VictoriaMetrics/docs/VictoriaLogs/data-ingestion/Logstash.md

---
weight: 3
title: Logstash setup
disableToc: true
menu:
  docs:
    parent: "victorialogs-data-ingestion"
    weight: 3
aliases:
  - /VictoriaLogs/data-ingestion/Logstash.html
  - /victorialogs/data-ingestion/logstash.html
  - /victorialogs/data-ingestion/Logstash.html
---
VictoriaLogs supports given below Logstash outputs:
- [Elasticsearch](#elasticsearch)
- [Loki](#loki)
- [HTTP JSON](#http)

## Elasticsearch

Specify [`output.elasticsearch`](https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html) section in the `logstash.conf` file
for sending the collected logs to [VictoriaLogs](https://docs.victoriametrics.com/victorialogs/):

```logstash
output {
  elasticsearch {
    hosts => ["http://localhost:9428/insert/elasticsearch/"]
    parameters => {
        "_msg_field" => "message"
        "_time_field" => "@timestamp"
        "_stream_fields" => "host.name,process.name"
    }
  }
}
```

Substitute `localhost:9428` address inside `hosts` with the real TCP address of VictoriaLogs.

See [these docs](https://docs.victoriametrics.com/victorialogs/data-ingestion/#http-parameters) for details on the `parameters` section.

It is recommended verifying whether the initial setup generates the needed [log fields](https://docs.victoriametrics.com/victorialogs/keyconcepts/#data-model)
and uses the correct [stream fields](https://docs.victoriametrics.com/victorialogs/keyconcepts/#stream-fields).
This can be done by specifying `debug` [parameter](https://docs.victoriametrics.com/victorialogs/data-ingestion/#http-parameters)
and inspecting VictoriaLogs logs then:

```logstash
output {
  elasticsearch {
    hosts => ["http://localhost:9428/insert/elasticsearch/"]
    parameters => {
        "_msg_field" => "message"
        "_time_field" => "@timestamp"
        "_stream_fields" => "host.name,process.name"
        "debug" => "1"
    }
  }
}
```

If some [log fields](https://docs.victoriametrics.com/victorialogs/keyconcepts/#data-model) must be skipped
during data ingestion, then they can be put into `ignore_fields` [parameter](https://docs.victoriametrics.com/victorialogs/data-ingestion/#http-parameters).
For example, the following config instructs VictoriaLogs to ignore `log.offset` and `event.original` fields in the ingested logs:

```logstash
output {
  elasticsearch {
    hosts => ["http://localhost:9428/insert/elasticsearch/"]
    parameters => {
        "_msg_field" => "message"
        "_time_field" => "@timestamp"
        "_stream_fields" => "host.hostname,process.name"
        "ignore_fields" => "log.offset,event.original"
    }
  }
}
```

If the Logstash sends logs to VictoriaLogs in another datacenter, then it may be useful enabling data compression via `http_compression: true` option.
This usually allows saving network bandwidth and costs by up to 5 times:

```logstash
output {
  elasticsearch {
    hosts => ["http://localhost:9428/insert/elasticsearch/"]
    parameters => {
        "_msg_field" => "message"
        "_time_field" => "@timestamp"
        "_stream_fields" => "host.hostname,process.name"
    }
    http_compression => true
  }
}
```

By default, the ingested logs are stored in the `(AccountID=0, ProjectID=0)` [tenant](https://docs.victoriametrics.com/victorialogs/#multitenancy).
If you need storing logs in other tenant, then specify the needed tenant via `custom_headers` at `output.elasticsearch` section.
For example, the following `logstash.conf` config instructs Logstash to store the data to `(AccountID=12, ProjectID=34)` tenant:

```logstash
output {
  elasticsearch {
    hosts => ["http://localhost:9428/insert/elasticsearch/"]
    custom_headers => {
        "AccountID" => "1"
        "ProjectID" => "2"
    }
    parameters => {
        "_msg_field" => "message"
        "_time_field" => "@timestamp"
        "_stream_fields" => "host.hostname,process.name"
    }
  }
}
```

