logstash with Elastic Agent
- Monitoring Logstash (legacy)
- Monitoring Logstash with APIs
- Working with plugins
- Integration plugins
- Input plugins
- azure_event_hubs
- beats
- cloudwatch
- couchdb_changes
- dead_letter_queue
- elastic_agent
- elastic_serverless_forwarder
- elasticsearch
- exec
- file
- ganglia
- gelf
- generator
- github
- google_cloud_storage
- google_pubsub
- graphite
- heartbeat
- http
- http_poller
- imap
- irc
- java_generator
- java_stdin
- jdbc
- jms
- jmx
- kafka
- kinesis
- logstash
- log4j
- lumberjack
- meetup
- pipe
- puppet_facter
- rabbitmq
- redis
- relp
- rss
- s3
- s3-sns-sqs
- salesforce
- snmp
- snmptrap
- sqlite
- sqs
- stdin
- stomp
- syslog
- tcp
- udp
- unix
- varnishlog
- websocket
- wmi
- xmpp
- Output plugins
- boundary
- circonus
- cloudwatch
- csv
- datadog
- datadog_metrics
- dynatrace
- elastic_app_search
- elastic_workplace_search
- elasticsearch
- exec
- file
- ganglia
- gelf
- google_bigquery
- google_cloud_storage
- google_pubsub
- graphite
- graphtastic
- http
- influxdb
- irc
- java_stdout
- juggernaut
- kafka
- librato
- logstash
- loggly
- lumberjack
- metriccatcher
- mongodb
- nagios
- nagios_nsca
- opentsdb
- pagerduty
- pipe
- rabbitmq
- redis
- redmine
- riak
- riemann
- s3
- sink
- sns
- solr_http
- sqs
- statsd
- stdout
- stomp
- syslog
- tcp
- timber
- udp
- webhdfs
- websocket
- xmpp
- zabbix
- Filter plugins
- age
- aggregate
- alter
- bytes
- cidr
- cipher
- clone
- csv
- date
- de_dot
- dissect
- dns
- drop
- elapsed
- elastic_integration
- elasticsearch
- environment
- extractnumbers
- fingerprint
- geoip
- grok
- http
- i18n
- java_uuid
- jdbc_static
- jdbc_streaming
- json
- json_encode
- kv
- memcached
- metricize
- metrics
- mutate
- prune
- range
- ruby
- sleep
- split
- syslog_pri
- threats_classifier
- throttle
- tld
- translate
- truncate
- urldecode
- useragent
- uuid
- wurfl_device_detection
- xml
- Codec plugins
- Tips and best practices
- Troubleshooting
- Contributing to Logstash
- How to write a Logstash input plugin
- How to write a Logstash codec plugin
- How to write a Logstash filter plugin
- How to write a Logstash output plugin
- Logstash Plugins Community Maintainer Guide
- Document your plugin
- Publish your plugin to RubyGems.org
- List your plugin
- Contributing a patch to a Logstash plugin
- Extending Logstash core
- Contributing a Java Plugin
- Breaking changes
- Release Notes
- Logstash 8.17.1 Release Notes
- Logstash 8.17.0 Release Notes
- Logstash 8.16.3 Release Notes
- Logstash 8.16.2 Release Notes
- Logstash 8.16.1 Release Notes
- Logstash 8.16.0 Release Notes
- Logstash 8.15.5 Release Notes
- Logstash 8.15.4 Release Notes
- Logstash 8.15.3 Release Notes
- Logstash 8.15.2 Release Notes
- Logstash 8.15.1 Release Notes
- Logstash 8.15.0 Release Notes
- Logstash 8.14.3 Release Notes
- Logstash 8.14.2 Release Notes
- Logstash 8.14.1 Release Notes
- Logstash 8.14.0 Release Notes
- Logstash 8.13.4 Release Notes
- Logstash 8.13.3 Release Notes
- Logstash 8.13.2 Release Notes
- Logstash 8.13.1 Release Notes
- Logstash 8.13.0 Release Notes
- Logstash 8.12.2 Release Notes
- Logstash 8.12.1 Release Notes
- Logstash 8.12.0 Release Notes
- Logstash 8.11.4 Release Notes
- Logstash 8.11.3 Release Notes
- Logstash 8.11.2 Release Notes
- Logstash 8.11.1 Release Notes
- Logstash 8.11.0 Release Notes
- Logstash 8.10.4 Release Notes
- Logstash 8.10.3 Release Notes
- Logstash 8.10.2 Release Notes
- Logstash 8.10.1 Release Notes
- Logstash 8.10.0 Release Notes
- Logstash 8.9.2 Release Notes
- Logstash 8.9.1 Release Notes
- Logstash 8.9.0 Release Notes
- Logstash 8.8.2 Release Notes
- Logstash 8.8.1 Release Notes
- Logstash 8.8.0 Release Notes
- Logstash 8.7.1 Release Notes
- Logstash 8.7.0 Release Notes
- Logstash 8.6.2 Release Notes
- Logstash 8.6.1 Release Notes
- Logstash 8.6.0 Release Notes
- Logstash 8.5.3 Release Notes
- Logstash 8.5.2 Release Notes
- Logstash 8.5.1 Release Notes
- Logstash 8.5.0 Release Notes
- Logstash 8.4.2 Release Notes
