How to manage the Logstash service with systemctl in Linux

Keeping the Logstash service under control makes pipeline rollouts predictable and restores event processing quickly after upgrades, crashes, or resource pressure.

On systemd-based systems, the Logstash package installs a unit named logstash.service, with runtime state exposed through systemctl and logs available in journald via journalctl.

Restarts briefly pause ingestion and can trigger back-pressure from shippers, so service actions should be timed around maintenance windows and followed by a status and log check to confirm pipelines and the HTTP API have started cleanly.

1. Check the Logstash service status.

   $ sudo systemctl --no-pager status logstash
   ● logstash.service - logstash
        Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
        Active: active (running) since Wed 2026-01-07 04:23:00 UTC; 22min ago
      Main PID: 12684 (java)
         Tasks: 101 (limit: 28486)
        Memory: 1.1G (peak: 1.1G)
           CPU: 1min 6.928s
        CGroup: /system.slice/logstash.service
                └─12684 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=true -XX:+HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -Dlog4j2.isThreadContextMapInheritable=true -Djruby.regexp.interruptible=true -Djdk.io.File.enableADS=true --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.nio.channels=ALL-UNNAMED --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.management/sun.management=ALL-UNNAMED -Dio.netty.allocator.maxOrder=11 -cp /usr/share/logstash/vendor/jruby/lib/jruby.jar:/usr/share/logstash/logstash-core/lib/jars/checker-qual-3.42.0.jar:/usr/share/logstash/logstash-core/lib/jars/commons-codec-1.17.0.jar:/usr/share/logstash/logstash-core/lib/jars/commons-compiler-3.1.0.jar:/usr/share/logstash/logstash-core/lib/jars/commons-logging-1.3.1.jar:/usr/share/logstash/logstash-core/lib/jars/error_prone_annotations-2.26.1.jar:/usr/share/logstash/logstash-core/lib/jars/failureaccess-1.0.2.jar:/usr/share/logstash/logstash-core/lib/jars/google-java-format-1.22.0.jar:/usr/share/logstash/logstash-core/lib/jars/guava-33.1.0-jre.jar:/usr/share/logstash/logstash-core/lib/jars/httpclient-4.5.14.jar:/usr/share/logstash/logstash-core/lib/jars/httpcore-4.4.16.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-annotations-2.16.2.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-core-2.16.2.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-databind-2.16.2.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-dataformat-cbor-2.16.2.jar:/usr/share/logstash/logstash-core/lib/jars/janino-3.1.0.jar:/usr/share/logstash/logstash-core/lib/jars/javassist-3.30.2-GA.jar:/usr/share/logstash/logstash-core/lib/jars/jsr305-3.0.2.jar:/usr/share/logstash/logstash-core/lib/jars/jvm-options-parser-8.19.9.jar:/usr/share/logstash/logstash-core/lib/jars/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-1.2-api-2.17.2.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.17.2.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.17.2.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-jcl-2.17.2.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.17.2.jar:/usr/share/logstash/logstash-core/lib/jars/logstash-core.jar:/usr/share/logstash/logstash-core/lib/jars/reflections-0.10.2.jar:/usr/share/logstash/logstash-core/lib/jars/slf4j-api-1.7.32.jar:/usr/share/logstash/logstash-core/lib/jars/snakeyaml-2.2.jar org.logstash.Logstash --path.settings /etc/logstash
   ##### snipped #####

2. Start the Logstash service.

   $ sudo systemctl start logstash

3. Stop the Logstash service.

   $ sudo systemctl stop logstash

   Stopping the service halts ingestion and event processing until the service is started again.

4. Restart the Logstash service to apply changes.

   $ sudo systemctl restart logstash

   Pipeline initialization can take time; check the journal if startup appears slow.

5. Enable Logstash to start on boot.

   $ sudo systemctl enable logstash
   Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service → /usr/lib/systemd/system/logstash.service.

   Use systemctl enable --now logstash to enable and start in a single command.

6. Disable Logstash from starting on boot.

   $ sudo systemctl disable logstash
   Removed "/etc/systemd/system/multi-user.target.wants/logstash.service".

7. Review recent service logs in the system journal.

   $ sudo journalctl --unit=logstash --no-pager --lines=120
   Jan 07 04:23:30 host logstash[12684]: [2026-01-07T04:23:30,131][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
   Jan 07 04:23:30 host logstash[12684]: [2026-01-07T04:23:30,844][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>10, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1250, "pipeline.sources"=>["/etc/logstash/conf.d/10-main.conf", "/etc/logstash/conf.d/15-beats-input-5045.conf", "/etc/logstash/conf.d/50-stdout-output.conf"], :thread=>"#<Thread:0x7ae57647 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:138 run>"}
   Jan 07 04:23:39 host logstash[12684]: [2026-01-07T04:23:39,284][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
   ##### snipped #####

   Add --follow to stream logs live until interrupted.

8. Verify the service is active after changes.

   $ sudo systemctl is-active logstash
   active