## Loki

Specify [`output.loki`](https://grafana.com/docs/loki/latest/send-data/logstash/) section in the `logstash.conf` file
for sending the collected logs to [VictoriaLogs](https://docs.victoriametrics.com/victorialogs/):

```conf
output {
  loki {
     url => "http://victorialogs:9428/insert/loki/api/v1/push?_stream_fields=host.ip,process.name&_msg_field=message&_time_field=@timestamp"
  }
}
```

## HTTP

Specify [`output.http`](https://www.elastic.co/guide/en/logstash/current/plugins-outputs-http.html) section in the `logstash.conf` file
for sending the collected logs to [VictoriaLogs](https://docs.victoriametrics.com/victorialogs/):

```conf
output {
  url => "http://victorialogs:9428/insert/jsonline?_stream_fields=host.ip,process.name&_msg_field=message&_time_field=@timestamp"
  format => "json"
  http_method => "post"
}
```

See also:

- [Data ingestion troubleshooting](https://docs.victoriametrics.com/victorialogs/data-ingestion/#troubleshooting).
- [How to query VictoriaLogs](https://docs.victoriametrics.com/victorialogs/querying/).
- [Logstash `output.elasticsearch` docs](https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html).
- [Docker-compose demo for Logstash integration with VictoriaLogs](https://github.com/VictoriaMetrics/VictoriaMetrics/tree/master/deployment/docker/victorialogs/logstash).
docs: victorialogs add front-matter for data-ingestion items Signed-off-by: Artem Navoiev <tenmozes@gmail.com> 2023-07-14 20:06:27 +00:00			`---`
			`weight: 3`
			`title: Logstash setup`
docs: logs disable table of content for pages with no h2-h6, add aliases Signed-off-by: Artem Navoiev <tenmozes@gmail.com> 2023-07-14 20:56:38 +00:00			`disableToc: true`
docs: victorialogs add front-matter for data-ingestion items Signed-off-by: Artem Navoiev <tenmozes@gmail.com> 2023-07-14 20:06:27 +00:00			`menu:`
			`docs:`
			`parent: "victorialogs-data-ingestion"`
			`weight: 3`
docs: logs disable table of content for pages with no h2-h6, add aliases Signed-off-by: Artem Navoiev <tenmozes@gmail.com> 2023-07-14 20:56:38 +00:00			`aliases:`
			`- /VictoriaLogs/data-ingestion/Logstash.html`
docs: add more redirects Signed-off-by: Artem Navoiev <tenmozes@gmail.com> 2024-06-14 10:32:12 +00:00			`- /victorialogs/data-ingestion/logstash.html`
			`- /victorialogs/data-ingestion/Logstash.html`
docs: victorialogs add front-matter for data-ingestion items Signed-off-by: Artem Navoiev <tenmozes@gmail.com> 2023-07-14 20:06:27 +00:00			`---`
app/vlinsert: support getting _msg_field, _time_field, _stream_fields and _ignore_fields from headers * Many collectors don't support forwarding url query params to the remote system. It makes impossible to define stream fields for it. Workaround with proxy between VictoriaLogs and log shipper is too complicated solution. * This commit adds the following changes: * Adds fallback to to headers params, if query param is empty for: _msg_field -> VL-Msg-Field _stream_fields -> VL-Stream-Fields _ignore_fields -> VL-Ignore-Fields _time_field -> VL-Time-Field * removes deprecations from victorialogs compose files, added more output format examples for logstash, telegraf, fluent-bit related issue: https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5310 2024-09-03 15:43:26 +00:00			`VictoriaLogs supports given below Logstash outputs:`
			`- [Elasticsearch](#elasticsearch)`
			`- [Loki](#loki)`
			`- [HTTP JSON](#http)`

