Hi everyone, I have a question: when should I use TCP, and when should I use UDP to forward logs? Or is it better to use TCP or UDP?
The situation is about sending logs from an external SIEM (including ArcSight, QRadar, Splunk, ELK...) to a receiving Elastic Agent or Logstash, by opening a listening port on Elastic Agent with the "Custom TCP/UDP logs" integration. Note: this situation is not about Elastic Agent or Logstash forwarding to Elasticsearch, please don't be confused!
There is no need to bump your post when not even a full day has passed. Keep in mind that this forum has no SLA, even more so at this time of the year.
This depends entirely on your infrastructure and what you will monitor. Whether you should use TCP or UDP, or which one is better, is not a question related to the Elastic Stack; it is a network question.
Basically, TCP is more reliable and will try to resend lost packets, but has a little more overhead; UDP is less reliable and will not resend lost packets, but has less overhead.
You can read this post about the difference between the protocols.
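The reliability difference described in the reply above, shown on the loopback interface with a small Python script. This is an added example, not code from the thread or from Elastic: it forwards a few constructed syslog-style lines to a local receiver over TCP and over UDP, then repeats the send against a port where nothing is listening. The TCP sender learns immediately that the receiver is down; the UDP sender gets no feedback and the datagrams are simply lost. Newline framing for the TCP stream is an assumption chosen to mirror a line-based log input; the port numbers are allocated at run time.

```python
import socket
import threading

# Constructed sample log lines in syslog style; not from any real SIEM.
SAMPLE_LOGS = [
    "<134>Jan 10 12:00:01 siem01 arcsight: rule=brute-force src=10.0.0.5 count=12",
    "<134>Jan 10 12:00:02 siem01 arcsight: rule=port-scan src=10.0.0.9 ports=48",
    "<134>Jan 10 12:00:03 siem01 arcsight: rule=callback src=10.0.0.7 dst=198.51.100.20",
]

LOOPBACK = "127.0.0.1"


def _tcp_receiver(server, results):
    """Accept one connection, read until the sender closes, split on newlines."""
    conn, _ = server.accept()
    with conn:
        buf = b""
        while chunk := conn.recv(4096):
            buf += chunk
    # Assumed framing: one log event per line (newline-delimited stream).
    results.extend(buf.decode().splitlines())


def _udp_receiver(server, results):
    """Collect datagrams until the socket goes quiet; each datagram is one event."""
    server.settimeout(0.5)
    try:
        while True:
            data, _ = server.recvfrom(65535)
            results.append(data.decode())
    except socket.timeout:
        pass


def forward(lines, proto):
    """Forward lines to a live local receiver over 'tcp' or 'udp'; return what arrived."""
    results = []
    if proto == "tcp":
        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server.bind((LOOPBACK, 0))
        server.listen(1)
        port = server.getsockname()[1]
        worker = threading.Thread(target=_tcp_receiver, args=(server, results))
        worker.start()
        # TCP: connection setup fails loudly if nobody is listening,
        # and sendall() only returns once the kernel has accepted every byte.
        with socket.create_connection((LOOPBACK, port)) as s:
            s.sendall(("\n".join(lines) + "\n").encode())
    else:
        server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        server.bind((LOOPBACK, 0))
        port = server.getsockname()[1]
        worker = threading.Thread(target=_udp_receiver, args=(server, results))
        worker.start()
        # UDP: one datagram per event, no handshake, no acknowledgement.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for line in lines:
                s.sendto(line.encode(), (LOOPBACK, port))
    worker.join()
    server.close()
    return results


def forward_to_dead_receiver(lines, proto):
    """Same send with no listener: TCP reports the failure, UDP reports nothing."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    probe = socket.socket(socket.AF_INET, kind)
    probe.bind((LOOPBACK, 0))
    port = probe.getsockname()[1]
    probe.close()  # port is now free: nothing is listening on it
    if proto == "tcp":
        try:
            with socket.create_connection((LOOPBACK, port), timeout=1) as s:
                s.sendall(("\n".join(lines) + "\n").encode())
            return "delivered"
        except OSError as exc:
            # Connection refused: the sender knows the logs did not arrive.
            return f"error: {type(exc).__name__}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode(), (LOOPBACK, port))
    # No error is raised; the datagrams were dropped and nobody was told.
    return "sent"


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        got = forward(SAMPLE_LOGS, proto)
        print(f"{proto} live receiver: {len(got)}/{len(SAMPLE_LOGS)} events arrived")
        print(f"{proto} dead receiver: {forward_to_dead_receiver(SAMPLE_LOGS, proto)}")
```

The practical consequence for the setup in the question: with a TCP listener on the Elastic Agent, an outage on the receiving side surfaces as connection errors on the sending SIEM, which can be alerted on; with a UDP listener, a stopped agent or a full receive buffer produces a silent gap in the index that only a count-based comparison against the source would reveal.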
Thanks for replying. Since Elastic Agent and Logstash both have the ability to receive logs using UDP and TCP, I just wondered. Thanks again for the reply!