How to configure a Logstash file output

Writing Logstash events to local disk creates an audit-friendly archive and enables batch reprocessing when an external datastore is unnecessary or temporarily unavailable.

The file output plugin appends each event to a file on the Logstash host, using a codec to serialize the event body. Time-based rotation is typically handled by embedding a date pattern in path (for example output-%{+yyyy.MM.dd}.json), which causes Logstash to write to a new filename when the evaluated path changes.

File outputs do not enforce retention, compression, or disk quotas, so high-volume pipelines can exhaust free space and disrupt system services. The output directory must be writable by the Logstash service account (commonly the logstash user), and the example pipeline below reads from /var/log/syslog as an input source commonly found on Ubuntu or Debian.

1. Create an output directory owned by the logstash user for archived events.

   $ sudo install -d -o logstash -g logstash -m 0750 /var/log/logstash

   Unbounded file output can fill /var and prevent system or application services from writing logs or temporary files.

2. Create a pipeline configuration file at /etc/logstash/conf.d/40-file-output.conf.

   input {
     file {
       path => "/var/log/syslog"
       start_position => "end"
       sincedb_path => "/var/lib/logstash/sincedb-syslog"
     }
   }
   
   output {
     file {
       path => "/var/log/logstash/output-%{+yyyy.MM.dd}.json"
       codec => json_lines
     }
   }

   Use an absolute path for the output file to avoid writing under an unexpected working directory. Adjust the input path when /var/log/syslog is not present.

3. Test the pipeline configuration for syntax errors.

   $ sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit
   ##### snipped #####
   Configuration OK

   Related: How to test a Logstash pipeline configuration

4. Restart the logstash service to load the updated pipeline.

   $ sudo systemctl restart logstash

   Related: How to manage the Logstash service with systemctl in Linux

5. Confirm the logstash service is running after the restart.

   $ sudo systemctl status logstash --no-pager
   ● logstash.service - logstash
        Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
        Active: active (running) since Wed 2026-01-07 05:01:53 UTC; 9s ago
      Main PID: 18526 (java)
         Tasks: 75 (limit: 28486)
        Memory: 712.6M (peak: 716.8M)
           CPU: 26.054s
   ##### snipped #####

   Related: How to manage the Logstash service with systemctl in Linux

6. Write a test syslog message so the pipeline produces an event.

   $ logger -t logstash-test "logstash file output test"

   The tag logstash-test makes the test event easy to locate in the output file.

7. Verify an output file has been created for the current date.

   $ sudo ls -l /var/log/logstash/output-*.json
   -rw-r--r-- 1 logstash logstash 7623 Jan  7 05:02 /var/log/logstash/output-2026.01.07.json

8. Verify the file output contains the test message.

   $ sudo grep -m 1 logstash-test /var/log/logstash/output-*.json
   {"host":{"name":"host"},"ingest_source":"beats","event":{"original":"2026-01-07T05:02:08.754281+00:00 host logstash-test: logstash file output test"},"@version":"1","message":"2026-01-07T05:02:08.754281+00:00 host logstash-test: logstash file output test","log":{"file":{"path":"/var/log/syslog"}},"@timestamp":"2026-01-07T05:02:08.817638721Z"}