Get Startededit

Step 1: Configure application loggingedit

If you want to integrate with an existing logger emitting ECS json to a file or stdout/stderr.

Choose one of our formatters:

If you want to write the logs directly to one of Elastic’s endpoints (e.g Elastic Cloud / Elasticsearch)

Choose one of our data shipping loggers:

Step 2: Enable APM log correlation (optional)edit

If you are using the Elastic APM .NET agent, log correlation can be configured to inject trace, transaction and span id fields into log events.

By default the ECS logging integrations will read tracing information from System.Diagnostics.Activity if the APM logging corrolation libraries are not installed.

Step 3: Configure Filebeat (optional)edit

If you are using one of our log formatters you can use the following methods to ship these logs to Elastic.

  1. Follow the Filebeat quick start
  2. Add the following configuration to your filebeat.yaml file.

For Filebeat 7.16+

filebeat.yaml.

filebeat.inputs:
- type: filestream 
  paths: /path/to/logs.json
  parsers:
    - ndjson:
      overwrite_keys: true 
      add_error_key: true 
      expand_keys: true 

processors: 
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

Use the filestream input to read lines from active log files.

Values from the decoded JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) in case of conflicts.

Filebeat adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors.

Filebeat will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure.

Processors enhance your data. See processors to learn more.

For Filebeat < 7.16

filebeat.yaml.

filebeat.inputs:
- type: log
  paths: /path/to/logs.json
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
  json.expand_keys: true

processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~

For more information, see the Filebeat reference.