Gelf output plugin

  • Plugin version: v3.1.7
  • Released on: 2018-04-06
  • Changelog

For other versions, see the Versioned plugin docs.

Installation

For plugins not bundled by default, it is easy to install by running bin/logstash-plugin install logstash-output-gelf. See Working with plugins for more details.

Getting help

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in GitHub. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Description

This output generates messages in GELF format. This is most useful if you want to use Logstash to output events to Graylog2.

More information is available at the Graylog2 GELF specs page.

Gelf Output Configuration Options

This plugin supports the following configuration options plus the Common options described later.

Also see Common options for a list of options supported by all output plugins.

chunksize

  • Value type is number
  • Default value is 1420

The chunksize. You usually don’t need to change this.

custom_fields

  • Value type is hash
  • Default value is {}

The GELF custom field mappings. GELF supports arbitrary attributes as custom fields, and this option exposes them. Omit the leading _ from the field name; for example, custom_fields => ['foo_field', 'some_value'] sets _foo_field = some_value.

full_message

  • Value type is string
  • Default value is "%{message}"

The GELF full message. Dynamic values like %{foo} are permitted here.

host

  • This is a required setting.
  • Value type is string
  • There is no default value for this setting.

Graylog2 server IP address or hostname.

ignore_metadata

  • Value type is array
  • Default value is ["@timestamp", "@version", "severity", "host", "source_host", "source_path", "short_message"]

Ignore these fields when ship_metadata is set. Typically this lists the fields used in dynamic values for GELF fields.

level

  • Value type is array
  • Default value is ["%{severity}", "INFO"]

The GELF message level. Dynamic values like %{level} are permitted here; useful if you want to parse the log level from an event and use that as the GELF level/severity.

Values here can be integers [0..7] inclusive or any of "debug", "info", "warn", "error", "fatal" (case insensitive). Single-character versions of these are also valid: "d", "i", "w", "e", "f", "u". The following additional severity_labels from Logstash’s syslog_pri filter are accepted: "emergency", "alert", "critical", "warning", "notice", and "informational".

port

  • Value type is number
  • Default value is 12201

Graylog2 server port number.

protocol

By default, this plugin outputs via the UDP transfer protocol, but can be configured to use TCP instead.

  • Value type is string
  • Default value is "UDP"

Values here can be either "TCP" or "UDP".

sender

  • Value type is string
  • Default value is "%{host}"

Allow overriding of the GELF sender field. This is useful if you want to use something other than the event’s source host as the "sender" of an event. A common case for this is using the application name instead of the hostname.

ship_metadata

  • Value type is boolean
  • Default value is true

Should Logstash ship metadata within the event object? This will cause Logstash to ship any fields in the event (such as those created by grok) in the GELF messages. These will be sent as underscored "additional fields".

ship_tags

  • Value type is boolean
  • Default value is true

Ship tags within events. This will cause Logstash to ship the tags of an event as the field _tags.

short_message

  • Value type is string
  • Default value is "short_message"

The GELF short message field name. If the field does not exist or is empty, the event message is taken instead.
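
A complete output block that combines the options above, as an added example that is not part of the original plugin documentation. The host name and the app_name, loglevel, password and session_token field names are constructed placeholders; ignore_metadata repeats the documented defaults and appends two fields that should not be shipped.

```logstash
output {
  gelf {
    # Named ID so this output can be told apart in the monitoring APIs.
    id       => "gelf_graylog_example"

    # Constructed placeholder host; replace with your Graylog2 server.
    host     => "graylog.example.internal"
    port     => 12201
    protocol => "TCP"              # the default is "UDP"

    # Report the application name instead of the event's source host.
    # "app_name" is a hypothetical event field.
    sender => "%{app_name}"

    # Same shape as the default ["%{severity}", "INFO"], using a
    # hypothetical "loglevel" field parsed from the event.
    level => ["%{loglevel}", "INFO"]

    short_message => "short_message"
    full_message  => "%{message}"

    # Sent to Graylog2 as _environment = production.
    custom_fields => { "environment" => "production" }

    ship_tags => true

    # With ship_metadata enabled, every event field that is not listed in
    # ignore_metadata is sent as an underscored additional field.
    ship_metadata => true

    # Setting ignore_metadata replaces the default list, so the defaults
    # are repeated here before the extra (hypothetical) fields that must
    # not be shipped.
    ignore_metadata => [
      "@timestamp", "@version", "severity", "host", "source_host",
      "source_path", "short_message",
      "password", "session_token"
    ]
  }
}
```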

Common options

These configuration options are supported by all output plugins:

Setting          Input type    Required
codec            codec         No
enable_metric    boolean       No
id               string        No

codec

  • Value type is codec
  • Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output without needing a separate filter in your Logstash pipeline.

enable_metric

  • Value type is boolean
  • Default value is true

Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

id

  • Value type is string
  • There is no default value for this setting.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 gelf outputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

output {
  gelf {
    id => "my_plugin_id"
  }
}

Variable substitution in the id field only supports environment variables and does not support the use of values from the secret store.