Hello,
New to ELK trying to educate myself and find my way around...
I "inherited" a project where I have to update ELK (and the OS of the VMs it's running on) to the latest version. Our setup consists of a few hundred Linux systems (clients) sending system logs through rsyslog to ELK forwarders, which in turn send the logs to Elasticsearch.
The reasons we have forwarders are:
- Clients are in different (isolated) networks, so there are two forwarders for each network where they send their logs to. It's only the forwarders on each isolated network that are configured on the firewall to communicate with Elasticsearch (also on an internal isolated network).
- As per policy, we are not allowed to install agents on the clients.
The ELK forwarders have Filebeat and Logstash installed.
My questions are:
- Should I replace Filebeat and Logstash with the Elastic Agent?
- What is the advantage of having Logstash when processing syslog data? Can it do something that Filebeat cannot do?
- Whether I install Filebeat, Metricbeat, Heartbeat or I replace them with Elastic Agent, is it better to install the tarball version or the RPM version?
This is what I read here: "To simplify upgrading to future versions of Elastic Agent, we recommended that you use the tarball distribution instead of the RPM distribution."
Thanks a lot in advance for the guidance and support!