Gelf output plugin

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in GitHub. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

This output generates messages in GELF format. This is most useful if you want to use Logstash to output events to Graylog2.

More information at The Graylog2 GELF specs page

This plugin supports the following configuration options plus the Common options described later.

Also see Common options for a list of options supported by all output plugins.

  • Value type is number
  • Default value is 1420

The chunksize. You usually don’t need to change this.

  • Value type is hash
  • Default value is {}

The GELF custom field mappings. GELF supports arbitrary attributes as custom fields. This exposes that. Exclude the _ portion of the field name e.g. custom_fields => ['foo_field', 'some_value'] sets _foo_field = some_value.

  • Value type is string
  • Default value is "%{message}"

The GELF full message. Dynamic values like %{foo} are permitted here.

  • This is a required setting.
  • Value type is string
  • There is no default value for this setting.

Graylog2 server IP address or hostname.

  • Value type is array
  • Default value is ["@timestamp", "@version", "severity", "host", "source_host", "source_path", "short_message"]

Ignore these fields when ship_metadata is set. Typically this lists the fields used in dynamic values for GELF fields.

  • Value type is array
  • Default value is ["%{severity}", "INFO"]

The GELF message level. Dynamic values like %{level} are permitted here; useful if you want to parse the log level from an event and use that as the GELF level/severity.

Values here can be integers [0..7] inclusive or any of "debug", "info", "warn", "error", "fatal" (case insensitive). Single-character versions of these are also valid: "d", "i", "w", "e", "f", "u". The following additional severity_labels from Logstash’s syslog_pri filter are accepted: "emergency", "alert", "critical", "warning", "notice", and "informational".

  • Value type is number
  • Default value is 12201

Graylog2 server port number.

By default, this plugin outputs via the UDP transfer protocol, but can be configured to use TCP instead.

  • Value type is string
  • Default value is "UDP"

Values here can be either "TCP" or "UDP".

  • Value type is string
  • Default value is "%{host}"

Allow overriding of the GELF sender field. This is useful if you want to use something other than the event’s source host as the "sender" of an event. A common case for this is using the application name instead of the hostname.

  • Value type is boolean
  • Default value is true

Should Logstash ship metadata within event object? This will cause Logstash to ship any fields in the event (such as those created by grok) in the GELF messages. These will be sent as underscored "additional fields".

  • Value type is boolean
  • Default value is true

Ship tags within events. This will cause Logstash to ship the tags of an event as the field _tags.

  • Value type is string
  • Default value is "short_message"

The GELF short message field name. If the field does not exist or is empty, the event message is taken instead.
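
To see which event fields end up in the outgoing message under these settings, the following added example (a Ruby sketch written for this page, not the plugin's own code) models ship_metadata, ignore_metadata, ship_tags, custom_fields and the short-message fallback as described above. `build_gelf`, `gelf_value` and the sample event are hypothetical and constructed; joining arrays into one string and the GELF version value are assumptions.

```ruby
require "json"

# Default ignore list, copied from the option description above.
IGNORE_DEFAULT = ["@timestamp", "@version", "severity", "host", "source_host",
                  "source_path", "short_message"].freeze

# Constructed sample event (what a grok-parsed sshd line might look like).
SAMPLE_EVENT = {
  "@timestamp" => "2024-01-01T00:00:00Z", "host" => "web01", "severity" => "warn",
  "message" => "Failed password for root from 203.0.113.7",
  "src_ip" => "203.0.113.7", "pid" => 4242,
  "session_token" => "CONSTRUCTED-TOKEN", "tags" => ["ssh", "auth"]
}.freeze

# Hypothetical helper: keep numbers, turn everything else into a string.
def gelf_value(value)
  return value if value.is_a?(Numeric)
  value.is_a?(Array) ? value.join(", ") : value.to_s
end

# Hypothetical helper modelling the options described on this page.
def build_gelf(event, sender:, ship_metadata: true, ship_tags: true,
               ignore_metadata: IGNORE_DEFAULT, custom_fields: {},
               short_message: "short_message")
  short = event[short_message].to_s
  short = event["message"].to_s if short.empty? # missing or empty: use message
  gelf = { "version" => "1.1", "host" => sender, # version value is an assumption
           "short_message" => short, "full_message" => event["message"].to_s }
  if ship_metadata
    event.each do |name, value|
      next if value.nil? || ignore_metadata.include?(name)
      next if %w[message tags].include?(name) # handled separately in this sketch
      gelf["_#{name}"] = gelf_value(value)    # shipped as underscored field
    end
  end
  gelf["_tags"] = gelf_value(event["tags"]) if ship_tags && event["tags"]
  # custom_fields keys are given without the leading underscore
  custom_fields.each { |name, value| gelf["_#{name}"] = gelf_value(value) }
  gelf
end

puts JSON.pretty_generate(
  build_gelf(SAMPLE_EVENT, sender: "web01",
             custom_fields: { "foo_field" => "some_value" })
)
```

With the defaults, every parsed field that is not in the ignore list (here including `session_token`) is present in the output; adding a field name to the ignore list or setting ship_metadata to false removes it.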

These configuration options are supported by all output plugins:

Setting        Input type  Required
codec          codec       No
enable_metric  boolean     No
id             string      No

  • Value type is codec
  • Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output without needing a separate filter in your Logstash pipeline.

  • Value type is boolean
  • Default value is true

Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

  • Value type is string
  • There is no default value for this setting.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 gelf outputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

output {
  gelf {
    id => "my_plugin_id"
  }
}