• Plugin version: v7.0.0
• Released on: 2024-12-02
• Changelog

For other versions, see theVersioned plugin docs.

For questions about the plugin, open a topic in theDiscuss forums. For bugs or feature requests, open an issue inGithub. For the list of Elastic supported plugins, please consult theElastic Support Matrix.

This input plugin enables Logstash to receive events from the Elastic Agent framework.

The following example shows how to configure Logstash to listen on port 5044 for incoming Elastic Agent connections and to index into Elasticsearch.

input {  elastic_agent {    port => 5044  }}output {  elasticsearch {    hosts => ["http://localhost:9200"]    data_stream => "true"  }}

Events indexed into Elasticsearch with the Logstash configuration shown here will be similar to events directly indexed by Elastic Agent into Elasticsearch.

This plugin uses "off-heap" direct memory in addition to heap memory. By default, a JVM’s off-heap direct memory limit is the same as the heap size. For example, setting-Xmx10G without setting the direct memory limit will allocate10GB for heap and an additional10GB for direct memory, for a total of20GB allocated. You can set the amount of direct memory with-XX:MaxDirectMemorySize inLogstash JVM Settings. Consider setting direct memory to half of the heap size. Setting direct memory too low decreases the performance of ingestion.

When decoding Elastic Agent events, this plugin enriches each event with metadata about the event’s source, making this information available during further processing. You can use theenrich option to activate or deactivate individual enrichment categories.

The location of these enrichment fields depends on whetherECS compatibility mode is enabled:

• When ECS compatibility isenabled, enrichment fields are added in an ECS-compatible structure.
• When ECS compatibility isdisabled, enrichment fields are added in a way that is backward-compatible with this plugin, but is known to clash with the Elastic Common Schema.

This plugin supports the following configuration options plus theCommon options described later.

Also seeCommon options for a list of options supported by all input plugins.

• Value type isboolean
• Default value isfalse

Flag to determine whether to addhost field to event using the value supplied by the Elastic Agent in thehostname field.

• Value type isnumber
• Default value is60

Close Idle clients after X seconds of inactivity.

• Value type isstring

• Supported values are:

  • disabled: unstructured connection metadata added at root level
  • v1: structured connection metadata added under ECS v1 compliant namespaces
  • v8: structured connection metadata added under ECS v8 compliant namespaces

• Default value depends on which version of Logstash is running:

  • When Logstash provides apipeline.ecs_compatibility setting, its value is used as the default
  • Otherwise, the default value isdisabled.

Refer toECS mapping for detailed information.

• Value type isstring

  • Anarray can also be provided

  • Configures which enrichments are applied to each event

  • Default value is[codec_metadata, source_metadata] that may be extended in future versions of this plugin to include additional enrichments.

  • Supported values are:

    Enrichment	Description
    codec_metadata	Information about how the codec transformed a sequence of bytes into this Event, such aswhich codec was used. Also, if no codec is explicitly specified,excludingcodec_metadata fromenrich will disableecs_compatibility for this plugin.
    source_metadata	Information about thesource of the event, such as the IP address of the inbound connection this input received the event from
    ssl_peer_metadata	Detailed information about theSSL peer we received the event from, such as identity information from the SSL client certificate that was presented when establishing a connection to this input
    all	alias to includeall available enrichments (including additional enrichments introduced in future versions of this plugin)
    none	alias toexclude all available enrichments. Note that,explicitly defining codec with this option will not disable theecs_compatibility, instead it relies on pipeline or codececs_compatibility configuration.

Example:

This configuration disablesall enrichments:

input {  beats {    port => 5044    enrich => none  }}

Or, to explicitly enableonlysource_metadata andssl_peer_metadata (disabling all others):

input {  beats {    port => 5044    enrich => [source_metadata, ssl_peer_metadata]  }}

• Value type isnumber
• Defaults to 0.

