This short guide will look at the TCP input for Logstash. TCP is a stream protocol with which data can be sent over a network. It forms part of the TCP/IP protocol suite that forms the core of network communication on the internet. This input will allow you to set Logstash up as either a TCP server or a TCP client.

Quick Info

Links: Source | Documentation
Version: 1.4.2
Requirements:

  • A TCP server if you’re planning on running Logstash as a TCP client.
  • A TCP client if you’re planning on running Logstash as a TCP server.

As in some of the other Logstash inputs, a single line is interpreted as a single event in logstash. Use the Logstash’s filters to break it up into more fields or combine multiple lines into one.

The short version – Server

To set up Logstash as a TCP server all you need to specify is the port to listen on:

# Bare minimum
input {
  tcp {
    port => 9000
  }
}

Logstash will now run as a TCP server, listening on port 9000 of all of the machines interfaces (0.0.0.0).

The short version – Client

To set up Logstash to connect to a TCP server as a client, you need to specify the mode, host and the port to connect to:

# Bare minimum
input {
  tcp {
    mode => "client"
    host => "logstash.eagerelk.com"
    port => 9000
  }
}

Logstash will now connect to the TCP server listening on port 9000 of logstash.eagerelk.com.

The longer version

The TCP input allows some customization of the TCP connections it manages. You can use the data_timeout to specify how long a connection can be idle before it is closed, and use the ssl_ parameters to set up encrypted connections. These settings apply to both the client and server mode.

Timeout idle connections

Use the data_timeout parameter to kill connections that have been idle for a minute or longer.

# Kill connections idle for 60 seconds.
input {
  tcp {
    # Remember to set this up as a client or a server
    data_timeout => 60 # Set it to -1 (the default) to never time out
  }
}

Secure Communications

You can set up secure communications with the TCP input using SSL:

# Secure Communications
input {
  tcp {
    # Remember to set this up as a client or a server
    ssl_enable => true # This needs to be true for the other ssl parameters to be considered
    ssl_verify => false # Don't validate the cert against the CA. Useful for self signed certs
    ssl_cacert => "/etc/ssl/my_ca.crt" # System CA's are automatically included
    ssl_cert => "/etc/ssl/my_cert.crt" # Your SSL Cert
    ssl_key => "/etc/ssl/my_key.key" # Your SSL Key
    ssl_key_passphrase => "My supersecret" # The passphrase for the SSL Key
  }
}

All the options

data_timeout – Number – The time in seconds a connection can be idle before it is disconnects. Set to -1, which is the default, to never disconnect.

mode – String – The input can run as a server or a client. Set it using this parameter. It defaults to server.

host – String – The address your TCP server should listen on, or the TCP client should connect to. Defaults to 0.0.0.0.

port – Numeric – The port your syslog server should listen on, or the TCP client should connect to. There is no default.

ssl_enable – Boolean – Enable or disable SSL communication on the input. It needs to be enabled for the other ssl parameters to be considered. Defaults to false.

ssl_verify – Boolean – Specify whether or not the SSL certificates should be verified against the Certificate Authority. Defaults to false.

ssl_cacert – Path (String) – The path to a custom CA Cert you want to add. The system CA’s are added automatically.

ssl_cert – Path (String) – The path to the SSL certificate the connection should use.

ssl_key – Path (String) – The path to the SSL key the connection should use.

ssl_key_passphrase – Password (String) – The password for the key.


Ease the Logstash config pain with the Logstash Config Guide. Buy it now!

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Share This