we are evaluating ES Stack at our company and one of the questions that came up was:
while filebeat is a lightweight log shipper, what are the benefits over just pointing syslog to logstash server?
One of our requirements is to keep the prod servers as lean as possible (adding a specific client to all our servers involve a change request, meetings, and endless etc.)
Since I don't have an answer to that I asking for advice to you all.
If you send your data to LS through syslog you can either use TCP or UDP. With udp you risk loosing log lines. With TCP I don't know what syslog will do in case the connection is lost / blocked / ... Will it continue receiving log lines or write them into a cache or block your application from add more log lines?
Writing logs to file has the advantage of fast and simple local persistent cache. Here is where filebeat comes in: It picks up these files and can then send them to Logstash on its "own" speed. Also in case of a failure filebeat has the at least once guarantee, means it will pick up reading the log files where it last stopped.
It would also be interesting to know how critical it is that each log line is sent. If UDP is enough, I think syslog input would work quite well.
Just some thoughts / inputs, not really an answer yet, but I hope this brings you one step closer to it.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.