Logstash

Coralogix provides seamless integration with Logstash, so you can send your logs from anywhere and parse them according to your needs.

Prerequisites

Best Practices

We recommend using the generic http output plugin with this integration, given its high level of configurability and metric support for monitoring output.

Installation

STEP 1. Add the Ruby code snippet that captures the event structure as it flows through Logstash.

  • [Optional] Use this opportunity to set dynamic application and subsystem fields.

  • The example below adopts a JSON structure and has these fields: application, subsystem and host.

filter {
  ruby {code => "
                event.set('[@metadata][application]', event.get('application'))
                event.set('[@metadata][subsystem]', event.get('subsystem'))
                event.set('[@metadata][event]', event.to_json)
                event.set('[@metadata][host]', event.get('host'))
                "}
}

  • If you prefer that the fields application, subsystem and host remain static, replace the event.get with a plain string, as in the example below.

filter {
  ruby {code => "
                event.set('[@metadata][application]', 'MyApplicationName')
                event.set('[@metadata][subsystem]', 'MySubsystemName')
                event.set('[@metadata][event]', event.to_json)
                event.set('[@metadata][host]', event.get('host'))
                "}
}

STEP 2. Once the event is ready, configure the output itself to send the logs.

  • Input your Send-Your-Data API key.

  • Choose the https://ingress./logs/v1/singles endpoint that corresponds to your Coralogix domain using the domain selector at the top of the page.

output {
    http {
        url => "https://ingress./logs/v1/singles"
        http_method => "post"
        headers => ["authorization", "Bearer <Coralogix Send-Your-Data API key>"]
        format => "json_batch"
        codec => "json"
        mapping => {
            "applicationName" => "%{[@metadata][application]}"
            "subsystemName" => "%{[@metadata][subsystem]}"
            "computerName" => "%{[@metadata][host]}"
            "text" => "%{[@metadata][event]}"
        }
        http_compression => true
        automatic_retries => 5
        retry_non_idempotent => true
        connect_timeout => 30
        keepalive => false
    }
}
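
An offline check of the STEP 1 filter logic, added here as an example and not taken from Coralogix's own code. It extends the filter with fallback names, because a `%{...}` reference that Logstash cannot resolve is left as literal text in the output mapping, so an event without application or subsystem would otherwise be sent with the placeholder as its name. StubEvent, set_coralogix_metadata, coralogix_payload and the unknown-* defaults are assumptions made for this example.

```ruby
require 'json'

# Hypothetical stand-in for LogStash::Event, for offline testing only:
# get/set with [a][b] field references, to_json without @metadata.
class StubEvent
  def initialize(fields)
    @fields = fields.merge('@metadata' => {})
  end

  def get(ref)
    ref.scan(/[^\[\]]+/).reduce(@fields) { |node, k| node.is_a?(Hash) ? node[k] : nil }
  end

  def set(ref, value)
    *parents, leaf = ref.scan(/[^\[\]]+/)
    node = parents.reduce(@fields) { |n, k| n[k] ||= {} }
    node[leaf] = value
  end

  def to_json(*_args)
    @fields.reject { |k, _| k == '@metadata' }.to_json
  end
end

# The page's filter steps, with a fallback when a field is absent or blank.
# The default names are assumptions; pick values that fit your account.
def set_coralogix_metadata(event, app: 'unknown-app', subsystem: 'unknown-subsystem')
  pick = ->(field, fallback) { v = event.get(field).to_s.strip; v.empty? ? fallback : v }
  event.set('[@metadata][application]', pick.call('application', app))
  event.set('[@metadata][subsystem]', pick.call('subsystem', subsystem))
  event.set('[@metadata][event]', event.to_json)
  event.set('[@metadata][host]', pick.call('host', 'unknown-host'))
  event
end

# Fields the http output mapping in STEP 2 would send for this event.
def coralogix_payload(event)
  { 'applicationName' => event.get('[@metadata][application]'),
    'subsystemName'   => event.get('[@metadata][subsystem]'),
    'computerName'    => event.get('[@metadata][host]'),
    'text'            => event.get('[@metadata][event]') }
end

# Constructed sample events: one complete, one missing its routing fields.
COMPLETE = { 'application' => 'billing', 'subsystem' => 'api', 'host' => 'web-01', 'message' => 'login ok' }
PARTIAL  = { 'application' => '  ', 'host' => 'web-02', 'message' => 'no routing fields' }
[COMPLETE, PARTIAL].each { |f| puts coralogix_payload(set_coralogix_metadata(StubEvent.new(f))) }
```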

Additional resources

Coralogix Endpoints