# Logstash

![](https://i.imgflip.com/51za09.jpg)
[Nicsmeme](https://imgflip.com/i/51za09)

### Centralize, transform & stash your data
> Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite "stash."

![](https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt48aca1f4f91f8ee7/5d0ab511b0b16b1c530d26bc/illustration-logstash-header.png)

### Inputs

#### Ingest data of all shapes, sizes, and sources

> Data is often scattered or siloed across many systems in many formats. Logstash supports a variety of [inputs](https://www.elastic.co/guide/en/logstash/current/input-plugins.html) that pull in events from a multitude of common sources, all at the same time. Easily ingest from your logs, metrics, web applications, data stores, and various AWS services, all in continuous, streaming fashion.

![](https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt5939ba2e40ba0790/5d0d59d096d2d1b65a98422c/diagram-logstash-inputs.svg)

### Filters

**Parse & transform your data on the fly**

As data travels from source to store, Logstash filters parse each event, identify named fields to build structure, and transform them to converge on a common format for more powerful analysis and business value.

Logstash dynamically transforms and prepares your data regardless of format or complexity:

* Derive structure from unstructured data with grok
* Decipher geo coordinates from IP addresses
* Anonymize PII data, exclude sensitive fields completely
* Ease overall processing, independent of the data source, format, or schema.

![](https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/bltd908f368097df15a/5d0d59ed970556dd5800ed8b/diagram-logstash-filters.svg)

### Outputs

**Choose your stash, transport your data**

While Elasticsearch is our go-to output that opens up a world of search and analytics possibilities, it’s not the only one available.

Logstash has a variety of [outputs](https://www.elastic.co/guide/en/logstash/current/output-plugins.html) that let you route data where you want, giving you the flexibility to unlock a slew of downstream use cases.

![](https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt169c0535507b407e/5d0d5a0fb58121dc58ed6a40/diagram-logstash-outputs.svg)

### Extensibility

#### Create and configure your pipeline, your way

Logstash has a pluggable framework featuring over 200 plugins. Mix, match, and orchestrate different inputs, filters, and outputs to work in pipeline harmony.

Build your own plugin in Ruby and package it as a gem.

See the [reference](https://www.elastic.co/guide/en/logstash/current/input-new-plugin.html).

## Read the docs 
https://www.elastic.co/guide/en/logstash/current/introduction.html

### Introduction

Logstash is an open source data collection engine with real-time pipelining capabilities. Logstash can dynamically unify data from disparate sources and normalize the data into destinations of your choice. Cleanse and democratize all your data for diverse advanced downstream analytics and visualization use cases.



While Logstash originally drove innovation in log collection, its capabilities extend well beyond that use case. Any type of event can be enriched and transformed with a broad array of input, filter, and output plugins, with many native codecs further simplifying the ingestion process. Logstash accelerates your insights by harnessing a greater volume and variety of data.

![](https://www.elastic.co/guide/en/logstash/8.1/static/images/basic_logstash_pipeline.png)

## Configuration

### Pipelines
A conf file is a configuration for a pipeline.

```conf
# This is a comment. You should use comments to describe
# parts of your configuration.
input {
  ...
}

filter {
  ...
}

output {
  ...
}
```

### Settings

`logstash.yml` is the settings file, in YAML format, containing the general options that control Logstash execution.

https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html

```yaml
pipeline:
  batch:
    size: 125
    delay: 50
```

## Logstash on Docker

Elastic provides a ready-to-use image on Docker Hub:

https://hub.docker.com/_/logstash

### Config "Echo Stash"
i.e., a simple configuration that echoes standard input

```conf
input {
  java_stdin {
    id => "tap_in"
  }
}


output {
  stdout {}
}
```

### Run 

We will mount the configuration to the docker container at runtime 
```bash
# Must be run from the logstash directory
cd logstash 
docker run --rm -it --hostname="logstash" -v "$PWD/pipeline/echostash.conf:/usr/share/logstash/pipeline/logstash.conf" -e XPACK_MONITORING_ENABLED=false docker.elastic.co/logstash/logstash:8.13.0
```

Start writing

```text
Ciao
{
      "@version" => "1",
    "@timestamp" => 2024-04-03T19:11:45.546138094Z,
       "message" => "Ciao",
      "hostname" => "logstash"
}
```

## Something more than the console?

Build a new image
```bash
# Must be run from the logstash directory
cd logstash 
docker build . -t tap:logstash
docker run --rm -p 8080:8080 -it --name "logstash" --hostname="logstash" -v "$PWD/pipeline/httptofile.conf:/usr/share/logstash/pipeline/logstash.conf" -e XPACK_MONITORING_ENABLED=false tap:logstash
```

#### Input
```conf
input {
  http {
    id => "tap_http_in"
  }
}

```

#### Filter
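```conf
filter {
  # Score the sentiment of the text in the "message" field
  sentimentalizer {
    source => "message"
  }

  # Enrich the event with location data looked up from the "ip" field
  geoip {
    source => "[ip]"
    ecs_compatibility => disabled
  }
}
```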


#### Output
```conf
output {
  # Append every event to a file inside the container
  file {
    path => "/tmp/messages"
  }
}
```

#### Run
```bash
curl -X POST -d "Nice" "http://localhost:8080"
```

Get inside the container to check the /tmp/messages file
```bash
docker exec -it logstash tail -f /tmp/messages
```
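
The "anonymize PII, exclude sensitive fields" capability listed under Filters, applied to this HTTP-to-file pipeline: an added example, not the course's `httptofile.conf`, that requires credentials on the `http` input and writes only a keyed hash of the client address to the file. The environment variable names and the `ip_hmac` field are hypothetical; the `ip` field is assumed to be present in the event, as in the `geoip` filter above.

```conf
# Added example (constructed): hardened variant of the http -> file pipeline.
input {
  http {
    id       => "tap_http_in"
    port     => 8080
    # Basic authentication; values are read from the environment (assumed names)
    # so that no secret is stored in the pipeline file.
    user     => "${TAP_HTTP_USER}"
    password => "${TAP_HTTP_PASSWORD}"
  }
}

filter {
  # Enrich first, while the raw address is still available.
  geoip {
    source => "[ip]"
    ecs_compatibility => disabled
  }

  # Keyed SHA-256 (HMAC) of the address: events from the same client can
  # still be correlated, but the address cannot be recovered by hashing
  # candidate IPs without the key.
  fingerprint {
    source => "[ip]"
    target => "[ip_hmac]"      # hypothetical field name
    method => "SHA256"
    key    => "${TAP_FINGERPRINT_KEY}"
  }

  # Drop the raw address, including the copy that geoip places in its
  # target when ECS compatibility is disabled.
  mutate {
    remove_field => ["[ip]", "[geoip][ip]"]
  }
}

output {
  file {
    path => "/tmp/messages"
  }
}
```

Pass the three variables with `docker run -e ...`; Logstash fails to start if a referenced `${VAR}` is undefined. Publishing the port as `-p 127.0.0.1:8080:8080` keeps the input reachable from the local host only.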

## A look at the guide
https://www.elastic.co/guide/en/logstash/current/index.html