A single instance of Logstash can be deployed in addition to Elasticsearch, providing a pipeline for ingesting data into Elasticsearch. The version of Logstash deployed is always the same as the version of Elasticsearch, ensuring compatibility between products.
The following parameters can be used to deploy Logstash, and control additional configuration
- Whether to deploy Logstash in addition to Elasticsearch. A value of
Yeswill also deploy Logstash, whilst
Nowill not. Defaults to
- The Azure VM SKU to use for Logstash. Different VM SKUs have different CPU, RAM,
temporary storage space and network bandwidth. The Logstash VM always uses standard storage for the OS disk. The default value is
The template deploys only a single instance of Logstash. You should ensure that a VM SKU of sufficient size is chosen to be able to handle the expected amount of traffic. A larger VM SKU will generally be faster and have better bandwidth than a smaller VM SKU.
- Whether to enable accelerated networking for Logstash,
which enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its
networking performance. Valid values are
No. The default is
Default, which enables accelerated networking for the VM SKUs known to support it.
- The amount of memory, in megabytes, to allocate to Logstash for the JVM heap. Default will allocate whatever the default is within jvm.options for the version of Logstash deployed.
A Base-64 encoded string form of Logstash configuration file with which to start Logstash. A number of parameters are configured that can be referenced from the configuration file
the Elasticsearch endpoint
password of the built-in
the path to the CA cert used to secure the Elasticsearch HTTP layer. Only set when Transport Layer Security is configured for the Elasticsearch HTTP layer
TLS with Logstash monitoring
When Transport Layer Security is configured for the Elasticsearch HTTP layer, Logstash is configured to perform verification against the certificate presented, using the CA certificate used to secure the Elasticsearch HTTP layer.
Logstash communicates with Elasticsearch through the IP address of the internal load balancer, which means
that a certificate provided with
esHttpCertBlob is unlikely to pass hostname
verification. In Logstash 6.4.0+,
xpack.monitoring.elasticsearch.ssl.verification_mode is set to
For prior versions of Logstash, monitoring is not enabled when a certificate has been provided with
When a CA certificate is provided with
esHttpCaCertBlob, the generated certificates used to
secure the Elasticsearch HTTP layer include the internal load balancer IP address, meaning
monitoring can be enabled for all versions where Transport Layer Security is configured
for the Elasticsearch HTTP layer.
Security password for Logstash keystore, used to store values in Logstash 6.2.0 onwards.
If no value is supplied, a password will be generated using the ARM template
Additional Logstash plugins to install. Each plugin must be separated by a semicolon. For example
Additional configuration that will be applied to the logstash.yml configuration file before start up. Each line must be separated by a
\nnewline character, for example
"pipeline.batch.size: 125\npipeline.batch.delay: 50"
It is recommended that you run your additional yaml through a linter before starting a deployment, as incorrectly formatted yaml will fail the deployment.
Logstash only accessible within the Virtual Network and communicates with Elasticsearch through the internal load balancer