ECS Logging for PHP / Question

Hi guys, Im trying to ship my application events to my elasticsearch platform.
My app and elk are running on different servers (ping reachable).
I already have the php library working on a little example script taken from
After execution it echoes:
{"@timestamp":"2021-02-21T20:59:23.316323+00:00","log.level":"WARNING","message":"Be aware that...","ecs.version":"1.2.0","log":{"logger":"MyLogger"}}

In order to ship this line to my elk server, have following thoughts:
1_ Using elasticsearch api:
a ) Where should I define elasticsearch api url ?
b) Where should I define the index ?

2_ Using filebeat , (this is what I understand is needed)
a) Write logs lines to some file.
b) I install filebeat on my application server.
c) Config application log file path and provide filebeat reading permission.
d) Config filebeat parser to read my log lines.
e) Config kibana and elasticsearch api urls.
and .... filebeat will automagically create the index in elasticsearch and visualization in kibana?

I preffer option 1 .. it seems easier.
btw : Please provide more examples or complete documentation for php login library.
I can not find nothing to follow.

We aren't all guys :slight_smile:

That said, I would log this to a file and then use Filebeat. Otherwise you need to handle things like connectivity, load balancing, failures, retries etc etc in your code. Filebeat handles all of this, and you also have a local backup of your log in case things go really wrong.

Sorry for the guys thing ... (I thought guys includes both girls and boys)
Thanks for your words.
I totally agree with your idea.
On the other hand, I need to log the activity for a very small application running on a very small platform.
I would like to avoid rotating a log file and adding extra cpu load with filebeat.
So ... I steel need to try to post directly to the api.
I will investigate a little bit more and of course consider your idea as a second option.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.