Skip to main content
Logstash forwards logs to Bronto using its built-in http output plugin. This page covers Logstash configuration only. For installation instructions, see the Logstash installation guide. For the full Logstash configuration reference, see the Logstash documentation.

Endpoint and authentication

Use the ingestion endpoint for your Bronto region:
RegionEndpoint
EUhttps://ingestion.eu.bronto.io
UShttps://ingestion.us.bronto.io
Every request requires these headers:
HeaderRequiredDescription
x-bronto-api-keyRequiredYour Bronto API key.
x-bronto-datasetRequiredThe dataset to route logs to.
x-bronto-collectionRequiredThe collection to group datasets under.
x-bronto-tagsOptionalKey-value tag pairs (e.g. env=prod,team=platform). See Partitions.

Minimal configuration

Tail a log file and forward to Bronto.
/etc/logstash/conf.d/bronto.conf
input {
  file {
    id   => "app_input"
    path => "/path/to/your/logs"
  }
}

output {
  http {
    id          => "bronto_output"
    url         => "https://ingestion.<REGION>.bronto.io"
    http_method => "post"
    format      => "json"
    headers     => {
      "x-bronto-api-key"    => "<YOUR_API_KEY>"
      "x-bronto-dataset"    => "<YOUR_DATASET_NAME>"
      "x-bronto-collection" => "<YOUR_COLLECTION_NAME>"
    }
  }
}
For the full HTTP output configuration reference, see the Logstash HTTP output documentation.

Parsing unstructured logs

Rather than building grok patterns inside Logstash, ship raw log lines to Bronto and use the Bronto Custom Parser to extract structured fields server-side. The Custom Parser uses LLMs to generate parsers automatically and ships with built-in support for Apache, IIS, HAProxy, Syslog, key-value, and custom formats — no regex maintenance required.

Common patterns

The patterns below cover configuration concerns most Bronto customers run into.

Adding metadata to every log

Use the mutate filter to inject metadata — e.g. a deployment identifier, branch name, or region — into every event. Values can be referenced from environment variables via ${VAR}.
filter {
  mutate {
    add_field => {
      "branch"      => "${APP_GIT_BRANCH}"
      "environment" => "${APP_ENV}"
    }
  }
}

Multi-line logs (stack traces)

Multi-line application output — like Java, Python, or Ruby stack traces — must be reassembled at the input stage so each stack trace ships as a single log record. Use the multiline codec on the input.
input {
  file {
    id   => "app_input"
    path => "/var/log/app.log"
    codec => multiline {
      pattern => "^\s"
      what    => "previous"
    }
  }
}
The pattern above appends any line beginning with whitespace to the previous line — a common heuristic for stack traces. Adjust the pattern for your log format. See the multiline codec documentation for details.

Routing multiple log sources to separate datasets

A single Logstash instance can ship logs from multiple applications to different Bronto datasets. Tag each input distinctly, then use a conditional on each output.
/etc/logstash/conf.d/bronto.conf
input {
  file {
    id   => "api_input"
    path => "/var/log/api.log"
    tags => ["api"]
  }
  file {
    id   => "worker_input"
    path => "/var/log/worker.log"
    tags => ["worker"]
  }
}

output {
  if "api" in [tags] {
    http {
      id          => "bronto_api"
      url         => "https://ingestion.<REGION>.bronto.io"
      http_method => "post"
      format      => "json"
      headers     => {
        "x-bronto-api-key"    => "<YOUR_API_KEY>"
        "x-bronto-dataset"    => "api-service"
        "x-bronto-collection" => "<YOUR_COLLECTION_NAME>"
      }
    }
  }

  if "worker" in [tags] {
    http {
      id          => "bronto_worker"
      url         => "https://ingestion.<REGION>.bronto.io"
      http_method => "post"
      format      => "json"
      headers     => {
        "x-bronto-api-key"    => "<YOUR_API_KEY>"
        "x-bronto-dataset"    => "worker-service"
        "x-bronto-collection" => "<YOUR_COLLECTION_NAME>"
      }
    }
  }
}

Verify log collection

Once you have applied your configuration and restarted Logstash, you can expect to see your log data being ingested to Bronto and accessible via the Search page.

Further reading