Configure Logstash (without Cloud ID)

These instructions apply to Logstash versions before 6.0, or to any version when you are not using a Logstash module. If you are running Logstash 6.0 or later with a module, use your Cloud ID instead: it makes configuring Logstash quicker and less error-prone. To learn more, check Configure Beats and Logstash with Cloud ID.

A popular use case for the Elastic Stack is to store and analyze logs. If you have Logstash installed, either in your own cloud provider environment or on a local machine, you can configure it to send log events to your Elasticsearch cluster on Elasticsearch Service.

To send logs to Elasticsearch, use the elasticsearch output plugin. Specify the following options in the plugin's section of your configuration file:

  1. Point Logstash to a cluster in Elasticsearch Service with the hosts parameter. Logstash versions before 2.x might also require that you specify values for protocol and port.
  2. Include user and password credentials, if required. For Elasticsearch 5.0 and later, X-Pack security features are always enabled on Elasticsearch Service, so you must include user credentials to connect to your cluster.
  3. Logstash versions before 2.x might require that you set ssl to true. We recommend that you always use SSL, so that neither the credentials nor the log data cross the network in the clear.
  4. Specify any additional options that you want to include, such as the index to use and the document type.

To make it easier to get started, we have included a couple of examples. The parameters in Logstash configuration files changed between versions, so make sure that you adapt the example that applies to your version of Logstash.

Logstash and the Elasticsearch cluster receiving the logs do not have to run the same version, but not all combinations are compatible. To learn more about supported Logstash versions, check Support Matrix.

For production systems, these examples need to be modified further. They are meant to help you get started quickly, but they authenticate as the built-in superusers created by X-Pack (elastic) or Shield (admin), which should never be used in production: those accounts have full control of the cluster, so anyone who reads the pipeline file or compromises the Logstash host gains that control too. If you plan to put Logstash into production, create a dedicated user that has only the minimum permissions the output plugin needs (writing to, and creating, the target indices), and keep its password out of the configuration file.

Example: Sending logs to Elasticsearch (Logstash version 2.0 and later)

To send logs to the myindex index with the document type mylogs, specify output options similar to the following in your configuration file:

output {
  elasticsearch {
    hosts => "https://6f881bxxxxxxxxxxxxxxxxxxx.us-east-1.aws.found.io:9243"
    user => "elastic"
    password => "xxxxxxxxxxxxxxxxxxx"
    index => "myindex"
    document_type => "mylogs"
  }
}

Before starting Logstash, validate the file with bin/logstash -t -f <file> (Logstash 5.0 and later; use --configtest on earlier versions). To learn more about configuration options, check Configuring Logstash.
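The following script is an added example, not part of the Elastic documentation, that carries the production advice above through to working commands: it provisions a least-privilege role and user on the cluster through the Elasticsearch security API, and emits a hardened version of the Logstash 2.0+ output stanza that uses that user instead of elastic. The role name logstash_writer, the user name logstash_internal, the index pattern myindex*, the CA bundle path /etc/logstash/certs/ca.pem, and the ES_URL, ES_ADMIN_USER and ES_ADMIN_PASS variables are assumptions made here, not names from the page. The security API path is /_security on Elasticsearch 7 and later; on 5.x and 6.x set SECURITY_API=_xpack/security.

```shell
#!/usr/bin/env bash
# Added example (not from the Elastic page): provision a least-privilege
# Logstash principal and emit a hardened elasticsearch output stanza.
# Assumed names (not in the original): role logstash_writer, user
# logstash_internal, index pattern myindex*, CA bundle
# /etc/logstash/certs/ca.pem, ES_URL/ES_ADMIN_USER/ES_ADMIN_PASS variables.
set -u

SECURITY_API="${SECURITY_API:-_security}"   # _xpack/security on ES 5.x/6.x

# Role body: create and write to the target indices only, plus the two cluster
# privileges the output plugin needs to manage its index template and check
# cluster health. Patterns that would grant write on every index are refused.
role_body() {
  local pattern="$1"
  case "$pattern" in
    ''|'*'|'_all')
      echo "refusing index pattern '${pattern}': grants write on every index" >&2
      return 1 ;;
  esac
  cat <<EOF
{
  "cluster": ["monitor", "manage_index_templates"],
  "indices": [
    { "names": ["${pattern}"], "privileges": ["write", "create_index"] }
  ]
}
EOF
}

# User body: password and role only. The password is assumed to contain no
# JSON metacharacters (the generated base64 value below never does).
user_body() {
  local password="$1" role="$2"
  printf '{ "password": "%s", "roles": ["%s"] }\n' "$password" "$role"
}

# Hardened output stanza for Logstash 2.0+: dedicated user, password resolved
# at load time from the environment or keystore via ${ES_PASSWORD}, TLS forced
# on and pinned to a CA bundle, and a daily index that stays inside the
# pattern the role allows. document_type is left out: Elasticsearch 6 allows
# a single type per index and Logstash 6 deprecated the option.
pipeline_output() {
  local host="$1" user="$2" cacert="$3"
  cat <<EOF
output {
  elasticsearch {
    hosts    => ["${host}"]
    user     => "${user}"
    password => "\${ES_PASSWORD}"
    ssl      => true
    cacert   => "${cacert}"
    index    => "myindex-%{+YYYY.MM.dd}"
  }
}
EOF
}

# Network calls happen only when invoked with "apply"; the helpers above are
# side-effect free so the script can be sourced, tested or dry-run.
es_post() {  # es_post <path>; JSON body on stdin
  curl --fail -sS -u "${ES_ADMIN_USER}:${ES_ADMIN_PASS}" \
    -H 'Content-Type: application/json' -X POST \
    "${ES_URL}/$1" --data-binary @-
}

if [ "${1:-}" = "apply" ]; then
  : "${ES_URL:?e.g. https://<cluster-id>.us-east-1.aws.found.io:9243}" \
    "${ES_ADMIN_USER:?}" "${ES_ADMIN_PASS:?}"
  LS_PASS="$(openssl rand -base64 24)"
  role_body 'myindex*' | es_post "${SECURITY_API}/role/logstash_writer"
  user_body "$LS_PASS" logstash_writer | es_post "${SECURITY_API}/user/logstash_internal"
  pipeline_output "$ES_URL" logstash_internal /etc/logstash/certs/ca.pem \
    > /etc/logstash/conf.d/99-output.conf
  echo "store LS_PASS as ES_PASSWORD in the Logstash keystore or service environment" >&2
fi
```

Run it as ES_URL=... ES_ADMIN_USER=elastic ES_ADMIN_PASS=... ./script.sh apply from an administrator's workstation, then put the generated password where Logstash resolves ${ES_PASSWORD} from (the Logstash keystore on 6.2 and later, or the service's environment on 5.0 and later) rather than in the pipeline file. The ${VAR} substitution needs Logstash 5.0 or later; on older versions the password still has to be a literal, which is one more reason to keep the account's permissions to the two indices privileges shown.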

Example: Sending logs to Elasticsearch (Logstash versions before 2.0)

To send logs to the myindex index with the document type mylogs, specify output options similar to the following in your configuration file:

output {
  elasticsearch {
    hosts => "1923a7xxxxxxxxxxxxxxxxxxx.eu-west-1.aws.found.io"
    user => "admin"
    password => "xxxxxxxxxxxxxxxxxxx"
    protocol => http
    ssl => true
    port => "9243"
    index => "myindex"
    document_type => "mylogs"
  }
}

To learn more about configuration options, check Configuring Logstash.