Writing Logstash events to a local file creates a simple archive, makes raw event inspection easier during pipeline changes, and provides a fallback destination when a remote output is temporarily unavailable.
The file output plugin writes each event to the path defined in the pipeline and uses the json_lines codec by default, so each line on disk is one JSON event. The output path can include event fields and the event timestamp, which makes daily file rotation possible without handing rotation logic to another plugin.
File outputs do not manage retention, compression, or free space, so an unattended pipeline can fill the target filesystem. Current Logstash 9.x releases also block superuser runs unless allow_superuser is enabled, so configuration tests are safest under the logstash service account with a throwaway --path.data directory. The example below uses a dedicated sample input file instead of /var/log/syslog so the workflow stays predictable on systems that do not run a traditional syslog daemon.
$ sudo install -d -o logstash -g logstash -m 0750 /var/lib/logstash/examples /var/log/logstash
File output keeps appending events until disk space or filesystem quotas stop it, so place the directory on storage that is monitored and rotated appropriately.
$ sudo install -o logstash -g logstash -m 0640 /dev/null /var/lib/logstash/examples/file-output.log
input {
  file {
    path => ["/var/lib/logstash/examples/file-output.log"]
    start_position => "end"
    sincedb_path => "/var/lib/logstash/file-output-demo.sincedb"
  }
}
output {
  file {
    id => "local_file_archive"
    path => "/var/log/logstash/output-%{+YYYY.MM.dd}.json"
    codec => json_lines
  }
}
The daily suffix in path is derived from the event timestamp, so delayed or backfilled events can land in an older dated file. The explicit id makes this output easier to identify in Logstash monitoring data when a pipeline has multiple outputs.
The file input path must stay absolute. If the file output path is absolute, keep a fixed directory prefix before any dynamic fields.
$ sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash --path.data /tmp/logstash-configtest --config.test_and_exit
Using bundled JDK: /usr/share/logstash/jdk
Configuration OK
[2026-04-07T08:39:13,773][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
Current Logstash releases fail the same command when run as root unless allow_superuser is enabled in /etc/logstash/logstash.yml.
$ sudo systemctl restart logstash
Restarting Logstash restarts every active pipeline in the service, which can briefly pause ingestion while plugins reopen inputs and outputs.
$ sudo systemctl status logstash --no-pager
● logstash.service - logstash
Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
Active: active (running) since Tue 2026-04-07 08:39:35 UTC; 8s ago
Main PID: 20457 (java)
Tasks: 101 (limit: 28486)
Memory: 1.1G (peak: 1.1G)
CPU: 31.262s
##### snipped #####
$ printf '2026-04-07T12:34:56Z logstash-file-test file output example\n' | sudo tee -a /var/lib/logstash/examples/file-output.log
2026-04-07T12:34:56Z logstash-file-test file output example
Because start_position is set to end, append the test line after the service is running so the input treats it as new data.
$ sudo ls -l /var/log/logstash/output-*.json
-rw-r--r-- 1 logstash logstash 211 Apr 7 08:42 /var/log/logstash/output-2026.04.07.json
The file output plugin appends by default and recreates the target file automatically if it is deleted before the next event arrives.
$ sudo grep -m 1 logstash-file-test /var/log/logstash/output-*.json
{"@version":"1","message":"logstash-file-test file output example","host":{"hostname":"loghost01"},"event":{"original":"logstash-file-test file output example"},"@timestamp":"2026-04-07T08:42:29.875345302Z"}
If the grep returns no match, append another line and inspect journalctl --unit logstash --since "5 minutes ago" --no-pager for permission errors, path mistakes, or pipeline startup failures.
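Because the file output does not manage retention or compression, the dated files need a separate cleanup job. The function below is an added example, not part of the original page or of Logstash itself. Its name prune_archive, the 2-day and 30-day thresholds, and the umask are assumptions, and it relies on the -maxdepth and -delete options of GNU or BSD find.

```shell
#!/bin/sh
# Added example: retention for the dated files written by the file output.
# Assumptions (not from the page): gzip after 2 idle days, delete after
# 30 days, umask 027 for the compressed copies.

# prune_archive DIR [COMPRESS_AFTER_DAYS] [DELETE_AFTER_DAYS]
# The body runs in a subshell so the umask change does not leak to the caller.
prune_archive() (
    dir=$1
    compress_after=${2:-2}
    delete_after=${3:-30}
    umask 027

    if [ ! -d "$dir" ]; then
        echo "prune_archive: $dir is not a directory" >&2
        exit 1
    fi

    # Select by modification time, not by the date in the file name:
    # backfilled events can still be appended to an older dated file.
    # Append with >> instead of overwriting: if Logstash recreated a dated
    # file after an earlier run compressed it, the late events become a
    # second gzip member in the same .gz. touch -r carries the last-write
    # time over so the retention check below counts from the last event.
    find "$dir" -maxdepth 1 -type f -name 'output-*.json' \
        -mtime +"$compress_after" -exec sh -c '
            gzip -c -- "$1" >> "$1.gz" && touch -r "$1" "$1.gz" && rm -f -- "$1"
        ' sh {} \;

    # Drop compressed files whose last write is outside the retention window.
    find "$dir" -maxdepth 1 -type f -name 'output-*.json.gz' \
        -mtime +"$delete_after" -delete
)

# Typical call, e.g. from a daily cron job running as the logstash user:
#   prune_archive /var/log/logstash 2 30
```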