Setting up Logstash Logs Ingestion
Last updated on 09 January, 2023This output plugin sends Logstash events to the LogicMonitor logs ingestion API. You can also install the Logstash Monitoring LogicModules for added visibility into your Logstash metrics alongside the logs.
Prerequisites
- LogicMonitor account name.
- LogicMonitor API access tokens.
Installing the Plugin
The Logstash plugin can be installed through Ruby Gems. Run the following command on your Logstash instance:
logstash-plugin install logstash-output-lmlogsConfiguring the Plugin
The following is an example of the minimum configuration needed for the Logstash plugin. You can add more settings into the configuration file. See the parameters tables in the following.
output {
lmlogs {
access_id => "access_id"
access_key => "access_key"
portal_name => "account-name"
property_key => "hostname"
lm_property => "system.sysname"
}
}Including and Excluding Metadata
By default, all metadata is included in the logs sent to LM Logs. You can also use the include_metadata parameter to include or exclude metadata fields. Add this parameter to the logstash.config file. If set to false, metadata fields will not be sent to the LM Logs ingestion. Default value is “true”.
You can also exclude specific metadata by adding the following to the logstash.config file:
filter { mutate
{ remove_field => [ "[event][sequence]" ]}
}For more information, see the Logstash documentation.
Note: From version 1.1.0 of the Logstash plugin all metadata is included by default. The include_metadata parameter is introduced with version 1.2.0.
Required Parameters
| Name | Description | Default |
| access_id | Username to use for HTTP authentication. | N/A |
| access_key | Password to use for HTTP authentication. | N/A |
| portal_name | The LogicMonitor portal account name. | N/A |
Optional Parameters
| Name | Description | Default |
| batch_size | The number of events to send to LM Logs at one time. Increasing the batch size can increase throughput by reducing HTTP overhead. | 100 |
| keep_timestamp | If false, LM Logs will use the ingestion timestamp as the even timestamp. | true |
| lm_property | Specify the key that will be used by LogicMonitor to match a resource based on property. | system.hostname |
| message_key | The key in the Logstash event that will be used as the logs message. | message |
| property_key | They key in Logstash to find the hostname value, that will be used map to lm_property. | hostname |
| timestamp_is_key | If true, LM Logs will use a specified key as the event timestamp value. | false |
| timestamp_key | If timestamp_is_key=true, LM Logs will use this key in the event as the timestamp. Valid timestamp formats are ISO8601 strings or epoch in seconds, milliseconds, and nanoseconds. | logtimestamp |
| include_metadata | If false, metadata will not be included in the logs sent to LM Logs. | true |
Note: See the Logstash documentation for more information about the message_key and property_key values syntax.
Building
Run the following command in Docker to build the Logstash plugin:
docker-compose run jruby gem build logstash-output-lmlogs.gemspecTroubleshooting
If you are not seeing logs in LM Logs:
- Ensure that the resource from which the logs are expected is being monitored.
- If the resource exists, check that the lm_property used for mapping the resource is unique. Log ingestion will not work if lm_property is used for more than one resource.