:plugin: tcp
:type: input
:default_codec: line
///////////////////////////////////////////
START - GENERATED VARIABLES, DO NOT EDIT!
///////////////////////////////////////////
:version: %VERSION%
:release_date: %RELEASE_DATE%
:changelog_url: %CHANGELOG_URL%
:include_path: ../../../../logstash/docs/include
///////////////////////////////////////////
END - GENERATED VARIABLES, DO NOT EDIT!
///////////////////////////////////////////
[id="plugins-{type}s-{plugin}"]
=== Tcp input plugin
include::{include_path}/plugin_header.asciidoc[]
==== Description
Read events over a TCP socket.
Like stdin and file inputs, each event is assumed to be one line of text.
Can either accept connections from clients or connect to a server,
depending on `mode`.
===== Accepting log4j2 logs
Log4j2 can send JSON over a socket, and we can use that combined with our tcp
input to accept the logs.
First, we need to configure your application to send logs in JSON over a
socket. The following log4j2.xml accomplishes this task.
Note, you will want to change the `host` and `port` settings in this
configuration to match your needs.
To accept this in Logstash, you will want tcp input and a date filter:
input {
tcp {
port => 12345
codec => json
}
}
and add a date filter to take log4j2's `timeMillis` field and use it as the
event timestamp
filter {
date {
match => [ "timeMillis", "UNIX_MS" ]
}
}
[id="plugins-{type}s-{plugin}-ecs_metadata"]
==== Event Metadata and the Elastic Common Schema (ECS)
In addition to decoding the events, this input will add metadata about the TCP connection itself to each event.
This can be helpful when applications are configured to send events directly to this input's TCP listener without including information about themselves.
Historically, this metadata was added to a variety of non-standard top-level fields, which had the potential to create confusion and schema conflicts downstream.
With ECS compatibility mode, we can ensure a pipeline still has access to this metadata throughout the event's lifecycle without polluting the top-level namespace.
[cols="3,7,5"]
|=======================================================================
| Metadata Group | ecs: `v1`, `v8` | ecs: `disabled`
.3+|Source Metadata from the TCP connection
on which events are being received, including
the sender's name, ip, and outbound port. l|[@metadata][input][tcp][source][name] l|[host]
l|[@metadata][input][tcp][source][ip] l|[@metadata][ip_address]
l|[@metadata][input][tcp][source][port] l|[port]
.2+|Proxy Metadata from a proxied TCP connection.
Available when receiving events by proxy and
`proxy_protocol => true` l|[@metadata][input][tcp][proxy][ip] l|[proxy_host]
l|[@metadata][input][tcp][proxy][port] l|[proxy_port]
.1+|SSL Subject Metadata from a secured TCP
connection. Available when `ssl_enabled => true`
AND `ssl_client_authentication => 'optional' or 'required'` l|[@metadata][input][tcp][ssl][subject] l|[sslsubject]
|=======================================================================
For example, the Elastic Common Schema reserves the https://www.elastic.co/guide/en/ecs/current/ecs-host.html[top-level `host` field] for information about the host on which the event happened.
If an event is missing this metadata, it can be copied into place from the source TCP connection metadata that has been added to the event:
[source,txt]
-----
filter {
if [@metadata][input][tcp][source] and ![host] {
mutate {
copy => {
"[@metadata][input][tcp][source][name]" => "[host][name]"
"[@metadata][input][tcp][source][ip]" => "[host][ip]"
}
}
}
}
-----
[id="plugins-{type}s-{plugin}-options"]
==== Tcp Input Configuration Options
This plugin supports the following configuration options plus the <> described later.
[cols="<,<,<",options="header",]
|=======================================================================
|Setting |Input type|Required
| <> |<>|No
| <> | <>|No
| <> |<>|No
| <> |<>, one of `["server", "client"]`|No
| <> |<>|Yes
| <> |<>|No
| <> |a valid filesystem path|__Deprecated__
| <> |a valid filesystem path|No
| <> |<>|No
| <> |<>|No
| <> |<>, one of `["none", "optional", "required"]`|No
| <> |<>|__Deprecated__
| <> |<>|No
| <> |<>|No
| <> |a valid filesystem path|No
| <> |<>|No
| <> |<>|No
| <> |<>, one of `["full", "none"]`|No
| <> |<>|__Deprecated__
| <> |<>|No
|=======================================================================
Also see <> for a list of options supported by all
input plugins.
[id="plugins-{type}s-{plugin}-dns_reverse_lookup_enabled"]
===== `dns_reverse_lookup_enabled`
* Value type is <>
* Default value is `true`
It is possible to avoid DNS reverse-lookups by disabling this setting. If disabled,
the address metadata that is added to events will contain the source address as-specified
at the TCP layer and IPs will not be resolved to hostnames.
[id="plugins-{type}s-{plugin}-ecs_compatibility"]
===== `ecs_compatibility`
* Value type is <>
* Supported values are:
** `disabled`: unstructured connection metadata added at root level
** `v1`,`v8`: structured connection metadata added under `[@metadata][input][tcp]`
* Default value depends on which version of Logstash is running:
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
** Otherwise, the default value is `disabled`.
Controls this plugin's compatibility with the https://www.elastic.co/guide/en/ecs/current/index.html[Elastic Common Schema (ECS)].
The value of this setting affects the <> on events.
[id="plugins-{type}s-{plugin}-host"]
===== `host`
* Value type is <>
* Default value is `"0.0.0.0"`
When mode is `server`, the address to listen on.
