About sending logs from an external SIEM (including ArcSight, QRadar, Splunk, ELK...) to a receiving Elastic Agent or Logstash over TCP/UDP

Hi everyone, I have a question: when should I use TCP, and when should I use UDP, to forward logs? Or is it simply better to use TCP or UDP?

The situation is about sending logs from an external SIEM (including ArcSight, QRadar, Splunk, ELK...) to a receiving Elastic Agent or Logstash, where the listening port is opened on the Elastic Agent using the "Custom TCP/UDP logs" integration.
Note: this situation is not about Elastic Agent or Logstash forwarding to Elasticsearch, so please don't be confused!

Many thanks!

Hello, is anyone here? Please help me.

Welcome to our community! :smiley:

We are happy to help, but we don't provide SLAs on response times, sorry.

TCP means you won't lose data; UDP means you will. So it comes down to the requirements you have for your logs and data.


Hello,

There is no need to bump your post when not even a full day has passed; keep in mind that this forum has no SLA, even more so at this time of year.

This depends entirely on your infrastructure and what you will monitor. Whether you should use TCP or UDP, or which one is better, is not a question related to the Elastic Stack; it is a network question.

Basically, TCP is more reliable and will try to resend lost packets, but has a little more overhead; UDP is less reliable and will not resend lost packets, but has less overhead.

You can read this post about the difference between the protocols.

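As an added example (not part of the original thread, and not Elastic's or any SIEM vendor's code), the following Python script shows the practical difference the reply above describes. It forwards a handful of constructed syslog-style lines over both transports to a listener on loopback, which stands in for the Elastic Agent "Custom TCP/UDP logs" input (an assumption; the real input would be on another host). It assumes the TCP receiver is line-oriented, so the sender newline-frames each message; the UDP side needs no framing because each datagram is one message. The second function sends to a port nobody listens on: TCP refuses the connection and the forwarder notices, while UDP reports success and the message is silently gone, which is the "you will lose data" case in the replies, reproduced deterministically.

```python
import socket
import threading

# Constructed syslog-style sample lines; they are not from the original thread.
SAMPLE_LOGS = [
    f"<134>1 2024-01-01T00:00:{i:02d}Z siem01 forwarder - - - event seq={i}"
    for i in range(40)
]

HOST = "127.0.0.1"   # loopback stands in for the Elastic Agent / Logstash host (assumption)
TIMEOUT = 5          # seconds; keeps the demo from hanging if something goes wrong


def _tcp_receiver(listener, out, expected):
    """Accept one connection and rebuild newline-framed messages from the byte stream.

    TCP delivers a reliable, ordered stream but has no message boundaries, so the
    receiver must split on the delimiter itself. The deliberately tiny recv() size
    shows that one read may return part of a line or several lines at once.
    """
    try:
        conn, _ = listener.accept()
    except socket.timeout:
        return
    conn.settimeout(TIMEOUT)
    buf = b""
    with conn:
        try:
            while len(out) < expected:
                chunk = conn.recv(7)
                if not chunk:          # sender closed the connection
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    out.append(line.decode())
        except socket.timeout:
            pass


def _udp_receiver(listener, out, expected):
    """Each recvfrom() returns exactly one datagram: UDP keeps message boundaries,
    but a datagram dropped anywhere on the path is simply never seen."""
    try:
        while len(out) < expected:
            data, _ = listener.recvfrom(65535)
            out.append(data.decode())
    except socket.timeout:
        pass   # the sender will not retransmit; whatever is missing is lost for good


def deliver(lines, proto):
    """Forward `lines` over `proto` ("tcp" or "udp") to a local listener and
    return the messages the listener actually received."""
    received = []
    if proto == "tcp":
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind((HOST, 0))
        listener.listen(1)
        listener.settimeout(TIMEOUT)
        port = listener.getsockname()[1]
        t = threading.Thread(target=_tcp_receiver, args=(listener, received, len(lines)))
        t.start()
        with socket.create_connection((HOST, port), timeout=TIMEOUT) as s:
            for line in lines:
                s.sendall(line.encode() + b"\n")   # newline framing for a line-oriented TCP input
    elif proto == "udp":
        listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        listener.bind((HOST, 0))
        listener.settimeout(TIMEOUT)
        port = listener.getsockname()[1]
        t = threading.Thread(target=_udp_receiver, args=(listener, received, len(lines)))
        t.start()
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for line in lines:
                s.sendto(line.encode(), (HOST, port))  # one datagram per message, no framing
    else:
        raise ValueError(proto)
    t.join()
    listener.close()
    return received


def send_with_no_listener(proto):
    """Send one message to a port nobody is listening on.

    TCP refuses the connection, so the forwarder knows immediately that nothing
    was delivered. UDP reports the datagram as sent and the message is gone silently.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as probe:   # find a free port, then release it
        probe.bind((HOST, 0))
        port = probe.getsockname()[1]
    message = SAMPLE_LOGS[0].encode() + b"\n"
    if proto == "tcp":
        try:
            with socket.create_connection((HOST, port), timeout=TIMEOUT) as s:
                s.sendall(message)
                return "sent"
        except ConnectionRefusedError:
            return "refused"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (HOST, port))   # succeeds: no handshake, no acknowledgement
        return "sent"


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        got = deliver(SAMPLE_LOGS, proto)
        print(f"{proto}: {len(got)}/{len(SAMPLE_LOGS)} messages received")
        print(f"{proto} with no listener: {send_with_no_listener(proto)}")
```

On loopback both transports deliver every line, which is why the choice only shows up under load or across a lossy network: TCP retransmits and applies backpressure to the sending SIEM, while a UDP forwarder keeps sending at full speed and nothing on either side records what was dropped. The no-listener case is the easiest way to see that asymmetry without a lossy link.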

Thanks for replying. Since both Elastic Agent and Logstash can receive logs over UDP and TCP, I just wondered :sweat_smile:. Thanks again for the reply!
