explaingit

elastic/logstash

Analysis updated 2026-06-24

Stars · 14,847 | Language · Java | Audience · ops devops | Complexity · 4/5 | Setup · hard

TLDR

Server-side data processing pipeline that ingests logs and events from many sources, transforms them, and ships them to Elasticsearch or other stores.

Mindmap

mindmap
  root((logstash))
    Inputs
      Log files
      Syslog streams
      Beats events
      Kafka topics
    Outputs
      Elasticsearch index
      File sinks
      Kafka topics
      S3 buckets
    Use Cases
      Centralize logs
      ETL data flow
      Real-time enrich
      Ship to SIEM
    Tech Stack
      Java
      JRuby
      Gradle
      RSpec

What do people build with it?

USE CASE 1

Ship application logs from many servers into one Elasticsearch cluster for search

USE CASE 2

Parse and enrich syslog data with grok filters before storing it

USE CASE 3

Move events between Kafka, files, and databases as a flexible ETL pipeline

USE CASE 4

Build an OSS-only Logstash from source to avoid the Elastic-licensed X-Pack code

What is it built with?

Java, JRuby, Gradle, Ruby, JUnit

How does it compare?

| | elastic/logstash | theonedev/onedev | eclipse-vertx/vert.x |
|---|---|---|---|
| Stars | 14,847 | 14,986 | 14,659 |
| Language | Java | Java | Java |
| Setup difficulty | hard | moderate | moderate |
| Complexity | 4/5 | 4/5 | 4/5 |
| Audience | ops devops | ops devops | developer |

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard | Time to first run · 1 day+

Building from source needs JDK 21, JRuby 10.0.5.0, rake, bundler, and a Gradle bootstrap before any test or distribution task will run.

Dual-licensed: core engine under Apache 2.0, X-Pack features under the Elastic License which restricts hosting it as a managed service.

In plain English

Logstash is one of the four pieces in the Elastic Stack, sitting next to Beats, Elasticsearch, and Kibana. The README describes it as a server-side data processing pipeline. In plain terms, it takes data such as log files, events, or other streams from many sources at once, transforms or filters the data along the way, and then sends the result somewhere else for storage or analysis. The Elastic company built it to feed their search engine Elasticsearch, but the destination can be anything you like.

The project is extensible by design. The README mentions that there are over 200 plugins already written, and that writing your own is easy. Plugins live in separate repositories under the logstash-plugins GitHub organisation, and each one is packaged as a self-contained Ruby gem published to RubyGems.org. Bug reports and pull requests for a specific plugin are meant to go to that plugin's own repo, while this main repository handles the core engine.

Most of the README is aimed at people who want to build Logstash from source rather than just use it. The prerequisites are JDK 21, JRuby 10.0.5.0, and the Ruby tools rake and bundler. There are notes for using the RVM Ruby version manager, and instructions for setting environment variables that control whether you build the full version or only the open-source-licensed parts.

The build itself runs through Gradle. The README shows the commands to install development dependencies, install default plugins, and then start Logstash with a tiny pipeline that reads from your keyboard and prints back to the screen. There is also a tip about a tool called Drip, which keeps the Java virtual machine warm between commands so that repeated test runs start faster.

The rest of the file covers testing and building release artifacts. Core tests use RSpec for the Ruby code and JUnit for the Java code, and Gradle tasks are provided for unit tests, Java-only tests, integration tests, and single specs. For shipping, Gradle tasks build tarball or zip distributions in a local build directory.

Copy-paste prompts

Prompt 1
Write a Logstash pipeline that reads Nginx access logs, parses them with grok, and writes to Elasticsearch
Prompt 2
Set up Logstash with a Kafka input and an Elasticsearch output for a buffered log pipeline
Prompt 3
Build Logstash from source with the OSS env var so it excludes X-Pack code
Prompt 4
Create a custom Logstash filter plugin packaged as a Ruby gem and load it locally
Prompt 5
Run Logstash core tests with the gradle test task and capture the JUnit report

Frequently asked questions

What is logstash?

Server-side data processing pipeline that ingests logs and events from many sources, transforms them, and ships them to Elasticsearch or other stores.

What language is logstash written in?

Mainly Java. The stack also includes JRuby and Gradle.

What license does logstash use?

Dual-licensed: core engine under Apache 2.0, X-Pack features under the Elastic License which restricts hosting it as a managed service.

How hard is logstash to set up?

Setup difficulty is rated hard, with roughly 1 day+ to a first successful run.

Who is logstash for?

Mainly ops devops.


Verify against the repo before relying on details.