			`## Elasticsearch`

docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00			Specify [`output.elasticsearch`](https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html) section in the `logstash.conf` file
lib/logstorage: work-in-progress 2024-05-24 22:30:58 +00:00			`for sending the collected logs to [VictoriaLogs](https://docs.victoriametrics.com/victorialogs/):`
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00
view documentation locally (#6677) ### Describe Your Changes - moved files from root to VictoriaMetrics folder to be able to mount operator docs and VictoriaMetrics docs independently - added ability to run website locally ### Checklist The following checks are mandatory: - [ ] My change adheres [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/contributing/). 2024-07-24 08:00:31 +00:00			```logstash
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00			`output {`
			`elasticsearch {`
			`hosts => ["http://localhost:9428/insert/elasticsearch/"]`
			`parameters => {`
			`"_msg_field" => "message"`
			`"_time_field" => "@timestamp"`
			`"_stream_fields" => "host.name,process.name"`
			`}`
			`}`
			`}`
			```

			Substitute `localhost:9428` address inside `hosts` with the real TCP address of VictoriaLogs.

lib/logstorage: work-in-progress 2024-05-24 22:30:58 +00:00			See [these docs](https://docs.victoriametrics.com/victorialogs/data-ingestion/#http-parameters) for details on the `parameters` section.
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00
lib/logstorage: work-in-progress 2024-05-24 22:30:58 +00:00			`It is recommended verifying whether the initial setup generates the needed [log fields](https://docs.victoriametrics.com/victorialogs/keyconcepts/#data-model)`
			`and uses the correct [stream fields](https://docs.victoriametrics.com/victorialogs/keyconcepts/#stream-fields).`
			This can be done by specifying `debug` [parameter](https://docs.victoriametrics.com/victorialogs/data-ingestion/#http-parameters)
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00			`and inspecting VictoriaLogs logs then:`

view documentation locally (#6677) ### Describe Your Changes - moved files from root to VictoriaMetrics folder to be able to mount operator docs and VictoriaMetrics docs independently - added ability to run website locally ### Checklist The following checks are mandatory: - [ ] My change adheres [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/contributing/). 2024-07-24 08:00:31 +00:00			```logstash
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00			`output {`
			`elasticsearch {`
			`hosts => ["http://localhost:9428/insert/elasticsearch/"]`
			`parameters => {`
			`"_msg_field" => "message"`
			`"_time_field" => "@timestamp"`
			`"_stream_fields" => "host.name,process.name"`
			`"debug" => "1"`
			`}`
			`}`
			`}`
			```

lib/logstorage: work-in-progress 2024-05-24 22:30:58 +00:00			`If some [log fields](https://docs.victoriametrics.com/victorialogs/keyconcepts/#data-model) must be skipped`
			during data ingestion, then they can be put into `ignore_fields` [parameter](https://docs.victoriametrics.com/victorialogs/data-ingestion/#http-parameters).
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00			For example, the following config instructs VictoriaLogs to ignore `log.offset` and `event.original` fields in the ingested logs:

view documentation locally (#6677) ### Describe Your Changes - moved files from root to VictoriaMetrics folder to be able to mount operator docs and VictoriaMetrics docs independently - added ability to run website locally ### Checklist The following checks are mandatory: - [ ] My change adheres [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/contributing/). 2024-07-24 08:00:31 +00:00			```logstash
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00			`output {`
			`elasticsearch {`
			`hosts => ["http://localhost:9428/insert/elasticsearch/"]`
			`parameters => {`
			`"_msg_field" => "message"`
			`"_time_field" => "@timestamp"`
			`"_stream_fields" => "host.hostname,process.name"`
			`"ignore_fields" => "log.offset,event.original"`
			`}`
			`}`
			`}`
			```

			If the Logstash sends logs to VictoriaLogs in another datacenter, then it may be useful enabling data compression via `http_compression: true` option.
			`This usually allows saving network bandwidth and costs by up to 5 times:`

view documentation locally (#6677) ### Describe Your Changes - moved files from root to VictoriaMetrics folder to be able to mount operator docs and VictoriaMetrics docs independently - added ability to run website locally ### Checklist The following checks are mandatory: - [ ] My change adheres [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/contributing/). 2024-07-24 08:00:31 +00:00			```logstash
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00			`output {`
			`elasticsearch {`
			`hosts => ["http://localhost:9428/insert/elasticsearch/"]`
			`parameters => {`
			`"_msg_field" => "message"`
			`"_time_field" => "@timestamp"`
			`"_stream_fields" => "host.hostname,process.name"`
			`}`
			`http_compression => true`
			`}`
			`}`
			```

