Multiple instances of Logstash can be deployed in addition to Elasticsearch, providing a pipeline for ingesting data into Elasticsearch. The version of Logstash deployed is always the same as the version of Elasticsearch, ensuring compatibility between products.

The following parameters can be used to deploy Logstash, and control additional configuration

Whether to deploy Logstash in addition to Elasticsearch. A value of Yes will also deploy Logstash, whilst No will not. Defaults to No.
The Azure VM SKU to use for Logstash. Different VM SKUs have different CPU, RAM, temporary storage space and network bandwidth. The Logstash VM always uses standard storage for the OS disk. The default value is Standard_DS1_v2.
The number of Logstash VMs to deploy. Defaults to 1.
Whether to enable accelerated networking for Logstash, which enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. Valid values are Default, Yes, No. The default is Default, which enables accelerated networking for the VM SKUs known to support it.
The amount of memory, in megabytes, to allocate to Logstash for the JVM heap. Default will allocate whatever the default is within jvm.options for the version of Logstash deployed.

A Base-64 encoded string form of Logstash configuration file with which to start Logstash. A number of parameters are configured that can be referenced from the configuration file


the Elasticsearch endpoint


password of the built-in logstash_system user


the path to the CA cert used to secure the Elasticsearch HTTP layer. Only set when Transport Layer Security is configured for the Elasticsearch HTTP layer

TLS with Logstash monitoring

When Transport Layer Security is configured for the Elasticsearch HTTP layer, Logstash is configured to perform verification against the certificate presented, using the CA certificate used to secure the Elasticsearch HTTP layer.

Logstash communicates with Elasticsearch through the IP address of the internal load balancer, which means that a certificate provided with esHttpCertBlob is unlikely to pass hostname verification. For this reason, xpack.monitoring.elasticsearch.ssl.verification_mode is set to none.

When a CA certificate is provided with esHttpCaCertBlob, the generated certificates used to secure the Elasticsearch HTTP layer include the internal load balancer IP address, meaning monitoring can be enabled for all versions where Transport Layer Security is configured for the Elasticsearch HTTP layer.


Security password for Logstash keystore.

If no value is supplied, a password will be generated using the ARM template uniqueString() function.


Additional Logstash plugins to install. Each plugin must be separated by a semicolon. For example


Additional configuration that will be applied to the logstash.yml configuration file before start up. Each line must be separated by a \n newline character, for example

"pipeline.batch.size: 125\npipeline.batch.delay: 50"

It is recommended that you run your additional yaml through a linter before starting a deployment, as incorrectly formatted yaml will fail the deployment.

Logstash only accessible within the Virtual Network and communicates with Elasticsearch through the internal load balancer