- Logstash 8.4.1 Release Notes
- Logstash 8.4.0 Release Notes
- Logstash 8.3.3 Release Notes
- Logstash 8.3.2 Release Notes
- Logstash 8.3.1 Release Notes
- Logstash 8.3.0 Release Notes
- Logstash 8.2.3 Release Notes
- Logstash 8.2.2 Release Notes
- Logstash 8.2.1 Release Notes
- Logstash 8.2.0 Release Notes
- Logstash 8.1.3 Release Notes
- Logstash 8.1.2 Release Notes
- Logstash 8.1.1 Release Notes
- Logstash 8.1.0 Release Notes
- Logstash 8.0.1 Release Notes
- Logstash 8.0.0 Release Notes
- Logstash 8.0.0-rc2 Release Notes
- Logstash 8.0.0-rc1 Release Notes
- Logstash 8.0.0-beta1 Release Notes
- Logstash 8.0.0-alpha2 Release Notes
- Logstash 8.0.0-alpha1 Release Notes
Logstash output plugin
editLogstash output plugin
edit- A component of the logstash integration plugin
- Integration version: v1.0.4
- Released on: 2024-12-10
- Changelog
For other versions, see the Versioned plugin docs.
Getting help
editFor questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
Description
editSend events to a Logstash input plugin in a pipeline that may be in another process or on another host. You must have a TCP route to the port (defaults to 9800) on an interface that the downstream input is bound to.
Sending events to any destination other than a logstash-input
plugin is neither advised nor supported.
We will maintain cross-compatibility with any two supported versions of output/input pair and reserve the right to change details such as protocol and encoding.
Minimum Configuration
editSSL Enabled | SSL Disabled |
---|---|
output { logstash { hosts => "10.0.0.123:9801" } } |
output { logstash { hosts => "10.0.0.123:9801" ssl_enabled => false } } |
Configuration Concepts
editConfigure this output plugin to connect to a Logstash input plugin by specifying its hosts
.
Depending on the downstream plugin’s configuration, you may need to also configure the target port, SSL, and/or credentials.
Security: SSL Trust
editWhen communicating over SSL, this plugin establishes trust of the server it connects to before transmitting credentials or events.
It does so by ensuring that the responding server presents a currently-valid certificate with identity claims matching host it is connecting to, signed by a trusted signing authority, along with proof-of-possession of the associated private key material.
The system trust store is used by default. You can provide an alternate source of trust with ONE OF:
-
A PEM-formatted list of trusted certificate authorities (see
ssl_certificate_authorities
) -
A PKCS12- or JKS-formatted truststore (see
ssl_truststore_path
)
Security: SSL Identity
editIf the downstream input plugin is configured to request or require client authentication, you can configure this plugin to provide its proof-of-identity with ONE OF:
-
JKS- or PKCS12-formatted Keystore (see
ssl_keystore_path
) -
PKCS8-formatted Certificate/Key pair (see
ssl_certificate
)
Logstash Output Configuration Options
editThis plugin supports the following configuration options plus the Common options described later.
Setting | Input type | Required |
---|---|---|
list of string |
Yes |
|
No |
||
No |
||
No |
||
list of path |
No |
|
No |
||
No |
||
No |
||
No |
||
No |
||
string, one of |
No |
|
No |
Also see Common options for a list of options supported by all output plugins.
hosts
edit- Value type is list of string
- There is no default value for this setting.
-
Constraints:
- When using IPv6, IP address must be in an enclosed in brackets.
-
When a port is not provided, the default
9800
is used.
The addresses of one or more downstream `input`s to connect to.
Host can be any of IPv4, IPv6 (in enclosed bracket) or host name, examples:
-
"127.0.0.1"
-
"127.0.0.1:9801"
-
"ds.example.com"
-
"ds.example.com:9802"
-
"[::1]"
-
"[::1]:9803"
-
"[2001:0db8:85a3:0000:0000:8a2e:0370:7334]"
-
"[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:9804"
Plugin balances incoming load among the hosts
. For more information, visit Logstash integration plugin Load Balancing section.