lib/logstorage: work-in-progress 2024-05-24 22:30:58 +00:00			By default, the ingested logs are stored in the `(AccountID=0, ProjectID=0)` [tenant](https://docs.victoriametrics.com/victorialogs/#multitenancy).
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00			If you need storing logs in other tenant, then specify the needed tenant via `custom_headers` at `output.elasticsearch` section.
			For example, the following `logstash.conf` config instructs Logstash to store the data to `(AccountID=12, ProjectID=34)` tenant:

view documentation locally (#6677) ### Describe Your Changes - moved files from root to VictoriaMetrics folder to be able to mount operator docs and VictoriaMetrics docs independently - added ability to run website locally ### Checklist The following checks are mandatory: - [ ] My change adheres [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/contributing/). 2024-07-24 08:00:31 +00:00			```logstash
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00			`output {`
			`elasticsearch {`
			`hosts => ["http://localhost:9428/insert/elasticsearch/"]`
			`custom_headers => {`
			`"AccountID" => "1"`
			`"ProjectID" => "2"`
			`}`
			`parameters => {`
			`"_msg_field" => "message"`
			`"_time_field" => "@timestamp"`
			`"_stream_fields" => "host.hostname,process.name"`
			`}`
			`}`
			`}`
			```

app/vlinsert: support getting _msg_field, _time_field, _stream_fields and _ignore_fields from headers * Many collectors don't support forwarding url query params to the remote system. It makes impossible to define stream fields for it. Workaround with proxy between VictoriaLogs and log shipper is too complicated solution. * This commit adds the following changes: * Adds fallback to to headers params, if query param is empty for: _msg_field -> VL-Msg-Field _stream_fields -> VL-Stream-Fields _ignore_fields -> VL-Ignore-Fields _time_field -> VL-Time-Field * removes deprecations from victorialogs compose files, added more output format examples for logstash, telegraf, fluent-bit related issue: https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5310 2024-09-03 15:43:26 +00:00			`## Loki`

			Specify [`output.loki`](https://grafana.com/docs/loki/latest/send-data/logstash/) section in the `logstash.conf` file
			`for sending the collected logs to [VictoriaLogs](https://docs.victoriametrics.com/victorialogs/):`

			```conf
			`output {`
			`loki {`
			`url => "http://victorialogs:9428/insert/loki/api/v1/push?_stream_fields=host.ip,process.name&_msg_field=message&_time_field=@timestamp"`
			`}`
			`}`
			```

			`## HTTP`

			Specify [`output.http`](https://www.elastic.co/guide/en/logstash/current/plugins-outputs-http.html) section in the `logstash.conf` file
			`for sending the collected logs to [VictoriaLogs](https://docs.victoriametrics.com/victorialogs/):`

			```conf
			`output {`
			`url => "http://victorialogs:9428/insert/jsonline?_stream_fields=host.ip,process.name&_msg_field=message&_time_field=@timestamp"`
			`format => "json"`
			`http_method => "post"`
			`}`
			```

docs/VictoriaLogs/data-ingestion: small fixes 2023-06-22 01:31:50 +00:00			`See also:`
docs/VictoriaLogs: change the structure of the docs in order to be more maintainable The change is based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4477 2023-06-21 05:08:19 +00:00
lib/logstorage: work-in-progress 2024-05-24 22:30:58 +00:00			`- [Data ingestion troubleshooting](https://docs.victoriametrics.com/victorialogs/data-ingestion/#troubleshooting).`
			`- [How to query VictoriaLogs](https://docs.victoriametrics.com/victorialogs/querying/).`
docs/VictoriaLogs/data-ingestion: small fixes 2023-06-22 01:31:50 +00:00			- [Logstash `output.elasticsearch` docs](https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html).
			`- [Docker-compose demo for Logstash integration with VictoriaLogs](https://github.com/VictoriaMetrics/VictoriaMetrics/tree/master/deployment/docker/victorialogs/logstash).`