github.com/yankunsam/loki/v2@v2.6.3-0.20220817130409-389df5235c27/docs/sources/clients/logstash/_index.md

---
title: Logstash
weight: 70
---
# Logstash

Grafana Loki has a [Logstash](https://www.elastic.co/logstash) output plugin called
`logstash-output-loki` that enables shipping logs to a Loki
instance or [Grafana Cloud](https://grafana.com/products/cloud/).

## Installation

### Local

If you need to install the Loki output plugin manually, you can do so with the command below:

```bash
$ bin/logstash-plugin install logstash-output-loki
```

This downloads the latest gem for the output plugin from RubyGems and installs it in Logstash. To pin a known release instead of whatever is latest at install time, pass `--version`, for example `bin/logstash-plugin install --version 1.1.0 logstash-output-loki`.

### Docker

We also provide a Docker image on [Docker Hub](https://hub.docker.com/r/grafana/logstash-output-loki). The image contains Logstash with the Loki output plugin
already pre-installed.

For example, to run Logstash in Docker with `loki-test.conf` as the pipeline configuration, mount the file into the container and point `-f` at the mounted path:

```bash
docker run --rm \
  -v "$(pwd)/loki-test.conf:/home/logstash/loki-test.conf:ro" \
  grafana/logstash-output-loki:1.0.1 -f /home/logstash/loki-test.conf
```

### Kubernetes

We also provide default Helm values for scraping logs with Filebeat and forwarding them to Loki with Logstash in our `loki-stack` umbrella chart.
You can switch from Promtail to Logstash with the following command:

```bash
helm upgrade --install loki loki/loki-stack \
    --set filebeat.enabled=true,logstash.enabled=true,promtail.enabled=false \
    --set loki.fullnameOverride=loki,logstash.fullnameOverride=logstash-loki
```

This will automatically scrape the logs of all pods in the cluster and send them to Loki with Kubernetes metadata attached as labels.
You can use the [`values.yaml`](https://github.com/grafana/helm-charts/blob/main/charts/loki-stack/values.yaml) file as a starting point for your own configuration.

## Usage and Configuration

To configure Logstash to forward logs to Loki, add the `loki` output to your [Logstash configuration file](https://www.elastic.co/guide/en/logstash/current/configuration-file-structure.html) as documented below:

```conf
output {
  loki {
    [url => string | default = none | required=true]

    [tenant_id => string | default = nil | required=false]

    [message_field => string | default = "message" | required=false]

    [include_fields => array | default = [] | required=false]

    [batch_wait => number | default = 1(s) | required=false]

    [batch_size => number | default = 102400(bytes) | required=false]

    [min_delay => number | default = 1(s) | required=false]

    [max_delay => number | default = 300(s) | required=false]

    [retries => number | default = 10 | required=false]

    [username => string | default = nil | required=false]

    [password => secret | default = nil | required=false]

    [cert => path | default = nil | required=false]

    [key => path | default = nil | required=false]

    [ca_cert => path | default = nil | required=false]

    [insecure_skip_verify => boolean | default = false | required=false]
  }
}
```

By default the plugin builds each Loki entry from the fields of the Logstash event it receives. Take the event below:

```conf
{
  "@timestamp" => 2017-04-26T19:33:39.257Z,
  "src" => "localhost",
  "@version" => "1",
  "host" => "localhost.localdomain",
  "pid" => "1",
  "message" => "Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...",
  "type" => "stdin",
  "prog" => "systemd",
}
```

It contains `message` and `@timestamp` fields, which are used respectively as the Loki log line and the entry timestamp.

> You can use a different field for the log line with the [`message_field`](#message_field) option.
> If you also need to change the timestamp, use the Logstash [`date`](https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html) filter to set the `@timestamp` field.

All other fields (except nested fields) form the label set (key-value pairs) attached to the log line. Every distinct combination of label values is a separate stream in Loki, so [you are responsible for mutating and dropping high-cardinality labels](https://grafana.com/blog/2020/04/21/how-labels-in-loki-can-make-log-queries-faster-and-easier/) such as client IPs, request IDs, or any other value a remote party controls; left in place they bloat the index and slow queries down.
You can usually do so with a [`mutate`](https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html) filter.

**Note:** In version 1.1.0 and greater of this plugin you can also specify an allowlist of fields to turn into labels via the `include_fields` configuration.

For example, the configuration below:

```conf
input {
  ...
}

filter {
  mutate {
    add_field => {
      "cluster" => "us-central1"
      "job" => "logstash"
    }
    replace => { "type" => "stream" }
    remove_field => ["src"]
  }
}
output {
  loki {
    url => "http://myloki.domain:3100/loki/api/v1/push"
  }
}
```

adds the static labels `cluster` and `job`, removes the `src` field, and replaces the value of `type` with `stream` (use `rename` instead if you want the field itself renamed).

If you want to include nested fields or metadata fields (starting with `@`) you need to rename them.
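The label rules above (flat, non-`@` fields become labels; `message` and `@timestamp` become the entry; nested fields are dropped unless renamed; `include_fields` allowlists) can be checked offline. The Ruby below is an added model of that mapping written for this page, not the plugin's own code: it builds the `/loki/api/v1/push` request body from constructed events and counts the resulting streams, which is where the cardinality problem becomes visible. The sample events, the `client_ip` field, and the label-name filter (Loki rejects names outside `[a-zA-Z_][a-zA-Z0-9_]*`) are assumptions of this example.

```ruby
require 'json'
require 'time'

# Added model of how the loki output turns Logstash events into a push request.
# It is NOT the plugin's code; it implements the rules documented on this page:
#   - message_field  -> the log line
#   - @timestamp     -> the entry timestamp (epoch nanoseconds)
#   - every other flat, non-"@" field -> a label
#   - nested fields are dropped (rename them with mutate if you want them)
#   - include_fields, when set, allowlists which fields become labels
LABEL_NAME = /\A[a-zA-Z_][a-zA-Z0-9_]*\z/ # label-name grammar Loki accepts (assumed filter)

def labels_for(event, message_field: 'message', include_fields: [])
  event.each_with_object({}) do |(name, value), labels|
    next if name.start_with?('@')                   # @timestamp, @version: metadata
    next if name == message_field                   # the line itself is not a label
    next if value.is_a?(Hash) || value.is_a?(Array) # nested fields never become labels
    next unless include_fields.empty? || include_fields.include?(name)
    next unless name.match?(LABEL_NAME)             # e.g. "pod-template-hash" would be rejected by Loki
    labels[name] = value.to_s
  end
end

def entry_for(event, message_field: 'message')
  ts = Time.iso8601(event.fetch('@timestamp'))
  nanos = ts.to_i * 1_000_000_000 + ts.nsec         # Loki wants epoch nanoseconds as a string
  [nanos.to_s, event.fetch(message_field).to_s]
end

# Group entries by label set: one Loki stream per distinct label set.
def push_request(events, message_field: 'message', include_fields: [])
  streams = Hash.new { |h, k| h[k] = [] }
  events.each do |event|
    labels = labels_for(event, message_field: message_field, include_fields: include_fields)
    streams[labels] << entry_for(event, message_field: message_field)
  end
  { 'streams' => streams.map { |labels, values| { 'stream' => labels, 'values' => values } } }
end

def stream_count(events, **opts)
  push_request(events, **opts)['streams'].size
end

# Constructed sample: 50 events shaped like the systemd event above, plus a
# per-request client_ip field and a nested kubernetes hash.
SAMPLE_EVENTS = (1..50).map do |i|
  {
    '@timestamp' => format('2017-04-26T19:33:%02d.257Z', i),
    '@version'   => '1',
    'host'       => 'localhost.localdomain',
    'type'       => 'stdin',
    'prog'       => 'systemd',
    'client_ip'  => "10.0.0.#{i}",
    'kubernetes' => { 'namespace' => 'production' },
    'message'    => "request #{i} from 10.0.0.#{i}"
  }
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(push_request(SAMPLE_EVENTS.first(2)))
  puts "streams, all fields as labels: #{stream_count(SAMPLE_EVENTS)}"
  puts "streams, include_fields set:   #{stream_count(SAMPLE_EVENTS, include_fields: %w[host type prog])}"
end
```

Run as a script it prints the push body for two events and then the stream counts: 50 streams when `client_ip` is left as a label (one per event), a single stream once `include_fields` restricts labels to `host`, `type` and `prog`. The nested `kubernetes` hash never appears in either case, which is why the Kubernetes example that follows copies its values into flat fields first.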

Filebeat with the [`add_kubernetes_metadata`](https://www.elastic.co/guide/en/beats/filebeat/current/add-kubernetes-metadata.html) processor, for example, attaches Kubernetes metadata to your events like this:

```json
{
  "kubernetes": {
    "labels": {
      "app": "MY-APP",
      "pod-template-hash": "959f54cd",
      "serving": "true",
      "version": "1.0",
      "visualize": "true"
    },
    "pod": {
      "uid": "e20173cb-3c5f-11ea-836e-02c1ee65b375",
      "name": "MY-APP-959f54cd-lhd5p"
    },
    "node": {
      "name": "ip-xxx-xx-xx-xxx.ec2.internal"
    },
    "container": {
      "name": "istio"
    },
    "namespace": "production",
    "replicaset": {
      "name": "MY-APP-959f54cd"
    }
  },
  "message": "Failed to parse configuration",
  "@timestamp": "2017-04-26T19:33:39.257Z"
}
```

The filter below shows how to extract those Kubernetes fields into labels (`container_name`, `namespace`, `pod` and `host`). The flattened names deliberately use underscores: Loki label names must match `[a-zA-Z_][a-zA-Z0-9_]*`, so a key such as `pod-template-hash` cannot be used as a label as-is.

```conf
filter {
  if [kubernetes] {
    mutate {
      add_field => {
        "container_name" => "%{[kubernetes][container][name]}"
        "namespace" => "%{[kubernetes][namespace]}"
        "pod" => "%{[kubernetes][pod][name]}"
      }
      replace => { "host" => "%{[kubernetes][node][name]}" }
    }
  }
  mutate {
    remove_field => ["tags"]
  }
}
```

### Configuration Properties

#### url

The URL of the Loki server to send logs to.
The URL must include the push path, e.g. `http://localhost:3100/loki/api/v1/push`.

If you want to send to [Grafana Cloud](https://grafana.com/products/cloud/) you would use `https://logs-prod-us-central1.grafana.net/loki/api/v1/push`.

#### username / password

Specify a username and password if the Loki server requires basic authentication.
If using [Grafana Cloud](https://grafana.com/products/cloud/) hosted Loki, the username needs to be set to your instance/user ID and the password should be a Grafana.com API key.
Avoid putting the key in the pipeline file in clear text: store it in the [Logstash keystore](https://www.elastic.co/guide/en/logstash/current/keystore.html) and reference it as `password => "${LOKI_PASSWORD}"`. Basic auth only protects the credential in transit when the `url` uses `https` and certificate verification stays enabled (see [`insecure_skip_verify`](#insecure_skip_verify)).

#### message_field

Field to use for the log line. You can use Logstash field reference syntax to reach a nested property, for example `[log][message]`.

#### include_fields

An array of fields which will be mapped to labels and sent to Loki. When this list is configured **only** these fields are sent as labels; all other fields are ignored.

#### batch_wait

Interval in seconds to wait before pushing a batch of records to Loki. Even if the [batch size](#batch_size) is not reached, a partial batch is sent once `batch_wait` seconds have elapsed, to ensure freshness of the data.

#### batch_size

Maximum batch size in bytes to accrue before pushing to Loki. Defaults to 102400 bytes.

#### Backoff config

##### min_delay => 1 (1s)

Initial backoff time between retries, in seconds.

##### max_delay => 300 (5m)

Maximum backoff time between retries, in seconds.

##### retries => 10

Maximum number of retries to do. Setting it to `0` will retry indefinitely.

#### tenant_id

Loki is a multi-tenant log storage platform and all requests sent must include a tenant. For some installations the tenant will be set automatically by an authenticating proxy. Otherwise you can define a tenant to be passed through; the plugin sends it in the `X-Scope-OrgID` request header. The tenant can be any string value.

#### client certificate verification

Specify a client certificate and private key with `cert` and `key` if a reverse proxy with client certificate verification (mutual TLS) is configured in front of Loki. `ca_cert` can also be specified if the server uses a custom certificate authority; this is the right fix for a private CA, rather than disabling verification.

#### insecure_skip_verify

A flag to disable server certificate verification. By default it is set to `false`. Leave it that way outside of throwaway test setups: with verification off, the plugin completes the TLS handshake with whatever certificate the peer presents, so an on-path attacker can impersonate Loki and collect the basic auth credentials, tenant ID and log contents.
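`batch_size`, `batch_wait` and the backoff settings interact, and the prose above leaves a few questions open (what happens to a half-full batch, how the delay grows, when a batch is given up). The Ruby below is an added model written for this page, not the plugin's code, driven by a fake clock so it runs instantly and offline. Its assumptions, which the page does not state, are that the delay doubles from `min_delay` up to `max_delay`, that `retries` counts attempts after the first one, and that a batch is dropped once retries are exhausted.

```ruby
# Added model of the loki output's batching and retry behaviour. Not the
# plugin's code. Assumed (not documented on the page): exponential backoff
# doubling from min_delay to max_delay, `retries` = attempts after the first,
# batch dropped when retries are exhausted, retries == 0 means never give up.

class FakeClock
  attr_reader :now, :slept

  def initialize
    @now = 0.0
    @slept = []
  end

  def sleep(seconds)        # records the backoff instead of really sleeping
    @slept << seconds
    @now += seconds
  end

  def advance(seconds)
    @now += seconds
  end
end

class LokiBatcher
  attr_reader :pushed, :dropped

  def initialize(sender, clock, batch_size: 102_400, batch_wait: 1, min_delay: 1, max_delay: 300, retries: 10)
    @sender, @clock = sender, clock          # sender.call(batch) -> true on HTTP success
    @batch_size, @batch_wait = batch_size, batch_wait
    @min_delay, @max_delay, @retries = min_delay, max_delay, retries
    @lines, @bytes, @opened_at = [], 0, nil
    @pushed, @dropped = [], []
  end

  # Buffer a log line; flush as soon as the batch reaches batch_size bytes.
  def add(line)
    @opened_at ||= @clock.now
    @lines << line
    @bytes += line.bytesize
    flush if @bytes >= @batch_size
  end

  # Periodic check: a partial batch older than batch_wait is sent anyway (freshness).
  def tick
    flush if @opened_at && @clock.now - @opened_at >= @batch_wait
  end

  def flush
    return if @lines.empty?
    batch = @lines
    @lines, @bytes, @opened_at = [], 0, nil
    push_with_backoff(batch)
  end

  private

  def push_with_backoff(batch)
    delay = @min_delay
    attempts = 0
    loop do
      attempts += 1
      if @sender.call(batch)
        @pushed << batch
        return true
      end
      if @retries > 0 && attempts > @retries   # retries == 0: retry indefinitely
        @dropped << batch
        return false
      end
      @clock.sleep(delay)
      delay = [delay * 2, @max_delay].min
    end
  end
end

# Constructed scenario: Loki rejects the first three pushes, then recovers.
def demo
  clock = FakeClock.new
  failures_left = 3
  sender = lambda do |_batch|
    if failures_left > 0
      failures_left -= 1
      false
    else
      true
    end
  end
  batcher = LokiBatcher.new(sender, clock, batch_size: 64, batch_wait: 5, min_delay: 1, max_delay: 3, retries: 5)
  batcher.add('a' * 20)  # 20 bytes: below batch_size, stays buffered
  batcher.tick           # batch is 0s old: nothing happens
  clock.advance(5)
  batcher.tick           # batch_wait reached: partial batch is pushed, with backoff 1s, 2s, 3s (capped)
  batcher.add('b' * 70)  # 70 bytes >= batch_size: pushed immediately
  { pushed: batcher.pushed.size, dropped: batcher.dropped.size, slept: clock.slept }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

With `retries => 5`, `min_delay => 1` and `max_delay => 3`, the first batch goes out on the fourth attempt after sleeping 1s, 2s and 3s (the third step is capped by `max_delay`); nothing is dropped. Lower `retries` with a permanently failing endpoint and the model drops the batch instead, which is the trade-off the backoff settings express: how long Logstash holds logs for an unreachable Loki before discarding them.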

### Full configuration example

```conf
input {
  beats {
    port => 5044
  }
}

filter {
  if [kubernetes] {
    mutate {
      add_field => {
        "container_name" => "%{[kubernetes][container][name]}"
        "namespace" => "%{[kubernetes][namespace]}"
        "pod" => "%{[kubernetes][pod][name]}"
      }
      replace => { "host" => "%{[kubernetes][node][name]}" }
    }
  }
  mutate {
    remove_field => ["tags"] # Note: with include_fields defined below this wouldn't be necessary
  }
}

output {
  loki {
    url => "https://logs-prod-us-central1.grafana.net/loki/api/v1/push"
    username => "3241"
    password => "REDACTED" # prefer "${LOKI_PASSWORD}" resolved from the Logstash keystore
    batch_size => 112640 # 112.64 kilobytes
    retries => 5
    min_delay => 3
    max_delay => 500
    message_field => "message"
    include_fields => ["container_name","namespace","pod","host"]
  }
  # stdout { codec => rubydebug }
}
```
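The example above sends a basic auth credential over TLS, so the `ca_cert`, `cert`/`key` and `insecure_skip_verify` options decide whether that credential can be captured. The Ruby below is an added demonstration written for this page, not the plugin's code: it generates a throwaway CA, a server certificate, a client certificate and an attacker's self-signed certificate for the same name, starts two loopback TLS servers, and connects three times the way the plugin would under different settings. The trust store stands in for `ca_cert`, `VERIFY_NONE` for `insecure_skip_verify => true`, and the client certificate for `cert`/`key`; the host name `loki.example.internal` and all key material are constructed here.

```ruby
require 'openssl'
require 'socket'

# Added demonstration, not the plugin's code. Two loopback TLS servers: one with
# a certificate from the CA we trust (and requiring a client cert, i.e. mTLS),
# one "rogue" server presenting a self-signed certificate for the same name, as
# an on-path attacker would. Client settings mirror the plugin's options:
# trust store = ca_cert, VERIFY_NONE = insecure_skip_verify, client cert = cert/key.
HOST = 'loki.example.internal' # constructed name; only compared against certificates

def issue_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Start a TLS server on an ephemeral loopback port and return the port.
def start_tls_server(cert, key, client_ca: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  if client_ca # mTLS: only accept clients holding a certificate from client_ca
    store = OpenSSL::X509::Store.new
    store.add_cert(client_ca)
    ctx.cert_store = store
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  end
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        conn = server.accept # handshake; raises if the client aborts it
        conn.read            # wait until the client closes
        conn.close
      rescue StandardError
        nil # a client that rejected our certificate tore the handshake down
      end
    end
  end
  tcp.addr[1]
end

def connect(port, trusted_ca: nil, client_cert: nil, client_key: nil, skip_verify: false)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = client_cert if client_cert # plugin option: cert
  ctx.key = client_key if client_key    # plugin option: key
  if skip_verify
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # plugin option: insecure_skip_verify => true
  else
    store = OpenSSL::X509::Store.new
    store.add_cert(trusted_ca)                  # plugin option: ca_cert
    ctx.cert_store = store
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.sync_close = true
  ssl.hostname = HOST
  ssl.connect                                   # server certificate is checked here (or not)
  ssl.post_connection_check(HOST) unless skip_verify
  ssl.close
  :connected # basic auth header, tenant ID and log lines would now be sent to this peer
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  sock.close if sock && !sock.closed?
end

# Constructed scenario: internal CA issues the Loki server cert and a client cert
# for Logstash; an attacker holds a self-signed cert for the same host name.
def run_scenario
  ca_key    = OpenSSL::PKey::RSA.new(2048)
  ca        = issue_cert('LokiInternalCA', ca_key, ca: true)
  srv_key   = OpenSSL::PKey::RSA.new(2048)
  srv       = issue_cert(HOST, srv_key, issuer: ca, issuer_key: ca_key, san: "DNS:#{HOST}")
  cli_key   = OpenSSL::PKey::RSA.new(2048)
  cli       = issue_cert('logstash', cli_key, issuer: ca, issuer_key: ca_key)
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue     = issue_cert(HOST, rogue_key, san: "DNS:#{HOST}")

  real_port  = start_tls_server(srv, srv_key, client_ca: ca)
  rogue_port = start_tls_server(rogue, rogue_key)
  client = { client_cert: cli, client_key: cli_key }
  {
    real_verified:  connect(real_port, trusted_ca: ca, **client),
    rogue_verified: connect(rogue_port, trusted_ca: ca, **client),
    rogue_skipped:  connect(rogue_port, skip_verify: true, **client)
  }
end

puts run_scenario.inspect if $PROGRAM_NAME == __FILE__
```

The three results are the whole point: with `ca_cert` pointing at the internal CA the genuine server is accepted and the rogue one is rejected during the handshake, before any HTTP request (and therefore any `Authorization` header) is sent. With verification skipped, the rogue server is accepted just as readily as the real one, which is why `insecure_skip_verify` should only ever be a last resort and a private CA should be handled with `ca_cert` instead.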