Shipping with Logstash

• Overview
• Encrypted shipping
• Unencrypted shipping

Logstash is a server app that ingests and parses log data. We recommend using it for shipping to Logz.io only when you have an existing Logstash configuration.

For most other cases, we recommend using Filebeat.

These instructions apply to Logstash running on MacOS, Linux and Windows.

Shipping with Logstash over TCP - Encrypted

Before you begin, you’ll need: JDK, Logstash

Download the Logz.io public certificate to your Logstash server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

• For MacOS and Linux:

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /usr/share/logstash/keys/AAACertificateServices.crt

• For Windows:

Download the Logz.io public certificate to C:\ProgramData\ElkStack\logstash-<<YOUR-LOGSTASH-VERSION-NUMBER>>\AAACertificateServices.crt on your machine.

Add Logz.io to your configuration file

Add these code blocks to the end of your existing Logstash configuration file.

Make sure the mutate block is the last item in the filters block.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

• For MacOS and Linux:

filter {
  # ...
  # ...
  mutate {
    add_field => { "token" => "<<LOG-SHIPPING-TOKEN>>" }
  }
}

output {
  lumberjack {
    hosts => ["<<LISTENER-HOST>>"]
    port => 5006
    ssl_certificate => "/usr/share/logstash/keys/AAACertificateServices.crt"
    codec => "json_lines"
  }
}

• For Windows:

filter {
  # ...
  # ...
  mutate {
    add_field => { "token" => "<<LOG-SHIPPING-TOKEN>>" }
  }
}

output {
  lumberjack {
    hosts => ["<<LISTENER-HOST>>"]
    port => 5006
    ssl_certificate => "/C:\ProgramData\ElkStack\logstash-<<YOUR-LOGSTASH-VERSION-NUMBER>>\AAACertificateServices.crt"
    codec => "json_lines"
  }
}

Start Logstash

Start or restart Logstash for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don’t see your logs, see log shipping troubleshooting.

Ship with Logstash over TCP - Unencrypted

Before you begin, you’ll need: JDK, Logstash

Add Logz.io to your configuration file

Add these code blocks to the end of your existing Logstash configuration file.

Make sure the mutate block is the last item in the filters block.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

filter {
  # ...
  # ...
  mutate {
    add_field => { "token" => "<<LOG-SHIPPING-TOKEN>>" }
  }
}

output {
  tcp {
    host => "<<LISTENER-HOST>>"
    port => 5050
    codec => json_lines
  }
}

Start Logstash

Start or restart Logstash for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don’t see your logs, see log shipping troubleshooting.