Is it better to send all beats data to logstash or send it directly to elasticsearch? I'm in the process of engineering my setup here and was wonder what is considered best practice?
i always had logstash parsing the log messages before sending to elasticsearch.
now im testing a setup with two instances, where filebeat native modules (like apache) send to elasticsearch, and others (like cyrus, postfix) send to logstash for processing.
i'm thinking about converting my logstash parse rules to filebeat modules, but that would take some time...
It depends on what feature set you need. Logstash is much more powerful in processing data then the ingest pipeline is and for example has outputs and a local queue. If you only need to features which are provided by Filebeat + ES I would recommend the simpler setup.
1 Like
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.