Logstash is a server app that ingests and parses log data. We recommend using it for shipping to Logz.io only when you have an existing Logstash configuration.

For most other cases, we recommend using Filebeat.

SSL shipping with Logstash

Configuration

You’ll need: JDK, Logstash

  1. Download the Logz.io certificate

    For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

    sudo wget https://raw.githubusercontent.com/logzio/public-certificates/master/COMODORSADomainValidationSecureServerCA.crt -P /etc/pki/tls/certs/
    
  2. (If needed) Install the Lumberjack output plugin

    The Lumberjack output plugin is required for SSL shipping. For most Logstash versions, the plugin is included by default.

    To see if Lumberjack output plugin is installed, cd to your Logstash bin directory and run this command:

    ./logstash-plugin list | grep logstash-output-lumberjack
    

    If you see logstash-output-lumberjack, skip to step 3.

    Otherwise, you’ll need to install the plugin.

    ./logstash-plugin install logstash-output-lumberjack
    
  3. Add Logz.io to your configuration file

    Add these code blocks to the end of your existing Logstash configuration file.

    Make sure the mutate block is the last item in the filters block.

    filter {
      # ...
      # ...
      mutate {
        add_field => { "token" => "<<SHIPPING-TOKEN>>" }
      }
    }
    
    output {
      lumberjack {
        hosts => ["<<LISTENER-HOST>>"]
        port => 5006
        ssl_certificate => "/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt"
        codec => "json_lines"
      }
    }
    
  4. Start Logstash

    Start or restart Logstash for the changes to take effect.

  5. Check Logz.io for your logs

    Give your logs some time to get from your system to ours, and then open Kibana.

    If you still don’t see your logs, see log shipping troubleshooting.

TCP shipping with Logstash

Configuration

You’ll need: JDK, Logstash

  1. Add Logz.io to your configuration file

    Add these code blocks to the end of your existing Logstash configuration file.

    Make sure the mutate block is the last item in the filters block.

    filters {
      # ...
      # ...
      mutate {
        add_field => { "token" => "<<SHIPPING-TOKEN>>" }
      }
    }
    
    output {
      tcp {
        host => "listener.logz.io"
        port => 5050
        codec => json_lines
      }
    }
    
  2. Start Logstash

    Start or restart Logstash for the changes to take effect.

  3. Check Logz.io for your logs

    Give your logs some time to get from your system to ours, and then open Kibana.

    If you still don’t see your logs, see log shipping troubleshooting.