Before using Lstail, you need to create a config file called lstail.conf. Lstail will search for lstail.conf in the following locations (in that order):

  • /etc/lstail.conf
  • ~/.config/lstail.conf
  • lstail.conf (in current working directory)

Alternatively, you can specify the name of the config file to be read using the --config command line parameter.

An example config file can be found below or online at The important part to modify in the config file is the server section which must be edited to point to your ElasticSearch instance to query data from.

Configuration file

timeout = 30
# refresh interval for use with --follow
refresh_interval = 5.0
initial_query_size = 10
no_header = false
header_color = light_yellow
# time range from now in the past to query events initially (e.g. 2h)
# if not specified, "1d" is used as fallback to prevent querying all documents from ElasticSearch
# can be overridden via command line option --range
# suffixes: m (minutes), h (hours), d (days)
initial_time_range =
# disable SSL certificate verification if necessary
verify_ssl_certificates = true
# index to be searched unless a saved Kibana search is specified
default_index = logstash-*
verbose = false

# local ElasticSearch cluster
# set enable to false to ignore this server block
url =

# remote ElasticSearch cluster with Basic Auth
url =
username = foobar
password = secret

# Proxy ElasticSearch access through a Kibana instance
url =
username = foobar
password = secret
# new-line separated list(indent new lines) of additional HTTP headers to be sent,
# e.g. useful when using Kibana as ElasticSearch proxy:
# url = and headers = kbn-xsrf: 1
# Kibana 4.x wants: kbn-version: 4.x.y
headers = kbn-xsrf: 1
  some-other-header: foobar

# the name of the index of Kibana (4.x or newer) in ElasticSearch
kibana_index_name = .kibana
# name/title of the default Saved Search from Kibana to be used for querying
# can be overridden via command line
#default_saved_search = Syslog lstail
# default set of fields to display, used if no Kibana saved search is provided or found
# these are also used for internal log messages
default_columns: timestamp, hostname, program, message

# log level names to be interpreted as warnings and errors (in lowercase, used for coloring)
log_level_names_warning: warn, warning
log_level_names_error: fatal, emerg, alert, crit, critical, error, err

timestamp = %Y-%m-%dT%H:%M:%S.%f

# Display columns:
# - the order of the following sections is important, the columns are displayed in that order
# - the columns "timestamp" and "message" are essentially and should not be removed
# This column specification is essential, do not remove it
# "names" is a list of alternative column names which are mapped to this column if found
names = timestamp, @timestamp, request_time
# Available colors = blue, green, cyan, red, magenta, brown, gray, yellow, dark_gray,
# light_blue, light_green, light_cyan, light_red, light_magenta, white, black
# Use empty value for default terminal color
color =
padding = 23
# see

names = syslog_severity, level, log_level, fail2ban_level, dj_level
display = false
color =
padding =

names = hostname, host, fromhost, logsource
color = magenta
padding = 20

names = program, application, programname
color = green
padding = 15

names = message, answer
color =
padding =

names = http_host
color = magenta
padding = 20

names = http_clientip, client, dns.client_ip
color = green
padding = >39

names = http_verb, type, dns.type
color = light_red
padding = 13

names = geoip.as_org
padding = 25

names = http_code, ttl
color = light_blue
padding = 9

names = http_auth
color = light_blue
padding = 9

names = query, dns.query
color = light_green
padding = 35

names = dns.answer
color =
padding =