When setting0, the actual default isavailable_processors * 2

This is an expert-level setting, and generally should not need to be set Elastic Agent plugin is implemented based on a non-blocking mechanism, requiring a number of event loop and executor threads. The event loop threads are responsible to communicate with clients (accept incoming connections, enqueue/dequeue tasks and respond) and executor threads handle tasks. This configuration intends to limit or increase the number of threads to be created for the event loop. Seeexecutor_threads configuration if you need to set executor threads count.

• Value type isnumber
• Default value is equal to the number of CPU cores (1 executor thread per CPU core).

The number of threads to be used to process incoming Elastic Agent requests. By default, the Elastic Agent input creates a number of threads equal to the number of CPU cores. These threads handle incoming connections, reading from established sockets, and executing most of the tasks related to network connection management. Parsing the Lumberjack protocol is offloaded to a dedicated thread pool.

Generally you don’t need to touch this setting. In case you are sending very large events and observing "OutOfDirectMemory" exceptions, you may want to reduce this number to half or 1/4 of the CPU cores. This change reduces the number of threads decompressing batches of data into direct memory. However, this will only be a mitigating tweak, as the proper solution may require resizing your Logstash deployment, either by increasing number of Logstash nodes or increasing the JVM’s Direct Memory.

• Value type isstring
• Default value is"0.0.0.0"

The IP address to listen on.

• Value type isboolean
• Default value istrue

• This is a required setting.
• Value type isnumber
• There is no default value for this setting.

The port to listen on.

• Value type ispath
• There is no default value for this setting.

SSL certificate to use.

• Value type isarray
• Default value is[]

Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store. You need to configure thessl_client_authentication tooptional orrequired to enable the verification.

• Value type isarray
• Default value is['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']

The list of cipher suites to use, listed by priorities. This default list applies for OpenJDK 11.0.14 and higher. For older JDK versions, the default list includes only suites supported by that version. For example, the ChaCha20 family of ciphers is not supported in older versions.

• Value can be any of:none,optional,required
• Default value is"none"

Controls the server’s behavior in regard to requesting a certificate from client connections:required forces a client to present a certificate, whileoptional requests a client certificate but the client is not required to present one. Defaults tonone, which disables the client authentication.

When mutual TLS is enabled (required oroptional), the certificate presented by the client must be signed by trustedssl_certificate_authorities (CAs). Please note that the server does not validate the client certificate CN (Common Name) or SAN (Subject Alternative Name).

• Value type isboolean
• Default value isfalse

Events are by default sent in plain text. You can enable encryption by settingssl_enabled to true and configuring thessl_certificate andssl_key options.

• Value type isnumber
• Default value is10000

Time in milliseconds for an incomplete ssl handshake to timeout

• Value type ispath
• There is no default value for this setting.

SSL key to use. This key must be in the PKCS8 format and PEM encoded. You can use theopenssl pkcs8 command to complete the conversion. For example, the command to convert a PEM encoded PKCS1 private key to a PEM encoded, non-encrypted PKCS8 key is:

openssl pkcs8 -inform PEM -in path/to/logstash.key -topk8 -nocrypt -outform PEM -out path/to/logstash.pkcs8.key

• Value type ispassword
• There is no default value for this setting.

SSL key passphrase to use.

• Value type isarray
• Allowed values are:'TLSv1.1','TLSv1.2','TLSv1.3'
• Default depends on the JDK being used. With up-to-date Logstash, the default is['TLSv1.2', 'TLSv1.3'].'TLSv1.1' is not considered secure and is only provided for legacy applications.

List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.

For Java 8'TLSv1.3' is supported only since8u262 (AdoptOpenJDK), but requires that you set theLS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.

These configuration options are supported by all input plugins:

• Value type ishash
• Default value is{}

Add a field to an event

• Value type iscodec
• Default value is"plain"

The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.

• Value type isboolean
• Default value istrue

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

• Value type isstring
• There is no default value for this setting.

Add a uniqueID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 elastic_agent inputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

input {  elastic_agent {    id => "my_plugin_id"  }}

• Value type isarray
• There is no default value for this setting.

Add any number of arbitrary tags to your event.

This can help with processing later.

• Value type isstring
• There is no default value for this setting.

Add atype field to all events handled by this input.

Types are used mainly for filter activation.

The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.

If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.