hi all,
I want to ship different logs located in different machines into a remote machine where one node of elasticsearch installed. for this purpose, i want to install filebeat on each machine where logs are; so according to number of machines, I will install filebeat. now i want to filter logs using logstash, actually filebeat ship logs into logstash, i have a question about where logstash should be installed? which one does lead to better performance and less resource consuming?
1- install logstash on each machine where filebeat installed and feed the filebeat output of that machine to its logstash, then all logstash tools send the logs to elasticsearch. (in this case the number of installed logstashes is same as number of installed filebeates).
2- install just one logstash and all filebeats ship their logs into that logstash.
thanks.