:integration: logstash :plugin: logstash :type: input :no_codec: /////////////////////////////////////////// START - GENERATED VARIABLES, DO NOT EDIT! /////////////////////////////////////////// :version: %VERSION% :release_date: %RELEASE_DATE% :changelog_url: %CHANGELOG_URL% :include_path: ../../../../logstash/docs/include /////////////////////////////////////////// END - GENERATED VARIABLES, DO NOT EDIT! /////////////////////////////////////////// [id="plugins-{type}s-{plugin}"] === Logstash input plugin include::{include_path}/plugin_header-integration.asciidoc[] ==== Description Listen for events that are sent by a {logstash-ref}/plugins-outputs-logstash.html[Logstash output plugin] in a pipeline that may be in another process or on another host. The upstream output must have a TCP route to the port (defaults to 9800) on an interface that this plugin is bound to. NOTE: Sending events to this input by _any_ means other than `plugins-outputs-logstash` is neither advised nor supported. We will maintain cross-compatibility with any two supported versions of output/input pair and reserve the right to change details such as protocol and encoding. [id="plugins-{type}s-{plugin}-minimum-config"] ===== Minimum Configuration [cols="3a,2a"] |======================================================================================================================= |SSL Enabled |SSL Disabled | [source] ---- input { logstash { ssl_keystore_path => "/path/to/logstash.p12" ssl_keystore_password => "${PASS}" } } ---- | [source] ---- input { logstash { ssl_enabled => false } } ---- |======================================================================================================================= [id="plugins-{type}s-{plugin}-config-binding"] ===== Configuration Concepts This input plugin needs to be configured to bind to a TCP <>, and can be constrained to bind to a particular interface by providing the IP to <>. [id="plugins-{type}s-{plugin}-config-ssl-identity"] ===== Security: SSL Identity Unless SSL is disabled, this plugin needs to be configured with identity material: * JKS- or PKCS12-formatted Keystore (see <>) * PKCS8-formatted Certificate/Key pair (see <>) [id="plugins-{type}s-{plugin}-config-ssl-trust"] ===== Security: SSL Trust When communicating over SSL, this plugin can be configured to either request or require that connecting clients present their own identity claims with <>. Certificates that are presented by clients are validated by default using the system trust store to ensure that they are currently-valid and trusted, and that the client can prove possession of its associated private key. You can provide an _alternate_ source of trust with: * A PEM-formatted list of trusted certificate authorities (see <>) NOTE: Client-certificate verification does _not_ verify identity claims on the presented certificate, such as whether the certificate includes a Subject Alt Name matching the IP address from which the client is connecting. [id="plugins-{type}s-{plugin}-config-credentials"] ===== Security: Credentials You can also configure this plugin to require a specific username/password be provided by configuring <> and <>. Doing so requires connecting `logstash-output` plugin clients to provide matching `username` and `password`. NOTE: when SSL is disabled, data and credentials will be received in clear-text. [id="plugins-{type}s-{plugin}-options"] ==== Logstash Input Configuration Options This plugin supports the following configuration options plus the <> described later. [cols="<,<,<",options="header",] |======================================================================= |Setting |Input type |Required | <> |<> |No | <> |<>|No | <> |<> |No | <> | <>|No | <> |<>|No | <> | <>, one of `["none", "optional", "required"]`|No | <> |<>|No | <> | <>|No | <> | <>|No | <> | <>|No | <> | <>|No | <> |<>|No |======================================================================= Also see <> for a list of options supported by all input plugins.   [id="plugins-{type}s-{plugin}-host"] ===== `host` * Value type is a <> ip address * Default value is `0.0.0.0` (all interfaces) Specify which interface to listen on by providing its ip address. By default, this input listens on all available interfaces. [id="plugins-{type}s-{plugin}-password"] ===== `password` * Value type is <> * There is no default value for this setting. Password for password-based authentication. Requires <>. [id="plugins-{type}s-{plugin}-port"] ===== `port` * Value type is a <> port * Default value is 9800 Specify which port to listen on. [id="plugins-{type}s-{plugin}-ssl_certificate"] ===== `ssl_certificate` * Value type is <> * There is no default value for this setting. * When present, <> and <> are also required. * Cannot be combined with configurations that disable SSL. Path to a PEM-encoded certificate or certificate chain with which to identify this plugin to connecting clients. The certificate _SHOULD_ include identity claims about the ip address or hostname that clients use to establish a connection. [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"] ===== `ssl_certificate_authorities` * Value type is a list of <>s * There is no default value for this setting. * Cannot be combined with configurations that disable SSL. * Cannot be combined with < none+`>>. One or more PEM-encoded files defining certificate authorities for use in client authentication. This setting can be used to _override_ the system trust store for verifying the SSL certificate presented by clients. [id="plugins-{type}s-{plugin}-ssl_client_authentication"] ===== `ssl_client_authentication` * Value can be any of: ** `none`: do not request client's certificate, or validate certificates that are presented ** `optional`: request client's certificate, and validate it against our trust authorities _if-and-only-if_ it is presented ** `required`: require a valid certificate from the client that is signed by a trusted certificate authority * Default value is `"none"` By default the server doesn't do any client authentication. This means that connections from clients are _private_ when SSL is enabled, but that this input will allow SSL connections from _any_ client. If you wish to configure this plugin to reject connections from untrusted hosts, you will need to configure this plugin to authenticate clients, and may also need to configure its <>. [id="plugins-{type}s-{plugin}-ssl_enabled"] ===== `ssl_enabled` * Value type is <> * Default value is `true` SSL is enabled by default, which requires configuring this plugin to present its <>. You can disable SSL with `+ssl_enabled => false+`. When disabled, setting any `ssl_*` configuration causes configuration failure. [id="plugins-{type}s-{plugin}-ssl_key"] ===== `ssl_key` * Value type is <> * There is no default value for this setting. * Required when connection identity is configured with <>. * Cannot be combined with configurations that disable SSL. A path to a PEM-encoded _encrypted_ PKCS8 SSL certificate key. [id="plugins-{type}s-{plugin}-ssl_keystore_password"] ===== `ssl_keystore_password` * Value type is <> * There is no default value for this setting. * Required when connection identity is configured with <>. * Cannot be combined with configurations that disable SSL. Password for the <> [id="plugins-{type}s-{plugin}-ssl_keystore_path"] ===== `ssl_keystore_path` * Value type is <> * There is no default value for this setting. * When present, <> is also required. * Cannot be combined with configurations that disable SSL. A path to a JKS- or PKCS12-formatted keystore with which to identify this plugin to {es}. [id="plugins-{type}s-{plugin}-ssl_key_passphrase"] ===== `ssl_key_passphrase` * Value type is <> * There is no default value for this setting. * Required when connection identity is configured with <>. * Cannot be combined with configurations that disable SSL. A password or passphrase of the <>. [id="plugins-{type}s-{plugin}-username"] ===== `username` * Value type is <> * There is no default value for this setting. Username for password-based authentication. When this input plugin is configured with a `username`, it also requires a `password`, and any upstream `logstash-output` plugin must also be configured with a matching `username`/`password` pair. NOTE: when SSL is disabled, credentials will be transmitted in clear-text. [id="plugins-{type}s-{plugin}-common-options"] include::{include_path}/{type}.asciidoc[] :default_codec!: