home docs about wiki bugs

gelf

Status: beta

GELF output. This is most useful if you want to use logstash to output events to graylog2.

More information at http://www.graylog2.org/about/gelf

Synopsis

This is what it might look like in your config file: 
output {
  gelf {
    chunksize => ... # number (optional), default: 1420
    custom_fields => ... # hash (optional), default: {}
    facility => ... # array (optional), default: ["%{facility}", "logstash-gelf"]
    host => ... # string (required)
    level => ... # array (optional), default: ["%{severity}", "INFO"]
    port => ... # number (optional), default: 12201
    sender => ... # string (optional), default: "%{@source_host}"
    ship_metadata => ... # boolean (optional), default: true
    tags => ... # array (optional), default: []
    type => ... # string (optional), default: ""
  }
}

Details

chunksize

  • Value type is number
  • Default value is 1420

The GELF chunksize. You usually don't need to change this.

custom_fields

  • Value type is hash
  • Default value is {}

The GELF custom field mappings. GELF supports arbitrary attributes as custom fields. This exposes that. Exclude the _ portion of the field name e.g. custom_fields => ['foo_field', 'some_value'] setsfoofield=some_value`

facility

  • Value type is array
  • Default value is ["%{facility}", "logstash-gelf"]

The GELF facility. Dynamic values like %{foo} are permitted here; this is useful if you need to use a value from the event as the facility name.

host (required setting)

  • Value type is string
  • There is no default value for this setting.

graylog2 server address

level

  • Value type is array
  • Default value is ["%{severity}", "INFO"]

The GELF message level. Dynamic values like %{level} are permitted here; useful if you want to parse the 'log level' from an event and use that as the gelf level/severity.

Values here can be integers [0..7] inclusive or any of "debug", "info", "warn", "error", "fatal", "unknown" (case insensitive). Single-character versions of these are also valid, "d", "i", "w", "e", "f", "u"

port

  • Value type is number
  • Default value is 12201

graylog2 server port

sender

  • Value type is string
  • Default value is "%{@source_host}"

Allow overriding of the gelf 'sender' field. This is useful if you want to use something other than the event's source host as the "sender" of an event. A common case for this is using the application name instead of the hostname.

ship_metadata

  • Value type is boolean
  • Default value is true

Ship metadata within event object?

tags

  • Value type is array
  • Default value is []

Only handle events with all of these tags. Note that if you specify a type, the event must also match that type. Optional.

type

  • Value type is string
  • Default value is ""

The type to act on. If a type is given, then this output will only act on messages with the same type. See any input plugin's "type" attribute for more. Optional.

This is documentation from lib/logstash/outputs/gelf.rb

Hello! I'm your friendly footer. If you're actually reading this, I'm impressed.