Elasticsearch

This plugin transfers events from Logstash to Elasticsearch and is the recommended approach for pushing events/log data from Logstash to Elasticsearch. Once the data is in Elasticsearch, it can be easily visualized using Kibana. The plugin has no mandatory parameters; by default, it tries to connect to Elasticsearch at localhost:9200.

The simplest configuration of this plugin would be as follows:

#elasticsearch1.conf

input {
  stdin {
  }
}

output {
  elasticsearch {
  }
}

Often, Elasticsearch will be hosted on a different server that's usually secured, and we might want to store the incoming data in specific indexes. Let's look at an example of this:

#elasticsearch2.conf

input {
  stdin {
  }
}

output {
  elasticsearch {
    index => "company"
    document_type => "employee"
    hosts => "198.162.43.30:9200"
    user => "elastic"
    password => "elasticpassword"
  }
}

As we can see in the preceding code, incoming events would be stored in an Elasticsearch index named company (specified using the index parameter) under the employee type (specified using the document_type parameter). Elasticsearch is hosted at the 198.162.43.30:9200 address (specified using the hosts parameter), and the user credentials of Elasticsearch are elastic and elasticpassword (specified using the user and password parameters).

If the index is not specified, the index pattern defaults to logstash-%{+YYYY.MM.dd}, and the document_type is set to the event's type field, if it exists; otherwise, the document type is assigned the value of logs/events.

You can also specify the index, document_type, and document_id dynamically by using the %{fieldname} syntax. A list of hosts can also be specified in the hosts parameter. If the protocol is not specified explicitly while defining hosts, HTTP is used by default.

It is recommended that you specify either the data nodes or ingest nodes in the hosts field.
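Because the protocol defaults to HTTP and elasticsearch2.conf keeps the password as a literal in the file, those credentials would cross the network unencrypted and sit readable on disk. The following variant is an added example, not from the original text: it uses an explicit https:// host with a CA file and reads the credentials through ${...} references. The names ES_USER and ES_PWD and the CA certificate path are assumptions.

```logstash
# elasticsearch3.conf (added example)
#
# One-time setup on the Logstash host (ES_USER / ES_PWD are assumed names):
#   bin/logstash-keystore create
#   bin/logstash-keystore add ES_USER
#   bin/logstash-keystore add ES_PWD

input {
  stdin {
  }
}

output {
  elasticsearch {
    # Explicit https:// scheme, so the HTTP default is not used
    hosts => ["https://198.162.43.30:9200"]

    # Option names as used by plugin versions that still accept document_type;
    # newer versions rename these to ssl_enabled and ssl_certificate_authorities
    ssl    => true
    cacert => "/etc/logstash/certs/ca.crt"   # placeholder path to the CA certificate

    # Resolved at startup from the Logstash keystore (or an environment variable),
    # so no secret is stored in this file
    user     => "${ES_USER}"
    password => "${ES_PWD}"

    # Dynamic index name using the %{...} syntax: one index per day
    index         => "company-%{+YYYY.MM.dd}"
    document_type => "employee"
  }
}
```

The configuration file should still be readable only by the account that runs Logstash, since it reveals the cluster address and index layout.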