macOS Gatekeeper warnings
Apple’s rollout of stricter notarization requirements affected the notarization
of the 8.7.1 Logstash artifacts. If macOS Catalina displays a dialog when you
first run Logstash, you need to take an action to allow it to run.
To prevent Gatekeeper checks on the Logstash files, run the following command on the
.tar.gz archive or the directory to which was extracted:
xattr -d -r com.apple.quarantine <archive-or-directory>
For example, if the
.tar.gz file was extracted to the default
logstash-8.7.1 directory, the command is:
xattr -d -r com.apple.quarantine logstash-8.7.1
Alternatively, you can add a security override if a Gatekeeper popup appears by following the instructions in the How to open an app that hasn’t been notarized or is from an unidentified developer section of Safely open apps on your Mac.
Logstash has a rich collection of input, filter, codec, and output plugins. Check out the Elastic Support Matrix to see which plugins are supported at various levels.
Plugins are available in self-contained packages called gems and hosted on
RubyGems.org. Use the plugin manager
bin/logstash-plugin--to manage plugins:
No internet connection?edit
If you don’t have an internet connection, check out Offline Plugin Management for information on building, installing, and updating offline plugin packs.
Most plugin manager commands require access to the internet to reach RubyGems.org. If your organization is behind a firewall, you can set these environments variables to configure Logstash to use your proxy.
export http_proxy=http://localhost:3128 export https_proxy=http://localhost:3128
Logstash release packages bundle common plugins. To list the plugins currently available in your deployment:
bin/logstash-plugin list bin/logstash-plugin list --verbose bin/logstash-plugin list '*namefragment*' bin/logstash-plugin list --group output
Lists all installed plugins
Lists installed plugins with version information
Lists all installed plugins containing a namefragment
Lists all installed plugins for a particular group (input, filter, codec, output)
Adding plugins to your deploymentedit
When you have access to internet, you can retrieve plugins hosted on the RubyGems.orgpublic repository and install them on top of your Logstash installation.
bin/logstash-plugin install logstash-input-github
After a plugin is successfully installed, you can use it in your configuration file.
Plugins have their own release cycles and are often released independently of Logstash’s core release cycle. Using the update subcommand you can get the latest version of the plugin.
If you need to remove plugins from your Logstash installation:
bin/logstash-plugin remove logstash-input-github
Advanced: Adding a locally built pluginedit
In some cases, you may want to install plugins which are not yet released and not hosted on RubyGems.org. Logstash provides you the option to install a locally built plugin which is packaged as a ruby gem. Using a file location:
bin/logstash-plugin install /path/to/logstash-output-kafka-1.0.0.gem
Using the Logstash
--path.plugins flag, you can load a plugin source code located on your file system. Typically this is used by
developers who are iterating on a custom plugin and want to test it before creating a ruby gem.
The path needs to be in a specific directory hierarchy:
PATH/logstash/TYPE/NAME.rb, where TYPE is inputs filters, outputs or codecs and NAME is the name of the plugin.
# supposing the code is in /opt/shared/lib/logstash/inputs/my-custom-plugin-code.rb bin/logstash --path.plugins /opt/shared/lib
Intro to Kibana
ELK for Logs & Metrics