All Products
Search
Document Center

Simple Log Service:Collect data from Beats and Logstash

Last Updated:Jun 10, 2026

Create a Logtail collection configuration in the Simple Log Service console to collect data from Beats and Logstash by using the Lumberjack protocol.

Prerequisites

  • Logtail is installed on your server. Logtail 0.16.9 or later is required for Linux. Logtail 1.0.0.8 or later is required for Windows. Install Logtail on a Linux server or Install Logtail on a Windows server.

  • Data has been collected using Logstash or Beats.

    • To collect data using Logstash, see Logstash-Lumberjack-Output.

    • To collect data using Beats software, see Beats-Lumberjack-Output.

      The following example uses PacketBeat to collect local network packets and the Logtail Lumberjack plugin to upload data to Simple Log Service. The PacketBeat output is configured for Logstash:

      output.logstash:
        hosts: ["127.0.0.1:5044"]

Background information

Logstash and Beats software (MetricBeat, PacketBeat, Winlogbeat, Auditbeat, Filebeat, and Heartbeat) support the Lumberjack protocol. Logtail uses this protocol to upload data from Logstash and Beats to Simple Log Service.

Note
  • Multiple Lumberjack plugins can run on the same Logtail instance, but each must listen on a different port.

  • The Lumberjack plugin supports SSL, which is required for uploading data from Logstash.

Procedure

  1. Log on to the Simple Log Service console.

  2. On the right-side of the page, click Import Data, then select Custom Data Plug-in.

  3. Select the destination project and Logstore, and then click Next.

  4. In the Machine Group Configurations step, configure a machine group.

    1. Configure the Scenario and Installation Environment parameters as needed.

      Important

      You must configure the Scenario and Installation Environment parameters regardless of whether a machine group is available. The parameter settings affect subsequent configurations.

    2. Ensure that a machine group is displayed in the Applied Server Groups section, and click Next.

      Machine group available

      Select a machine group from the Source Machine Group section.

      image

      No machine group available

      Click Create Machine Group. In the Create Machine Group panel, configure the parameters. You can set the Machine Group Identifier parameter to IP Address or Custom Identifier. For more information, see Create a custom identifier-based machine group or Create an IP address-based machine group.

      Important

      If you apply a machine group immediately after you create the machine group, the heartbeat status of the machine group may be FAIL. This issue occurs because the machine group is not connected to Simple Log Service. To resolve this issue, you can click Automatic Retry. If the issue persists, see What do I do if no heartbeat connections are detected on Logtail?

  5. On the Data Source Configuration tab, set Configuration Name and Plugin Configuration, and then click Next.

    • inputs is required and is used to configure the data source settings for the Logtail configuration.

      Important

      You can specify only one type of data source in inputs.

    • processors is optional and is used to configure the data processing settings for the Logtail configuration to parse data. You can specify one or more processing methods.

      If your logs cannot be parsed based only on the setting of inputs, you can configure processors in the Plug-in Configuration field to add plugins for data processing. For example, extract fields, extract log time, mask data, and filter logs. For more information, see Logtail plugins for data processing.

    Beats and Logstash output data in JSON format. Use the processor_anchor plugin to parse JSON data.

    {
      "inputs": [
        {
          "detail": {
            "BindAddress": "0.0.0.0:5044"
          },
          "type": "service_lumberjack"
        }
      ],
      "processors": [
        {
          "detail": {
            "Anchors": [
              {
                "ExpondJson": true,
                "FieldType": "json",
                "Start": "",
                "Stop": ""
              }
            ],
            "SourceKey": "content"
          },
          "type": "processor_anchor"
        }
      ]
    }
                            

    Parameter

    Type

    Required

    Description

    type

    string

    Yes

    Data source type. Set to service_lumberjack.

    BindAddress

    string

    No

    Listening address for the Lumberjack protocol. Default: 127.0.0.1:5044. Set to 0.0.0.0:5044 to allow access from other LAN hosts.

    V1

    boolean

    No

    Whether to use the Lumberjack V1 protocol. Default: false. Logstash uses Lumberjack V1.

    V2

    boolean

    No

    Whether to use the Lumberjack V2 protocol. Default: true. Beats uses Lumberjack V2.

    SSLCA

    string

    No

    Path of the CA-issued signing certificate. Default: empty. Not required for self-signed certificates.

    SSLCert

    string

    No

    Path of the SSL certificate. Default: empty.

    SSLKey

    string

    No

    Path of the private key for the certificate. Default: empty.

    InsecureSkipVerify

    boolean

    No

    Whether to skip SSL verification. Default: false (SSL verification is performed).

  6. Create indexes and preview data. Then, click Next. By default, full-text indexing is enabled in Simple Log Service. You can also manually create field indexes for the collected logs or click Automatic Index Generation. Then, Simple Log Service generates field indexes. For more information, see Create indexes.

    Important

    If you want to query all fields in logs, we recommend that you use full-text indexes. If you want to query only specific fields, we recommend that you use field indexes. This helps reduce index traffic. If you want to analyze fields, you must create field indexes. You must include a SELECT statement in your query statement for analysis.

  7. Click Query Log to go to the Query & Analysis page for the Logstore.

    You may need to wait about one minute for the indexes to become effective. You can then view the collected logs on the Raw Logs tab. For more information, see Quick start for log query and analysis.

Troubleshooting

If no data appears on the preview or query page after you configure Logtail to collect logs, see Troubleshoot Logtail collection failures.

What to do next

After Logtail collects and sends data to Simple Log Service, you can view the data in the console. The following example shows PacketBeat output:

_@metadata_beat:  packetbeat
_@metadata_type:  doc
_@metadata_version:  6.2.4
_@timestamp:  2018-06-05T03:58:42.470Z
__source__:  **.**.**.**
__tag__:__hostname__:  *******
__topic__:  
_beat_hostname:  bdbe0b8d53a4
_beat_name:  bdbe0b8d53a4
_beat_version:  6.2.4
_bytes_in:  56
_bytes_out:  56
_client_ip:  192.168.5.2
_icmp_request_code:  0
_icmp_request_message:  EchoRequest(0)
_icmp_request_type:  8
_icmp_response_code:  0
_icmp_response_message:  EchoReply(0)
_icmp_response_type:  0
_icmp_version:  4
_ip:  127.0.0.1
_path:  127.0.0.1
_responsetime:  0
_status:  OK
_type:  icmp