When mode is `client`, the address to connect to.
[id="plugins-{type}s-{plugin}-mode"]
===== `mode`
* Value can be any of: `server`, `client`
* Default value is `"server"`
Mode to operate in. `server` listens for client connections,
`client` connects to a server.
[id="plugins-{type}s-{plugin}-port"]
===== `port`
* This is a required setting.
* Value type is <>
* There is no default value for this setting.
When mode is `server`, the port to listen on.
When mode is `client`, the port to connect to.
[id="plugins-{type}s-{plugin}-proxy_protocol"]
===== `proxy_protocol`
* Value type is <>
* Default value is `false`
Proxy protocol support, only v1 is supported at this time
http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
[id="plugins-{type}s-{plugin}-ssl_cert"]
===== `ssl_cert`
deprecated[6.4.0, Replaced by <>]
* Value type is <>
* There is no default value for this setting.
Path to certificate in PEM format. This certificate will be presented
to the connecting clients.
[id="plugins-{type}s-{plugin}-ssl_certificate"]
===== `ssl_certificate`
* Value type is <>
* There is no default value for this setting.
Path to certificate in PEM format. This certificate will be presented
to the other part of the TLS connection.
[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
===== `ssl_certificate_authorities`
* Value type is <>
* Default value is `[]`
Validate client certificate or certificate chain against these authorities.
You can define multiple files or paths. All the certificates will be read and added to the trust store.
[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
===== `ssl_cipher_suites`
* Value type is <>
* Default value includes _all_ cipher suites enabled by the JDK and depends on JDK configuration
Supported cipher suites vary depending on Java version used, and entries look like `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`.
For more information, see Oracle’s https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[JDK SunJSSE provider documentation] and
the table of supported https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names[Java cipher suite names].
NOTE: To check the supported cipher suites locally run the following script: `$LS_HOME/bin/ruby -e 'p javax.net.ssl.SSLServerSocketFactory.getDefault.getSupportedCipherSuites'`.
[id="plugins-{type}s-{plugin}-ssl_client_authentication"]
===== `ssl_client_authentication`
* Value can be any of: `none`, `optional`, `required`
* Default value is `required`
Controls the server's behavior in regard to requesting a certificate from client connections:
`none` disables the client authentication. `required` forces a client to present a certificate, while `optional` requests a client certificate
but the client is not required to present one.
When mutual TLS is enabled (`optional` or `required`), the certificate presented by the client must be signed by trusted
<> (CAs).
Please note that the server does not validate the client certificate CN (Common Name) or SAN (Subject Alternative Name).
NOTE: This setting can be used only if <> is `server` and <> is set.
[id="plugins-{type}s-{plugin}-ssl_enable"]
===== `ssl_enable`
deprecated[6.4.0, Replaced by <>]
* Value type is <>
* Default value is `false`
Enable SSL (must be set for other `ssl_` options to take effect).
[id="plugins-{type}s-{plugin}-ssl_enabled"]
===== `ssl_enabled`
* Value type is <>
* Default value is `false`
Enable SSL (must be set for other `ssl_` options to take effect).
[id="plugins-{type}s-{plugin}-ssl_extra_chain_certs"]
===== `ssl_extra_chain_certs`
* Value type is <>
* Default value is `[]`
An Array of paths to extra X509 certificates.
These are used together with the certificate to construct the certificate chain
presented to the client.
[id="plugins-{type}s-{plugin}-ssl_key"]
===== `ssl_key`
* Value type is <>
* There is no default value for this setting.
The path to the private key corresponding to the specified certificate (PEM format).
[id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
===== `ssl_key_passphrase`
* Value type is <>
* Default value is `nil`
SSL key passphrase for the private key.
[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
===== `ssl_supported_protocols`
* Value type is <>
* Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
* Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
`'TLSv1.1'` is not considered secure and is only provided for legacy applications.
List of allowed SSL/TLS versions to use when establishing a secure connection.
NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
[id="plugins-{type}s-{plugin}-ssl_verification_mode"]
===== `ssl_verification_mode`
* Value can be any of: `full`, `none`
* Default value is `full`
Defines how to verify the certificates presented by another party in the TLS connection:
`full` validates that the server certificate has an issue date that's within
the not_before and not_after dates; chains to a trusted Certificate Authority (CA), and
has a hostname or IP address that matches the names within the certificate.
`none` performs no certificate validation.
This setting can be used only if <> is `client`.
WARNING: Setting certificate verification to `none` disables many security benefits of SSL/TLS, which is very dangerous. For more information on disabling certificate verification please read https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[id="plugins-{type}s-{plugin}-ssl_verify"]
===== `ssl_verify`
deprecated[6.4.0, Replaced by <> and <>]
* Value type is <>
* Default value is `true`
Verify the identity of the other end of the SSL connection against the CA.
For input, sets the field `sslsubject` to that of the client certificate.
[id="plugins-{type}s-{plugin}-tcp_keep_alive"]
===== `tcp_keep_alive`
* Value type is <>
* Default value is `false`
Instruct the socket to use TCP keep alive. If it's `true` then the underlying socket
will use the OS defaults settings for keep alive. If it's `false` it doesn't configure any
keep alive setting for the underlying socket.
[id="plugins-{type}s-{plugin}-common-options"]
include::{include_path}/{type}.asciidoc[]
:default_codec!: