Hi everyone, I have a question when should I use TCP, and when should I use UDP to forward logs? Or is it better to use TCP or UDP?
The situation is about Sending Logs from External SIEM (include ArcSight, Qradar, Splunk, ELK...) to Receiver Elastic Agent or Logstash with method open the listen port on Elastic Agent using "Custom TCP/UDP logs" integration.
Note: This situation is not from Elastic Agent or Logstash forwarded to Elasticsearch, don't be confused please!
Many thanks!
Hello, Is anyone here? Please help me
Welcome to our community! 
We are happy to help, but we don't provide SLAs on response times sorry.
TCP means you won't lose data, UDP means you will. So it comes down to the requirements you have for your logs and data.
Hello,
There is no need to bump up your post when not even a full day has passed, keep in mind that this forum has no SLA, even more in this time of the year.
This depends entirely on your infrastructure and what you will monitor. If you should use TCP or UDP or which one is better is not a question related to the Elastic Stack, it is a network question.
Basically TCP is more reliable and will try to resend lost packets, but has a little more overhead, UDP is less reliable and will not resend lost packets, but has less overhead.
You can read this post about the difference between the protocols.
Thanks for replying. Since Elastic Agent or Logstash both have the ability to receive Logs using UDP and TCP, just wondered 
. Thanks again for the reply!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.