Logstash

Logstash provides a lightweight agent for forwarding logs from various sources. You configure the sources using input plugins and output data using output plugins. For more information on input plugins, see Logstash Input Plugins documentation.

Installation

Observe works with the OSS version of Logstash, which may be downloaded at Logstash Downloads. The Logstash setup and run guides can be found here: Logstash Setup and Run Guide.

Requirements

To use Logstash, you need the following information:

1. Your Observe Customer ID

2. Your Observe ingest token

Note

Some Observe instances may optionally use a name instead of Customer ID; if this is the case for your instance, contact your Observe Data Engineer to discuss implementation. A stem name will work as is, but a DNS redirect name may require client configuration.

Configuration

1. Configure an output plugin to forward data to Observe by adding the following output configuration to your logstash.conf file and providing your Observe Customer ID and Ingest Token where indicated.

   output {
      elasticsearch {
          hosts => [ "https://${OBSERVE_CUSTOMER}.collect.observeinc.com:443/v1/elastic" ] 
          custom_headers => { "Authorization" => "Bearer ${OBSERVE_TOKEN}" }
          ssl => true
          http_compression => true
      }
   }
   

Retry on failure

Logstash supports retries. See the Logstash documentation for more information.