logstash #0

Supports: focal bionic xenial trusty


Logstash is a data pipeline that helps you process logs and other event data from a variety of systems. With 200 plugins and counting, Logstash can connect to a variety of sources and stream data at scale to a central analytics system.


A flexible, open source data collection, enrichment, and transportation pipeline. With connectors to common infrastructure for easy integration, Logstash is designed to efficiently process a growing list of log, event, and unstructured data sources for distribution into a variety of outputs, including Elasticsearch.


This charm makes use of interface:java, which means you will need to deploy a compatible JRE along with the Logstash application. This lets you swap the version of Java in use by configuring the system's Java installation.

 juju deploy logstash
 juju deploy openjdk
 juju add-relation logstash openjdk

Sending data to Splunk HTTP Event Collector (HEC)

This charm can forward pre-cooked log data to a Splunk HEC.

  juju config logstash \
      splunk_hec_url="<URL>" \
      splunk_hec_token="<HEC Authentication token>"

If the destination HEC uses a TLS certificate that is either self-signed or issued by an intermediate CA, you will also need to add the CA certificate to this command.

  juju config logstash \
      splunk_hec_url="<URL>" \
      splunk_hec_token="<HEC Authentication token>" \
      splunk_ssl_ca="$(base64 <CA.pem>)"

NB: It is important that this be done from the start. Logstash's http output is not thread-safe, and if the TLS certificate is not properly configured at startup, operator intervention will be necessary to forcibly restart the hung Logstash server.
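
A pre-flight check for the TLS setup described above, as an added example that is not part of the charm: it refuses a non-https URL, checks that the CA file is a PEM certificate whose base64 form decodes back to the original, and tests the handshake with curl before running juju config. The function names, the use of curl against the HEC URL and GNU base64 are assumptions; only the three option names come from this page.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of the charm.

# Succeeds only for an https:// URL, so the HEC token is never sent in clear text.
hec_url_is_https() {
    case "$1" in
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the file holds at least one PEM certificate block with matching
# BEGIN/END markers (catches a DER file, a private key or an empty file).
ca_file_is_pem() {
    [ -s "$1" ] || return 1
    begin=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begin" -ge 1 ] && [ "$begin" -eq "$end" ]
}

# Prints the base64 form passed to splunk_ssl_ca, after confirming that it
# decodes back to the original bytes.
encode_ca() {
    ca_file_is_pem "$1" || { echo "not a PEM certificate: $1" >&2; return 1; }
    enc=$(base64 < "$1")
    printf '%s\n' "$enc" | base64 -d | cmp -s - "$1" || return 1
    printf '%s\n' "$enc"
}

# Exit 0 means curl completed the TLS handshake with this CA file supplied
# (needs network access; a certificate verification failure is curl exit 60).
hec_tls_verifies() {
    curl --silent --output /dev/null --max-time 10 --cacert "$2" "$1"
}

# Runs every check, then applies the configuration shown on this page.
# Usage: configure_hec URL TOKEN CA.pem
configure_hec() {
    hec_url_is_https "$1" || { echo "HEC URL must be https://" >&2; return 1; }
    ca_b64=$(encode_ca "$3") || return 1
    hec_tls_verifies "$1" "$3" || { echo "TLS check failed for $1" >&2; return 1; }
    juju config logstash \
        splunk_hec_url="$1" \
        splunk_hec_token="$2" \
        splunk_ssl_ca="$ca_b64"
}
```

Source the file and call configure_hec with the URL, token and CA file; nothing is changed in the model unless all three checks pass.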

This charm is bundled for your convenience.

Typically Logstash is deployed alongside its companion products Elasticsearch and Kibana. This suite of applications is known as the ELK stack, and is deployable today:

  juju deploy ~elasticsearch-charmers/bundle/elk-stack

Testing the deployment

The applications provide extended status reporting to indicate when they are ready:

  juju status

This is particularly useful when combined with watch to track the on-going progress of the deployment:

  watch juju status

The message for each unit will provide information about that unit's state. Once they all indicate that they are ready, you can use the provided generate-noise action to test that the applications are working as expected:

  juju run-action logstash/0 generate-noise
  watch juju show-action-status

Once the action is complete, you can retrieve the results:

  juju show-action-output <action-id>

The <action-id> value appears in the output of juju show-action-status.


(int) Port used by beats. Beats are add-on modules (search the charm store for beat)
(string) Index for Elasticsearch
(string) APT repository key
(string) APT repository to fetch logstash from
deb https://artifacts.elastic.co/packages/6.x/apt stable main
(string) Splunk HEC Token string used to authenticate events
(string) Specify a URL to forward events to a Splunk HTTP Event Collector (HEC)
(string) (optional) TLS CA certificate for validating Splunk HEC in base64 format
(int) The port used by legacy logstash agents to emit logs over TCP.
(int) The port used by legacy logstash agents to emit logs over UDP.