For other versions, see the Versioned plugin docs.
For plugins not bundled by default, it is easy to install by running bin/logstash-plugin install logstash-output-gelf. See Working with plugins for more details.
For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in GitHub. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
This output generates messages in GELF format. This is most useful if you want to use Logstash to output events to Graylog2.
More information at The Graylog2 GELF specs page
This plugin supports the following configuration options plus the Common Options described later.
Setting | Input type | Required |
---|---|---|
| | | No |
| | | No |
| | | No |
| | | Yes |
| | | No |
| | | No |
| | | No |
| | | No |
| | | No |
| | | No |
| | | No |
| | | No |

Also see Common Options for a list of options supported by all output plugins.
1420
The chunksize. You usually don’t need to change this.
{}
The GELF custom field mappings. GELF supports arbitrary attributes as custom fields. This exposes that. Exclude the _ portion of the field name, e.g. custom_fields => ['foo_field', 'some_value'] sets _foo_field = some_value.
"%{message}"
The GELF full message. Dynamic values like %{foo} are permitted here.
Graylog2 server IP address or hostname.
["@timestamp", "@version", "severity", "host", "source_host", "source_path", "short_message"]
Ignore these fields when ship_metadata is set. Typically this lists the fields used in dynamic values for GELF fields.
["%{severity}", "INFO"]
The GELF message level. Dynamic values like %{level} are permitted here; useful if you want to parse the log level from an event and use that as the GELF level/severity.
Values here can be integers [0..7] inclusive or any of "debug", "info", "warn", "error", "fatal" (case insensitive). Single-character versions of these are also valid: "d", "i", "w", "e", "f", "u". The following additional severity_labels from Logstash's syslog_pri filter are accepted: "emergency", "alert", "critical", "warning", "notice", and "informational".
By default, this plugin outputs via the UDP transfer protocol, but can be configured to use TCP instead.
"UDP"
Values here can be either "TCP" or "UDP".
"%{host}"
Allow overriding of the GELF sender field. This is useful if you want to use something other than the event's source host as the "sender" of an event. A common case for this is using the application name instead of the hostname.
true
Should Logstash ship metadata within event object? This will cause Logstash to ship any fields in the event (such as those created by grok) in the GELF messages. These will be sent as underscored "additional fields".
true
Ship tags within events. This will cause Logstash to ship the tags of an event as the field _tags.
"short_message"
The GELF short message field name. If the field does not exist or is empty, the event message is taken instead.
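Because ship_metadata defaults to true, every event field not listed in ignore_metadata leaves the pipeline as an underscored additional field. The following added example (a simplified Ruby model of the behaviour documented above, not the plugin's own code) shows which fields a constructed event would ship; the gelf_fields and unexpected_fields helpers, the sample event and the allow-list are assumptions of this example.

```ruby
# Default ignore_metadata list as given on this page.
DEFAULT_IGNORE = ["@timestamp", "@version", "severity", "host",
                  "source_host", "source_path", "short_message"].freeze

# Simplified model of the documented field handling (illustration only, not
# the plugin's implementation). `event` is a Hash standing in for an event.
def gelf_fields(event, ship_metadata: true, ship_tags: true,
                ignore_metadata: DEFAULT_IGNORE, custom_fields: {},
                short_message: "short_message")
  gelf = {}
  # short_message falls back to the event message when missing or empty.
  short = event[short_message].to_s
  gelf["short_message"] = short.empty? ? event["message"].to_s : short
  gelf["full_message"] = event["message"].to_s    # default "%{message}"
  gelf["host"] = event["host"].to_s               # default sender "%{host}"
  if ship_metadata
    event.each do |name, value|
      # Assumption: "message" is skipped because it already ships as full_message.
      next if value.nil? || name == "message"
      next if ignore_metadata.include?(name)
      gelf["_#{name}"] = value                    # underscored additional field
    end
  end
  gelf["_tags"] = event["tags"] if ship_tags && event["tags"]
  custom_fields.each { |k, v| gelf["_#{k}"] = v } # configured without the "_"
  gelf
end

# Additional fields that would be shipped but are not on a reviewed
# allow-list (the allow-list is an assumption of this example).
def unexpected_fields(gelf, allowed)
  gelf.keys.select { |k| k.start_with?("_") } - allowed
end

# Constructed sample event: grok has extracted a credential into its own field.
SAMPLE_EVENT = {
  "@timestamp" => "2024-01-01T00:00:00Z", "@version" => "1",
  "host" => "web01", "message" => "login user=alice password=hunter2",
  "user" => "alice", "password" => "hunter2", "tags" => ["auth"]
}.freeze

if __FILE__ == $PROGRAM_NAME
  out = gelf_fields(SAMPLE_EVENT, custom_fields: { "foo_field" => "some_value" })
  puts out.inspect
  puts "unreviewed: #{unexpected_fields(out, %w[_user _tags _foo_field]).inspect}"
end
```

Adding a field name to ignore_metadata, or setting ship_metadata to false, keeps that field out of the additional fields; text already inside the event message still ships as the full message.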
The following configuration options are supported by all output plugins:
"plain"
The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output without needing a separate filter in your Logstash pipeline.
true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type. For example, if you have 2 gelf outputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
output { gelf { id => "my_plugin_id" }}