When connecting, communication to downstream input Logstash is secured with SSL unless configured otherwise.
Disabling SSL is dangerous
The security of this plugin relies on SSL to avoid leaking credentials and to avoid running illegitimate ingest pipeline definitions.
when using SSL, the server that responds must present a certificated with identity claim matching this host name or ip address.
password
editPassword for password-based authentication.
When the downstream input plugin is configured with a username
and password
, you must also configure upstream outputs with a matching username
/password
pair.
ssl_enabled
edit- Value type is boolean
-
Default value is
true
Logstash-to-Logstash communication is secured by default. When the downstream input plugin disables SSL, it must also be disabled here.
You can disable SSL with +ssl_enabled => false+
. When disabled, setting any ssl_*
configuration causes configuration failure.
ssl_certificate
editPath to a PEM-encoded certificate or certificate chain with which to identify this plugin to connecting downstream input.
ssl_certificate_authorities
edit- Value type is a path
- There is no default value for this setting.
- Cannot be combined with configurations that disable SSL.
-
Cannot be combined with
+ssl_verification_mode => none+
.
One or more PEM-encoded files defining certificate authorities for use in downstream input authentication. This setting can be used to override the system trust store for verifying the SSL certificate presented by downstream input.
ssl_key
edit- Value type is path
- There is no default value for this setting.
-
Required when connection identity is configured with
ssl_certificate
- Cannot be combined with configurations that disable SSL.
A path to an PEM-encoded unencrypted PKCS8 SSL certificate key.
ssl_keystore_path
edit- Value type is path
- There is no default value for this setting.
-
When present,
ssl_keystore_password
is also required. - Cannot be combined with configurations that disable SSL.
A path to a JKS- or PKCS12-formatted keystore with which to identify this plugin to the downstream input. The provided identity will be used if the downstream input enables SSL client authentication.
ssl_keystore_password
edit- Value type is password
- There is no default value for this setting.
-
Required when connection identity is configured with
ssl_keystore_path
- Cannot be combined with configurations that disable SSL.
Password for the ssl_keystore_path
ssl_truststore_path
edit- Value type is path
- There is no default value for this setting.
-
When present,
ssl_truststore_path
is also required. - Cannot be combined with configurations that disable SSL.
-
Cannot be combined with
+ssl_verification_mode => none+
.
A path to a JKS- or PKCS12-formatted truststore with which to validate the identity claims of the downstream input. The provided identity will be used if the downstream input enables SSL client authentication.
ssl_truststore_password
edit- Value type is password
- There is no default value for this setting.
-
Required when connection identity is configured with
ssl_truststore_path
- Cannot be combined with configurations that disable SSL.
Password for the ssl_truststore_path
ssl_verification_mode
edit- Value type is string
-
The supported modes are:
-
full
: verifies that a certificate provided by the client has an identity claim matchinghosts
, is signed by a trusted authority (CA), is within its valid date range, and that the client has possession of the associated key. -
none
: performs no validation of the presented certificate
-
-
The default value is
full
. - Cannot be combined with configurations that disable SSL.
When communicating over SSL, this setting controls how the downstream input’s certificate is verified.
username
editUsername for password-based authentication.
When the downstream input plugin is configured with a username
and password
, you must also configure upstream outputs with a matching username
/password
pair.
when SSL is disabled, credentials will be transmitted in clear-text.
Common options
editThese configuration options are supported by all output plugins:
Setting | Input type | Required |
---|---|---|
No |
||
No |
enable_metric
edit- Value type is boolean
-
Default value is
true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
id
edit- Value type is string
- There is no default value for this setting.
Add a unique ID
to the plugin configuration. If no ID is specified, Logstash will generate one.
It is strongly recommended to set this ID in your configuration. This is particularly useful
when you have two or more plugins of the same type. For example, if you have 2 logstash outputs.
Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
output { logstash { id => "my_plugin_id" } }
Variable substitution in the id
field only supports environment variables
and does not support the use of values from the secret store.
On this page
- Getting help
- Description
- Minimum Configuration
- Configuration Concepts
- Security: SSL Trust
- Security: SSL Identity
- Security: Credentials
- Logstash Output Configuration Options
hosts
password
ssl_enabled
ssl_certificate
ssl_certificate_authorities
ssl_key
ssl_keystore_path
ssl_keystore_password
ssl_truststore_path
ssl_truststore_password
ssl_verification_mode
username
- Common options
enable_metric
id
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now