Filebeat vs. rsyslog imfile module

Hi there,

In the context of a modern enterprise Linux environment, where rsyslog is pretty much omnipresent, I was wondering if there is any reason to prefer Filebeat vs. just using the imfile module of rsyslog. Has anybody tested both alternatives in production? Any thoughts?

Thanks,
Dan

Rsyslog can and does send lines from files, but if I recall correctly, they end up wrapped in syslog format. You wind up having to parse or extract it back out to save space.

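The wrapping described in the reply above can be seen, and switched off, in the rsyslog configuration itself. The following is an added example written for this thread, not configuration posted by anyone in it; the file path, tag and target host are placeholders.

```conf
# Added example (not from this thread): forwarding an application log file
# with rsyslog's imfile module. Path, tag and target host are placeholders.
module(load="imfile")

# Each line read from the file becomes one syslog message. The line text
# lands in the %msg% property; tag, facility and severity are assigned here,
# since the file itself carries none.
input(type="imfile"
      File="/var/log/myapp/app.log"
      Tag="myapp"
      Facility="local0"
      Severity="info"
      ruleset="fwd_myapp")

# With rsyslog's default forwarding template the receiver gets each line
# wrapped in a syslog header, roughly (constructed sample, PRI 134 = local0.info):
#   <134>2024-01-01T12:00:00.000000+00:00 host myapp: <original line>
# and has to strip that header again before parsing the application's own format.

# A string template that emits only the original line avoids that round trip.
template(name="RawLine" type="string" string="%msg%\n")

ruleset(name="fwd_myapp") {
    # Forward over TCP; template="RawLine" replaces the default syslog wrapping.
    action(type="omfwd" target="logs.example.internal" port="514"
           protocol="tcp" template="RawLine")
}
```

Dropping the header is a trade-off: the receiver also loses the hostname and the timestamp rsyslog would have stamped on each line, so it only makes sense when the application's own log lines already carry both, or when the collector attributes the stream by connection. If they do not, keep the default template and strip the header centrally, as the reply above describes.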

I would say it really is how you want to see it done.

If you're really pushed for resources, having one agent (Filebeat or rsyslog) would save you megs and CPU cycles.

If you crash rsyslog you run the risk of your system freezing. Once enough kernel-level logs queue up, your system will freeze till you recycle rsyslog.

Honestly, I know that Filebeat is what everyone is using, but I personally install the full version of Logstash and do all my parsing on the system with the log files. Sort of distributed processing, rather than a central server. But I am processing a lot of data.

Other than that I could not think of any reason to use one over the other.

Rsyslogd crashing and the system freezing would certainly be a strong argument in favour of using filebeat (or logstash). Does that happen a lot, in your experience?

You mentioned you process a lot of data. Would you say that rsyslogd crashing is something that you've seen only with higher loads?

I never did the imfile configurations; rsyslog is very stable, though it does get frozen when file system errors occur. Like a disk going bad and becoming read-only. Or something is wrong when the system comes up.

In general, the default settings on rsyslog are very stable. As you add more complexity, the chance of "unavailability" grows too.

My gut feeling is that if you had an issue it was probably the result of something else going wrong. Like hardware failure or the application writing the logs running away.

Well I could definitely live with the occasional system freeze caused by hardware failure and the like.

I'm thinking of preferring rsyslog to the other solution for ease of deployment and configuration (it's already installed on all our servers). I think it offsets quite nicely the inconvenience of unpacking the data from the syslog format it gets sent in.
