Logstashedit

Multiple instances of Logstash can be deployed in addition to Elasticsearch, providing a pipeline for ingesting data into Elasticsearch. The version of Logstash deployed is always the same as the version of Elasticsearch, ensuring compatibility between products.

The following parameters can be used to deploy Logstash, and control additional configuration

logstash
Whether to deploy Logstash in addition to Elasticsearch. A value of Yes will also deploy Logstash, whilst No will not. Defaults to No.
vmSizeLogstash
The Azure VM SKU to use for Logstash. Different VM SKUs have different CPU, RAM, temporary storage space and network bandwidth. The Logstash VM always uses standard storage for the OS disk. The default value is Standard_D1.
vmLogstashCount
The number of Logstash VMs to deploy. Defaults to 1.
vmLogstashAcceleratedNetworking
Whether to enable accelerated networking for Logstash, which enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. Valid values are Default, Yes, No. The default is Default, which enables accelerated networking for the VM SKUs known to support it.
logstashHeapSize
The amount of memory, in megabytes, to allocate to Logstash for the JVM heap. Default will allocate whatever the default is within jvm.options for the version of Logstash deployed.
logstashConf

A Base-64 encoded string form of Logstash configuration file with which to start Logstash. A number of parameters are configured that can be referenced from the configuration file

${ELASTICSEARCH_URL}

the Elasticsearch endpoint

${LOGSTASH_SYSTEM_PASSWORD}

password of the built-in logstash_system user

${ELASTICSEARCH_CACERT}

the path to the CA cert used to secure the Elasticsearch HTTP layer. Only set when Transport Layer Security is configured for the Elasticsearch HTTP layer

TLS with Logstash monitoring

When Transport Layer Security is configured for the Elasticsearch HTTP layer, Logstash is configured to perform verification against the certificate presented, using the CA certificate used to secure the Elasticsearch HTTP layer.

Logstash communicates with Elasticsearch through the IP address of the internal load balancer, which means that a certificate provided with esHttpCertBlob is unlikely to pass hostname verification. In Logstash 6.4.0+, xpack.monitoring.elasticsearch.ssl.verification_mode is set to none. For prior versions of Logstash, monitoring is not enabled when a certificate has been provided with esHttpCertBlob.

When a CA certificate is provided with esHttpCaCertBlob, the generated certificates used to secure the Elasticsearch HTTP layer include the internal load balancer IP address, meaning monitoring can be enabled for all versions where Transport Layer Security is configured for the Elasticsearch HTTP layer.

logstashKeystorePassword

Security password for Logstash keystore, used to store values in Logstash 6.2.0 onwards.

If no value is supplied, a password will be generated using the ARM template uniqueString() function.

logstashAdditionalPlugins

Additional Logstash plugins to install. Each plugin must be separated by a semicolon. For example

logstash-input-azure_event_hubs;logstash-input-http_poller
logstashAdditionalYaml

Additional configuration that will be applied to the logstash.yml configuration file before start up. Each line must be separated by a \n newline character, for example

"pipeline.batch.size: 125\npipeline.batch.delay: 50"

It is recommended that you run your additional yaml through a linter before starting a deployment, as incorrectly formatted yaml will fail the deployment.

Logstash only accessible within the Virtual Network and communicates with Elasticsearch through the internal load balancer