This short guide will look at the TCP input for Logstash. TCP is a stream protocol with which data can be sent over a network. It forms part of the TCP/IP protocol suite that forms the core of network communication on the internet. This input will allow you to set Logstash up as either a TCP server or a TCP client.
Quick Info
Links: Source | Documentation
Version: 1.4.2
Requirements:
- A TCP server if you’re planning on running Logstash as a TCP client.
- A TCP client if you’re planning on running Logstash as a TCP server.
As in some of the other Logstash inputs, a single line is interpreted as a single event in logstash. Use the Logstash’s filters to break it up into more fields or combine multiple lines into one.
The short version – Server
To set up Logstash as a TCP server all you need to specify is the port to listen on:
# Bare minimum input { tcp { port => 9000 } }
Logstash will now run as a TCP server, listening on port 9000 of all of the machines interfaces (0.0.0.0
).
The short version – Client
To set up Logstash to connect to a TCP server as a client, you need to specify the mode, host and the port to connect to:
# Bare minimum input { tcp { mode => "client" host => "logstash.eagerelk.com" port => 9000 } }
Logstash will now connect to the TCP server listening on port 9000 of logstash.eagerelk.com.
The longer version
The TCP input allows some customization of the TCP connections it manages. You can use the data_timeout
to specify how long a connection can be idle before it is closed, and use the ssl_
parameters to set up encrypted connections. These settings apply to both the client and server mode.
Timeout idle connections
Use the data_timeout
parameter to kill connections that have been idle for a minute or longer.
# Kill connections idle for 60 seconds. input { tcp { # Remember to set this up as a client or a server data_timeout => 60 # Set it to -1 (the default) to never time out } }
Secure Communications
You can set up secure communications with the TCP input using SSL:
# Secure Communications input { tcp { # Remember to set this up as a client or a server ssl_enable => true # This needs to be true for the other ssl parameters to be considered ssl_verify => false # Don't validate the cert against the CA. Useful for self signed certs ssl_cacert => "/etc/ssl/my_ca.crt" # System CA's are automatically included ssl_cert => "/etc/ssl/my_cert.crt" # Your SSL Cert ssl_key => "/etc/ssl/my_key.key" # Your SSL Key ssl_key_passphrase => "My supersecret" # The passphrase for the SSL Key } }
All the options
data_timeout
– Number – The time in seconds a connection can be idle before it is disconnects. Set to -1, which is the default, to never disconnect.
mode
– String – The input can run as a server or a client. Set it using this parameter. It defaults to server
.
host
– String – The address your TCP server should listen on, or the TCP client should connect to. Defaults to 0.0.0.0
.
port
– Numeric – The port your syslog server should listen on, or the TCP client should connect to. There is no default.
ssl_enable
– Boolean – Enable or disable SSL communication on the input. It needs to be enabled for the other ssl parameters to be considered. Defaults to false
.
ssl_verify
– Boolean – Specify whether or not the SSL certificates should be verified against the Certificate Authority. Defaults to false
.
ssl_cacert
– Path (String) – The path to a custom CA Cert you want to add. The system CA’s are added automatically.
ssl_cert
– Path (String) – The path to the SSL certificate the connection should use.
ssl_key
– Path (String) – The path to the SSL key the connection should use.
ssl_key_passphrase
– Password (String) – The password for the key.
Ease the Logstash config pain with the Logstash Config Guide. Buy it now!

Subscribe To Our Newsletter
Join our mailing list to receive the latest news and updates from our team.