This output generates messages in GELF format. This is most useful if you want to use Logstash to output events to Graylog2.
More information at http://graylog2.org/gelf#specs
output {
gelf {
chunksize => ... # number (optional), default: 1420
codec => ... # codec (optional), default: "plain"
custom_fields => ... # hash (optional), default: {}
full_message => ... # string (optional), default: "%{message}"
host => ... # string (required)
ignore_metadata => ... # array (optional), default: ["@timestamp", "@version", "severity", "host", "source_host", "source_path", "short_message"]
level => ... # array (optional), default: ["%{severity}", "INFO"]
port => ... # number (optional), default: 12201
sender => ... # string (optional), default: "%{host}"
ship_metadata => ... # boolean (optional), default: true
ship_tags => ... # boolean (optional), default: true
short_message => ... # string (optional), default: "short_message"
workers => ... # number (optional), default: 1
}
}
The GELF chunksize. You usually don’t need to change this.
The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.
The GELF custom field mappings. GELF supports arbitrary attributes as custom
fields. This exposes that. Exclude the _
portion of the field name
e.g. custom_fields => ['foo_field', 'some_value']
sets
_foo_field =
some_value`.
Only handle events without any of these tags. Note this check is additional to type and tags.
The GELF facility. Dynamic values like %{foo} are permitted here; this
is useful if you need to use a value from the event as the facility name.
Should now be sent as an underscored “additional field” (e.g. \_facility
)
The GELF file; this is usually the source code file in your program where
the log event originated. Dynamic values like %{foo} are permitted here.
Should now be sent as an underscored “additional field” (e.g. \_file
).
The GELF full message. Dynamic values like %{foo} are permitted here.
Graylog2 server IP address or hostname.
Ignore these fields when ship_metadata
is set. Typically this lists the
fields used in dynamic values for GELF fields.
The GELF message level. Dynamic values like %{level} are permitted here; useful if you want to parse the ‘log level’ from an event and use that as the GELF level/severity.
Values here can be integers [0..7] inclusive or any of “debug”, “info”, “warn”, “error”, “fatal” (case insensitive). Single-character versions of these are also valid, “d”, “i”, “w”, “e”, “f”, “u” The following additional severity_labels from Logstash’s syslog_pri filter are accepted: “emergency”, “alert”, “critical”, “warning”, “notice”, and “informational”.
The GELF line number; this is usually the line number in your program where
the log event originated. Dynamic values like %{foo} are permitted here, but the
value should be a number.
Should now be sent as an underscored “additional field” (e.g. \_line
).
Graylog2 server port number.
Allow overriding of the GELF sender
field. This is useful if you
want to use something other than the event’s source host as the
“sender” of an event. A common case for this is using the application name
instead of the hostname.
Should Logstash ship metadata within event object? This will cause Logstash to ship any fields in the event (such as those created by grok) in the GELF messages. These will be sent as underscored “additional fields”.
Ship tags within events. This will cause Logstash to ship the tags of an
event as the field \_tags
.
The GELF short message field name. If the field does not exist or is empty, the event message is taken instead.
Only handle events with all of these tags. Note that if you specify a type, the event must also match that type. Optional.
The type to act on. If a type is given, then this output will only act on messages with the same type. See any input plugin’s “type” attribute for more. Optional.
The number of workers to use for this output. Note that this setting may not be useful for all outputs.