salt.log.handlers.logstash_mod

Logstash Logging Handler

New in version 0.17.0.

This module provides some Logstash logging handlers.

UDP Logging Handler

For versions of Logstash before 1.2.0:

In the salt configuration file:

logstash_udp_handler:
  host: 127.0.0.1
  port: 9999
  version: 0
  msg_type: logstash

In the Logstash configuration file:

input {
  udp {
    type => "udp-type"
    format => "json_event"
  }
}

For version 1.2.0 of Logstash and newer:

In the salt configuration file:

logstash_udp_handler:
  host: 127.0.0.1
  port: 9999
  version: 1
  msg_type: logstash

In the Logstash configuration file:

input {
  udp {
    port => 9999
    codec => json
  }
}

Please read the UDP input configuration page for additional information.

ZeroMQ Logging Handler

For versions of Logstash before 1.2.0:

In the salt configuration file:

logstash_zmq_handler:
  address: tcp://127.0.0.1:2021
  version: 0

In the Logstash configuration file:

input {
  zeromq {
    type => "zeromq-type"
    mode => "server"
    topology => "pubsub"
    address => "tcp://0.0.0.0:2021"
    charset => "UTF-8"
    format => "json_event"
  }
}

For version 1.2.0 of Logstash and newer:

In the salt configuration file:

logstash_zmq_handler:
  address: tcp://127.0.0.1:2021
  version: 1

In the Logstash configuration file:

input {
  zeromq {
    topology => "pubsub"
    address => "tcp://0.0.0.0:2021"
    codec => json
  }
}

Please read the ZeroMQ input configuration page for additional information.

Important Logstash Setting

One of the most important settings that you should not forget on your Logstash configuration file regarding these logging handlers is format. Both the UDP and ZeroMQ inputs need to have format as json_event which is what we send over the wire.

Log Level

Both the logstash_udp_handler and the logstash_zmq_handler configuration sections accept an additional setting log_level. If not set, the logging level used will be the one defined for log_level in the global configuration file section.

HWM

The high water mark for the ZMQ socket setting. Only applicable for the logstash_zmq_handler.

Inspiration

This work was inspired in pylogstash, python-logstash, canary and the PyZMQ logging handler.