Filebeat shared or per application server

We have a .NET Framework stack where each application instance is deployed on its own Windows server.

We want to move to ELK instead of just writing log files to a shared network drive.

What would be the best solution in your opinion? Having a single (or a set number) of Filebeat instances on a Linux server that read logs from the shared network drive (or mount the Windows server drives)?

Or having a Filebeat for every Windows server that hosts an instance of the application, and sending it to a shared Logstash?

Would the latter pose any performance concerns?

Thank you.

Avoid reading logs from a network share; run Filebeat on each server and have applications log to local disk.

Thank you for replying.
Could there be other solutions where I would have Filebeat instances on a separate server but just not use a network drive, and instead do something else like mount the Windows drive on the Filebeat server?

Or is having Filebeat per application server the best solution overall?

I would avoid anything using the word "mount" 🙂

Simple Filebeat configurations don't seem to use a lot of resources per instance; they might use more depending on what all is done in modules and things I haven't used yet. We are using Filebeat to harvest logs from Exchange servers without problems and there are a LOT of events.
