Role Detail


Logstash for Linux.
Type Ansible
Minimum Ansible Version 1.8
Installation $ ansible-galaxy install geerlingguy.logstash
Last Commit 2017-05-10 16:32:04 PM UTC
Last Imported 2017-09-18 12:26:12 PM UTC
Version History
Version Release Date
3.0.0 2016-09-12 19:49:07 PM
2.0.1 2016-09-04 04:47:04 AM
2.0.0 2016-04-15 19:51:07 PM
1.2.0 2016-03-02 04:48:04 AM
1.1.0 2015-11-24 18:00:06 PM
1.0.6 2015-11-16 16:08:04 PM
1.0.5 2014-12-17 05:32:05 AM
1.0.4 2014-11-11 16:36:04 PM
1.0.3 2014-08-26 20:06:08 PM
1.0.2 2014-08-26 19:24:07 PM
1.0.1 2014-08-26 18:09:06 PM
1.0.0 2014-08-26 18:08:06 PM
0.9.5 2014-08-25 20:19:08 PM
0.9.4 2014-08-25 18:46:06 PM
0.9.3 2014-08-25 18:00:06 PM
0.9.2 2014-08-22 20:46:08 PM
0.9.1 2014-08-22 20:26:08 PM
0.9.0 2014-08-22 20:13:08 PM
Supported Platforms
Platform Version
Debian etch
Debian jessie
Debian lenny
Debian sid
Debian squeeze
Debian stretch
Debian wheezy
EL 6
EL 7
Ubuntu artful
Ubuntu lucid
Ubuntu maverick
Ubuntu natty
Ubuntu oneiric
Ubuntu precise
Ubuntu quantal
Ubuntu raring
Ubuntu saucy
Ubuntu trusty
Ubuntu utopic
Ubuntu vivid
Ubuntu wily
Ubuntu xenial
Ubuntu yakkety
Ubuntu zesty
Last 10 Imports
Completed Status
2017-09-18 12:26:12 PM UTC SUCCESS
2017-09-18 12:05:12 PM UTC SUCCESS
2017-09-16 17:00:05 PM UTC SUCCESS
2017-09-15 11:23:11 AM UTC SUCCESS
2017-09-15 11:22:11 AM UTC SUCCESS
2017-09-15 11:13:11 AM UTC SUCCESS
2017-08-30 12:36:12 PM UTC SUCCESS
2017-08-25 14:38:02 PM UTC SUCCESS
2017-08-24 17:55:05 PM UTC SUCCESS
2017-08-24 17:32:05 PM UTC SUCCESS

Ansible Role: Logstash

Build Status

An Ansible Role that installs Logstash on RedHat/CentOS Debian/Ubuntu.

Note that this role installs a syslog grok pattern by default; if you want to add more filters, please add them inside the /etc/logstash/conf.d/ directory. As an example, you could create a file named 13-myapp.conf with the appropriate grok filter and restart logstash to start using it. Test your grok regex using the Grok Debugger.


Though other methods are possible, this role is made to work with Elasticsearch as a backend for storing log messages.

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

logstash_listen_port_beats: 5044

The port over which Logstash will listen for beats.

  - http://localhost:9200

The hosts where Logstash should ship logs to Elasticsearch.

logstash_ssl_dir: /etc/pki/logstash
logstash_ssl_certificate_file: logstash-forwarder-example.crt
logstash_ssl_key_file: logstash-forwarder-example.key

Local paths to the SSL certificate and key files, which will be copied into the logstash_ssl_dir.

For utmost security, you should use your own valid certificate and keyfile, and update the logstash_ssl_* variables in your playbook to use your certificate.

To generate a self-signed certificate/key pair, you can use use the command:

$ sudo openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout logstash.key -out logstash.crt

Note that filebeat and logstash may not work correctly with self-signed certificates unless you also have the full chain of trust (including the Certificate Authority for your self-signed cert) added on your server. See:

logstash_local_syslog_path: /var/log/syslog
logstash_monitor_local_syslog: true

Whether configuration for local syslog file (defined as logstash_local_syslog_path) should be added to logstash. Set this to false if you are monitoring the local syslog differently, or if you don't care about the local syslog file. Other local logs can be added by your own configuration files placed inside /etc/logstash/conf.d.

logstash_enabled_on_boot: yes

Set this to no if you don't want logstash to run on system startup.

  - logstash-input-beats

A list of Logstash plugins that should be installed.

Other Notes

If you are seeing high CPU usage from one of the logstash processes, and you're using Logstash along with another application running on port 80 on a platform like Ubuntu with upstart, the logstash-web process may be stuck in a loop trying to start on port 80, failing, and trying to start again, due to the restart flag being present in /etc/init/logstash-web.conf. To avoid this problem, either change that line to add a limit to the respawn statement, or set the logstash-web service to enabled=no in your playbook, e.g.:

- name: Ensure logstash-web process is stopped and disabled.
  service: name=logstash-web state=stopped enabled=no

Example Playbook

- hosts: search
    - geerlingguy.elasticsearch
    - geerlingguy.logstash



Author Information

This role was created in 2014 by Jeff Geerling, author of Ansible for DevOps.