Logstashedit

A single instance of Logstash can be deployed in addition to Elasticsearch, providing a pipeline for ingesting data into Elasticsearch. The version of Logstash deployed is always the same as the version of Elasticsearch, ensuring compatibility between products.

The following parameters can be used to deploy Logstash, and control additional configuration

logstash
Whether to deploy Logstash in addition to Elasticsearch. A value of Yes will also deploy Logstash, whilst No will not. Defaults to No.
vmSizeLogstash
The Azure VM SKU to use for Logstash. Different VM SKUs have different CPU, RAM, temporary storage space and network bandwidth. The Logstash VM always uses standard storage for the OS disk. The default value is Standard_D1.
Note

The template deploys only a single instance of Logstash. You should ensure that a VM SKU of sufficient size is chosen to be able to handle the expected amount of traffic. A larger VM SKU will generally be faster and have better bandwidth than a smaller VM SKU.

logstashHeapSize
The amount of memory, in megabytes, to allocate to Logstash for the JVM heap. Default will allocate whatever the default is within jvm.options for the version of Logstash deployed.
logstashConf

A Base-64 encoded string form of Logstash configuration file with which to start Logstash. A number of parameters are configured that can be referenced from the configuration file

${ELASTICSEARCH_URL}

the Elasticsearch endpoint

${LOGSTASH_SYSTEM_PASSWORD}

password of the built-in logstash_system user

${ELASTICSEARCH_CACERT}

the path to the CA cert used to secure the Elasticsearch HTTP layer. Only set when Transport Layer Security is configured for the Elasticsearch HTTP layer

Important

TLS with Logstash monitoring

When Transport Layer Security is configured for the Elasticsearch HTTP layer, Logstash is configured to perform verification against the certificate presented, using the CA certificate used to secure the Elasticsearch HTTP layer.

Logstash communicates with Elasticsearch through the IP address of the internal load balancer, which means that a certificate provided with esHttpCertBlob is unlikely to pass hostname verification. In Logstash 6.4.0+, xpack.monitoring.elasticsearch.ssl.verification_mode is set to none. For prior versions of Logstash, monitoring is not enabled when a certificate has been provided with esHttpCertBlob.

When a CA certificate is provided with esHttpCaCertBlob, the generated certificates used to secure the Elasticsearch HTTP layer include the internal load balancer IP address, meaning monitoring can be enabled for all versions where Transport Layer Security is configured for the Elasticsearch HTTP layer.

logstashKeystorePassword

Security password for Logstash keystore, used to store values in Logstash 6.2.0 onwards.

If no value is supplied, a password will be generated using the ARM template uniqueString() function.

logstashAdditionalPlugins

Additional Logstash plugins to install. Each plugin must be separated by a semicolon. For example

logstash-input-azure_event_hubs;logstash-input-http_poller
logstashAdditionalYaml

Additional configuration that will be applied to the logstash.yml configuration file before start up. Each line must be separated by a \n newline character, for example

"pipeline.batch.size: 125\npipeline.batch.delay: 50"

It is recommended that you run your additional yaml through a linter before starting a deployment, as incorrectly formatted yaml will fail the deployment.

Logstash only accessible within the Virtual Network and communicates with Elasticsearch through the internal load balancer