A Logstash config file has a separate section for each type of plugin you want to add to the event processing pipeline. For example:
# This is a comment. You should use comments to describe# parts of your configuration.input { ...}filter { ...}output { ...}
Each section contains the configuration options for one or more plugins. If you specifymultiple filters, they are applied in the order of their appearance in the configuration file.
The configuration of a plugin consists of the plugin name followedby a block of settings for that plugin. For example, this input section configures two file inputs:
input { file { path => "/var/log/messages" type => "syslog" } file { path => "/var/log/apache/access.log" type => "apache" }}
In this example, two settings are configured for each of the file inputs: path and type.
The settings you can configure vary according to the plugin type. For information about each plugin, see Input Plugins, Output Plugins, Filter Plugins, and Codec Plugins.
A plugin can require that the value for a setting be acertain type, such as boolean, list, or hash. The following valuetypes are supported.
This type is now mostly deprecated in favor of using a standard type like string
with the plugin defining the :list => true
property for better type checking. It is still needed to handle lists of hashes or mixed types where type checking is not desired.
Example:
users => [ {id => 1, name => bob}, {id => 2, name => jane} ]
Not a type in and of itself, but a property types can have.This makes it possible to type check multiple values.Plugin authors can enable list checking by specifying :list => true
when declaring an argument.
Example:
path => [ "/var/log/messages", "/var/log/*.log" ] uris => [ "http://elastic.co", "http://example.net" ]
This example configures path
, which is a string
to be a list that contains an element for each of the three strings. It also will configure the uris
parameter to be a list of URIs, failing if any of the URIs provided are not valid.
A boolean must be either true
or false
. Note that the true
and false
keywordsare not enclosed in quotes.
Example:
ssl_enable => true
A bytes field is a string field that represents a valid unit of bytes. It is aconvenient way to declare specific sizes in your plugin options. Both SI (k M G T P E Z Y)and Binary (Ki Mi Gi Ti Pi Ei Zi Yi) units are supported. Binary units are inbase-1024 and SI units are in base-1000. This field is case-insensitiveand accepts space between the value and the unit. If no unit is specified, the integer stringrepresents the number of bytes.
Examples:
my_bytes => "1113" # 1113 bytes my_bytes => "10MiB" # 10485760 bytes my_bytes => "100kib" # 102400 bytes my_bytes => "180 mb" # 180000000 bytes
A codec is the name of Logstash codec used to represent the data. Codecs can beused in both inputs and outputs.
Input codecs provide a convenient way to decode your data before it enters the input.Output codecs provide a convenient way to encode your data before it leaves the output.Using an input or output codec eliminates the need for a separate filter in your Logstash pipeline.
A list of available codecs can be found at the Codec Plugins page.
Example:
codec => "json"
A hash is a collection of key value pairs specified in the format "field1" => "value1"
.Note that multiple key value entries are separated by spaces rather than commas.
Example:
match => { "field1" => "value1" "field2" => "value2" ...}# or as a single line. No commas between entries:match => { "field1" => "value1" "field2" => "value2" }
Numbers must be valid numeric values (floating point or integer).
Example:
port => 33
A password is a string with a single value that is not logged or printed.
Example:
my_password => "password"
A URI can be anything from a full URL like http://elastic.co/ to a simple identifierlike foobar. If the URI contains a password such as http://user:pass@example.net the passwordportion of the URI will not be logged or printed.
Example:
my_uri => "http://foo:bar@example.net"
A path is a string that represents a valid operating system path.
Example:
my_path => "/tmp/logstash"
A string must be a single character sequence. Note that string values areenclosed in quotes, either double or single.
By default, escape sequences are not enabled. If you wish to use escapesequences in quoted strings, you will need to setconfig.support_escapes: true
in your logstash.yml
. When true
, quotedstrings (double and single) will have this transformation:
Text |
Result |
\r |
carriage return (ASCII 13) |
\n |
new line (ASCII 10) |
\t |
tab (ASCII 9) |
\\ |
backslash (ASCII 92) |
\" |
double quote (ASCII 34) |
\' |
single quote (ASCII 39) |
Example:
name => "Hello world" name => 'It\'s a beautiful day'
Comments are the same as in perl, ruby, and python. A comment starts with a # character, and does not need to be at the beginning of a line. For example:
# this is a commentinput { # comments can appear at the end of a line, too # ...}