Send logs from STDIN to Elasticsearch

A simple guide to send logs from STDIN to Elasticsearch in just a few minutes.

Logs are an essential part of observing any service; without them you are flying blind. But collecting and analyzing them can be a real challenge -- especially at scale. Not only do you need to solve the basic task of collecting your logs, but you must do it in a reliable, performant, and robust manner. Nothing is more frustrating than having your logs pipeline fall on its face during an outage, or even worse, disrupt more important services!

Fear not! In this guide we'll show you how to send logs from STDIN to Elasticsearch and build a logs pipeline that will be the backbone of your observability strategy.


What is Elasticsearch?

Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. As a result, it is very commonly used to store and analyze log data. It ships with Kibana which is a simple interface for visualizing and exploring data in Elasticsearch.


How This Guide Works

We'll be using Vector to accomplish this task. Vector is a popular open-source utility for building observability pipelines. It's written in Rust, making it lightweight, ultra-fast, and highly reliable. And we'll be deploying Vector as a sidecar.

The sidecar deployment strategy is designed to collect data from a single service, giving Vector a tight one-to-one coupling with each service. Typically data is collected by tailing local files via Vector's file source, but it can be collected through any of Vector's sources. The following diagram demonstrates how it works.

Vector sidecar deployment strategy.
1. Your service logs to a shared resource
Such as a file on a shared volume or anything Vector can access.
2. Vector ingests the data
Vector ingests the data through its stdin source.
3. Vector forwards the data
Vector will send logs to Elasticsearch (AWS, Elastic Cloud, self-hosted, etc).
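
In practice, steps 1 and 2 can be as simple as piping your service's stdout straight into Vector. A minimal sketch -- the `emit_logs` function below is a hypothetical stand-in for your real service, not part of Vector:

```shell
# Stand-in for your service: emits newline-delimited JSON logs to stdout.
# (Hypothetical example; substitute your real service's command.)
emit_logs() {
  echo '{"timestamp":"2024-01-01T00:00:00Z","message":"request handled","status":200}'
  echo '{"timestamp":"2024-01-01T00:00:01Z","message":"request failed","status":500}'
}

# With Vector installed and configured (see the steps below), you would
# pipe the service into it:
#   emit_logs | vector --config vector.toml
# For illustration, print the lines Vector's stdin source would receive:
emit_logs
```

Each line on stdout becomes one log event in Vector, so anything your service writes as newline-delimited text works without extra glue.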

What We'll Accomplish

To be clear, here's everything we'll accomplish in this short guide:

  • Accept newline-delimited log data through STDIN.
    • Automatically enrich logs with host-level context.
  • Send logs to Elasticsearch (AWS, Elastic Cloud, self-hosted, etc).
    • Batch data to maximize throughput.
    • Dynamically partition logs across indexes.
    • Automatically retry failed requests, with backoff.
    • Buffer your data in-memory or on-disk for performance and durability.
  • All in just a few minutes!
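
The sink behaviors listed above are all driven by configuration. Here is a hedged sketch of the relevant options -- the option names follow Vector's elasticsearch sink, batch, and buffer settings, but exact names vary across Vector versions, so check the docs for the release you install:

```toml
[sinks.out]
type = "elasticsearch"
inputs = ["in"]
# Dynamically partition logs across indexes, e.g. one index per day
# (strftime-style template; assumption -- verify against your version):
index = "vector-%Y-%m-%d"

# Batch events to maximize throughput:
[sinks.out.batch]
timeout_secs = 1

# Buffer in-memory for speed, or on-disk for durability across restarts:
[sinks.out.buffer]
type = "memory"   # or "disk"
```

Failed requests are retried automatically with backoff, so no extra configuration is needed for that bullet.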


  1. Install Vector

    curl --proto '=https' --tlsv1.2 -sSf https://sh.vector.dev | sh

    Or choose your preferred method.

  2. Configure Vector

    cat <<-VECTORCFG > vector.toml
    [sources.in]
    type = "stdin" # required

    [sinks.out]
    type = "elasticsearch" # required
    inputs = ["in"] # required
    VECTORCFG
  3. Start Vector

    vector --config vector.toml

    That's it! Simple and to the point. Hit ctrl+c to exit.
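
    To sanity-check the pipeline end to end, feed a single line in and confirm it reaches Elasticsearch. A sketch -- it assumes vector is on your PATH and Elasticsearch is reachable at localhost:9200, both assumptions about your setup:

    ```shell
    # Build one newline-delimited log line, as the stdin source expects:
    line='{"message":"hello from stdin"}'
    echo "$line"

    # To run it through the pipeline (assumes vector is on your PATH):
    #   echo "$line" | vector --config vector.toml
    # Then confirm it arrived (assumes Elasticsearch at localhost:9200):
    #   curl -s 'http://localhost:9200/_search?q=message:hello'
    ```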

Next Steps

Vector is a powerful utility and we're just scratching the surface in this guide. Here are a few pages we recommend that demonstrate the power and flexibility of Vector:

Vector GitHub repo
Vector is free and open-source!
Vector getting started series
Go from zero to production in under 10 minutes!
Vector documentation
Thoughtful, detailed docs that respect your time.