How to configure a Logstash file output

Writing Logstash events to local disk creates an audit-friendly archive and enables batch reprocessing when an external datastore is unnecessary or temporarily unavailable.

The file output plugin appends each event to a file on the Logstash host, using a codec to serialize the event body. Time-based rotation is typically handled by embedding a date pattern in path (for example output-%{+yyyy.MM.dd}.json), which causes Logstash to write to a new filename when the evaluated path changes.

File outputs do not enforce retention, compression, or disk quotas, so high-volume pipelines can exhaust free space and disrupt system services. The output directory must be writable by the Logstash service account (commonly the logstash user), and the example pipeline below reads from /var/log/syslog as an input source commonly found on Ubuntu or Debian.

Steps to configure a Logstash file output:

Create an output directory owned by the logstash user for archived events.
```
$ sudo install -d -o logstash -g logstash -m 0750 /var/log/logstash
```
Unbounded file output can fill /var and prevent system or application services from writing logs or temporary files.

Create a pipeline configuration file at /etc/logstash/conf.d/40-file-output.conf.

input {
  file {
    path => "/var/log/syslog"
    start_position => "end"
    sincedb_path => "/var/lib/logstash/sincedb-syslog"
  }
}

output {
  file {
    path => "/var/log/logstash/output-%{+yyyy.MM.dd}.json"
    codec => json_lines
  }
}

Use an absolute path for the output file to avoid writing under an unexpected working directory. Adjust the input path when /var/log/syslog is not present.

Test the pipeline configuration for syntax errors.

$ sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit
##### snipped #####
Configuration OK

Restart the logstash service to load the updated pipeline.
```
$ sudo systemctl restart logstash
```
Related: How to manage the Logstash service with systemctl in Linux

Confirm the logstash service is running after the restart.

$ sudo systemctl status logstash --no-pager
● logstash.service - logstash
     Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
     Active: active (running) since Wed 2026-01-07 05:01:53 UTC; 9s ago
   Main PID: 18526 (java)
      Tasks: 75 (limit: 28486)
     Memory: 712.6M (peak: 716.8M)
        CPU: 26.054s
##### snipped #####

Write a test syslog message so the pipeline produces an event.
```
$ logger -t logstash-test "logstash file output test"
```
The tag logstash-test makes the test event easy to locate in the output file.

Verify an output file has been created for the current date.

$ sudo ls -l /var/log/logstash/output-*.json
-rw-r--r-- 1 logstash logstash 7623 Jan  7 05:02 /var/log/logstash/output-2026.01.07.json

Verify the file output contains the test message.

$ sudo grep -m 1 logstash-test /var/log/logstash/output-*.json
{"host":{"name":"host"},"ingest_source":"beats","event":{"original":"2026-01-07T05:02:08.754281+00:00 host logstash-test: logstash file output test"},"@version":"1","message":"2026-01-07T05:02:08.754281+00:00 host logstash-test: logstash file output test","log":{"file":{"path":"/var/log/syslog"}},"@timestamp":"2026-01-07T05:02:08.817638721Z"}

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.