Logstash
Introduction
Fluent-bit has not an output for Logstash, but we can send records to Logstash by using it HTTP Output plugin and configuring the Logstash HTTP input plugin from Logstash side.
Getting started
Configuration files
In your fluent-bit
main configuration file append the following Output section:
[OUTPUT]
Name http
Match *
Host 192.168.2.3
Port 12345
Format json
where:
Host
: is the IP address or hostname of the target Logstash HTTP input server.Port
: is the TCP port of the target Logstash HTTP input server.Format
: is the communication format. Logstash added support to msgpack codec, but it seems to be uncompatible withfluent-bit
format. Due to that, we have to usejson
format to transmit data fromfluent-bit
to `logstash.
In your logstash
pipeline configuration file, append the following Input and Filter sections:
input {
http {
port => 12345
add_field => { "[@metadata][input-http]" => "" }
}
}
filter {
if [@metadata][input-http] {
date {
match => [ "date", "UNIX" ]
remove_field => [ "date" ]
}
mutate {
remove_field => ["headers","host"]
}
}
}
where:
input.http.port
: is the TCP port to bind to.
By default Fluent Bit sends timestamp information on the date
field, but Logstash expects date information on @timestamp
field. In order to use date
field as a timestamp, we have to identify records providing from Fluent Bit. We can do it by adding metadata to records present on this input by add_field => { "[@metadata][input-http]" => "" }
. Then, we can use the date filter plugin to convert date
field to @timestamp
, but only when records provide from this http input (via conditional if [@metadata][input-http] { ··· }
).
On the other hand, Logstash HTTP input plugin adds to each record information about http requester (fluent-bit in our case). As we don't need this information, we can remove it by using the mutate plugin and removing fields headers
& host
(these fields are customisable on logstash input filter by setting request_headers_target_field
and remote_host_target_field
respectively).
Security
Previous configuration uses plain HTTP communication, which is insecure and can be intercepted. We can increase security by enabling TLS/SSL and adding basic authentication.
In your fluent-bit
main configuration append the folloging Output section:
[OUTPUT]
Name http
Match *
Host 192.168.2.3
Port 12345
Format json
HTTP_User user
HTTP_Passwd password
tls On
tls.verify Off
where:
HTTP_User
: is the Basic Auth Username.HTTP_Passwd
: is the Basic Auth Password.tls.*
: corresponds to the TLS / SSL configuration. In our case, we gonna enable TLS communication without forcing the certificate validation because we gonna use a self-signed certificate. If you want to validate server certificate, configure it according to documentation.
In your logstash
pipeline configuration file, append the following Input and Filter sections:
input {
http {
port => 12345
add_field => { "[@metadata][input-http]" => "" }
user => "user"
password => "password"
ssl => true
ssl_certificate => "/etc/logstash/http-input.crt"
ssl_key => "/etc/logstash/http-input.key"
ssl_key_passphrase => "ssl_passphtrase"
}
}
filter {
if [@metadata][input-http] {
date {
match => [ "date", "UNIX" ]
remove_field => [ "date" ]
}
mutate {
remove_field => ["headers","host"]
}
}
}
where:
input.http.user
: is the user for basic authorization.input.http.password
: is the password for basic authorization.input.http.ssl*
: corresponds to the TLS / SSL configuration. Current Logstash http input version (v3.2.0
released on2018-05-10
) only accepts PCK8 certificate format. We can create a valid self-signed certificate via:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out /etc/logstash/http-input.crt -days 365
openssl pkcs8 -in key.pem -topk8 -out /etc/logstash/http-input.key
Last updated