Skip to content
Fluentd plugin for Elastic beats
Branch: master
Clone or download
Latest commit 969dcea May 14, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
lib Make ssl_ciphers and ssl_version optional May 14, 2019
test Add test for configuration May 14, 2019
Gemfile Implement beats input plugin Dec 17, 2015
LICENSE Initial commit Dec 17, 2015 Add ssl_ciphers and ssl_version May 14, 2019
Rakefile Add a basic set of tests for 'in_beat' plugin. Apr 5, 2018
VERSION v1.1.0 May 14, 2019
fluent-plugin-beats.gemspec Relax concurrent-ruby gem version. fix #10 Jun 21, 2018


Fluentd plugin to accept events from Elastic Beats.

This plugin uses lumberjack protocol for communicating with each beat.


fluent-plugin-beats fluentd ruby
>= 1.0.0 >= v1.0.0 >= 2.1
< 1.0.0 >= v0.12.0 >= 1.9


$ gem install fluent-plugin-beats --no-document


Configuration example:

  @type beats

# Forward all events from beats to each index on elasticsearch
<match *beat>
  @type elasticsearch_dynamic
  logstash_format true
  logstash_prefix ${tag_parts[0]}
  type_name ${record['type']}


The port to listen to. Default Value is 5044.

If you use this plugin under multi-process environment in v1, the plugin will be launched in each worker. Port is assigned in sequential number, e.g. 5044, 5045 ... 504N.


The bind address to listen to. Default Value is (all addresses)


The tag of the event.


Use record['@metadata']['beat'] value instead of fixed tag.


The format of the log. This format is used for message field of filebeat event. See Parser article for more detail:


Limit the number of connections from beat instances. Default is unlimited.

use_ssl, ssl_certificate, ssl_key, ssl_key_passphrase, ssl_version, ssl_ciphers

For lumberjack protocol.


  • lumberjack directory is copied from logstash-input-beats and bit modified.
    • Add Server::Connection#closed? to check connection is dead or not
    • Remove id_stream argument from Server::Connection#run block
  • From lumberjack limitation, this plugin launches one thread for each connection. You can mitigate this problem by max_connections.


Talk at Elasticsearch meetup #14: Fluentd meets Beats

You can’t perform that action at this time.