We're launching a new cybersecurity venture! Learn more about Snowbit >

Fluent Bit Fluent Bit

Last Updated: Apr. 17, 2022

Coralogix provides seamless integration with Fluent-Bit so you can send your logs from anywhere and parse them according to your needs.


This document includes cluster dependent URL’s. Each URL has a variable part (in Italic). Please match this part with a row entry within the following table. Copy the table row entry located under the column that matches the top level domain of your Coralogix account (.com, .in etc.). Replace the variable part of the URL with this entry.

 Elasticsearch-APISSL CertificatesCluster URL
  • Have Fluent-Bit installed, for more information on how to implement: Fluent-Bit installation docs.
  • Have Coralogix output plugin installed.


You must provide the following four variables when creating a Coralogix logger instance.

Private Key –  A unique ID that represents your Coralogix team. The private key can be found under ‘Data Flow’->’API Keys’. Use the ‘Send Your Logs’ key at the bottom. Please note that the key should be inserted without quotation marks or apostrophes.

Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter or if they want to debug their test environment they might insert the “SuperData– Test”.

SubSystem Name – Your application probably has multiple subsystems, for example, Backend servers, Middleware, Frontend servers, etc. in order to help you examine the data you need, inserting the subsystem parameter is vital.


$ wget -O /fluent-bit/plugins/out_coralogix.so https://github.com/coralogix/integrations-docs/raw/master/integrations/fluent-bit/plugin/out_coralogix.so


Open your Fluent-Bit configuration file and add Coralogix output:

    # setting location for Coralogix plugin
    Plugins_File plugins.conf

    Name mem
    Tag memory

    Name        coralogix
    Match       *
    Private_Key YOUR_PRIVATE_KEY
    App_Name    APP_NAME
    Sub_Name    SUB_NAME

The first three keys (Private_key,App_nameSub_name) are mandatory.

Please add one of the lines from the table below to the configuration based on your account URL to the [output] section of the fluent-bit configuration file. This will help point your logs to the correct endpoint.

Account Url Ending with .usAccount Url Ending with .comAccount Url Ending with .in
Endpoint api.coralogix.usEndpoint api.coralogix.comEndpoint api.app.coralogix.in

Application and subsystem name

If you wish to set your application and subsystem names to a fixed value, in your config file use App_Name and Sub_Name as described above. In case your input stream is a JSON object, you can extract APP_NAME and/or SUB_NAME from the JSON using the App_Name_Key and Sub_Name_Key options in your config file instead of App_Name and Sub_Name:


For instance, with the bellow JSON App_Name_Key application will extract “testApp” into Coralogix applicationName.

    "application": "testApp",
    "subsystem": "testSub",
    "code": "200",
    "stream": "stdout",
    "timestamp": "2016-07-20T17:05:17.743Z",
    "message": "hello_world",

*Note – nested JSONs are also supported so you can extract into App_Name_Key and/or Sub_Name_Key nested values, e.g. App_Name_Key log.application.

Record content

In case your input stream is a JSON object and you don’t want to send the entire JSON, rather just a portion of it, you can add the Log_Key parameter, in your Fluent-Bit configuration file–>output section, with the name of the key you want to send. For instance, with the above example, if you write:

Log_Key message

then only the key message will be sent. If you do want to send the entire JSON then you can just delete this parameter from your configuration file.


If you want to use some field as timestamp in Coralogix, you can use Time_Key option:

Time_Key timestamp

then you will see that logs records have timestamp from this field.

Note: We accept only logs that are not older than 24 hours.


On host machine

If your Coralogix account top-level domain is different than ‘.com’ set the following environment variable

CORALOGIX_LOG_URL=https://api.Cluster URL/logs/rest/singles

To start Fluent-Bit with Coralogix output plugin, execute:

$ fluent-bit -e /fluent-bit/plugins/out_coralogix.so -c /fluent-bit/etc/fluent-bit.conf

or add Coralogix output plugin to /fluent-bit/etc/plugins.conf file:

    Path /fluent-bit/plugins/out_coralogix.so


Build a Docker image with your fluent-bit.conf:

If your Coralogix account top-level domain is different than ‘.com’ set the following environment variable

CORALOGIX_LOG_URL=https://api.Cluster URL/logs/rest/singles
FROM golang:alpine AS builder
RUN apk add --no-cache gcc libc-dev git
WORKDIR /go/src/app
RUN wget https://raw.githubusercontent.com/fluent/fluent-bit/master/conf/plugins.conf && \
    echo "    Path /fluent-bit/plugins/out_coralogix.so" | tee -a plugins.conf
RUN go mod init
RUN wget https://raw.githubusercontent.com/coralogix/integrations-docs/master/integrations/fluent-bit/plugin/out_coralogix.go && \
    go get . && \
    go build -buildmode=c-shared -o out_coralogix.so .

FROM fluent/fluent-bit:1.4
MAINTAINER Coralogix Inc. <[email protected]>
LABEL Description="Special Fluent-Bit image for Coralogix integration" Vendor="Coralogix Inc." Version="1.0.0"
COPY --from=builder /lib/libc.musl-x86_64.so* /lib/x86_64-linux-gnu/
COPY --from=builder /go/src/app/out_coralogix.so /fluent-bit/plugins/
COPY --from=builder /go/src/app/plugins.conf /fluent-bit/etc/
COPY fluent-bit.conf /fluent-bit/etc/

Before deploying your container don’t forget to mount volume with your logs.



  • Linux x64
  • Go version >= 1.11.x


You can download sources here.


$ cd plugin/
$ make

Auto-mapping support

In case your raw log message is a JSON object containing fields with information such as geographic location (lat, lon), DateTime, or Ip address, you may change and add a specific suffix (see followed examples) to the key name using a filter in your configuration (or by using Coralogix parsing rules) so the same field will be automatically mapped as geo-pointdateIP respectively. As a result, you will be able to create a geo-location map visualization, use your log timestamp as the timestamp in range queries, and with Kibana visualization and query IP addresses using the CIDR notation.

E.g. Geographic location

Original log

  "text": "Geo-point data",
  "location": { 
    "lat": 41.12,
    "lon": -71.34

Adding _geopoint suffix to the location object name

  "text": "Geo-point data",
  "location_geopoint": { 
    "lat": 41.12,
    "lon": -71.34

E.g. DateTime

Original log

  "time": "2020-10-13T09:45:33.783441Z",

Adding _custom_timestamp suffix to the time key name

 "time_custom_timestamp": "2020-10-13T09:45:33.783441Z",

Note that the time format must be date_optional_time or strict_date_optional_time.

E.g. Ip

Original log

  "ip_addr": "",

Adding _ipaddr suffix to the location object name

  "ip_addr_ipaddr": "",

If you need additional support or have any questions, our support team is available to you 24/7 via our in-app chat.

On this page