Filebeat vs logstash for syslog

I've been using logstash to test ingesting logs from various network devices (mostly Cisco). It works well. I see that filebeat has support for syslog ingestion and specifically includes a Cisco module.

I can't seem to find the benefits of using filebeat over logstash for syslog. Are there capabilities that filebeat has that logstash doesn't? In my test bed, I have all my beats (packet, win, etc) sending to a logstash instance which passes it along to ES. In my test case using filebeat wouldn't eliminate logstash. I am using Elastic Common Schema which the beats seem to support out of the box.

In a linux world, filebeat reads logs written by rsyslog (or syslog service of choice) vs. rsyslog sending over udp (or tcp) syslog protocol which logstash can process.


  1. If your disk breaks, you can't log, filebeat can's send logs
  2. You have to read various log files
  3. Some "appliances" and most hardware won't let you install filebeat, the agent is required.


  1. If filebeat can't send, it will pickup where it left off from the files.
  2. filebeat modules "just work" for parsing even into Elastic's new SIEM.
  3. filebeat can load balance output to a list of redundant ingesting servers.
  4. If you need to add a non-syslog log (apache), filebeat is needed anyway.

Thanks @rugenl . I did find a deal breaker for filebeat & syslog in our environment. Filebeat seems to treat all syslogs sent to it as if they were created by the host it's running on. That kind of defeats the purpose. All syslogs appear to come from the same host

So it looks like I'm back to Logstash. I was really hoping to use the modules as they do simply just work like you stated.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.