I'm using Envoy, which is kind of similar to Nginx, as the gateway of my micro-services backend.
Since it's micro-services, there are five Envoys. All of the Envoys are deployed by Docker and their logs are sent to my Logstash with the Docker log driver syslog. For now, I used UDP to send the logs of the Envoys.
It seems that everything works fine. But I have issues about what I've done.
- What if UDP loses some logs? For now it seems that nothing has been lost, but what if some logs are lost? If I worry about this issue, does it mean that I have to choose TCP instead of UDP?
- What if there are too many logs to receive? My Logstash needs to receive logs and write them into a local log file. If there are too many logs (let's say I have ten Envoys, so more logs would be sent to Logstash), is it possible that Logstash can't hold all of the logs? In this case, what will Logstash do? Will it notice some error or warning log to tell me that it's losing logs? Is there some solution to solve the issue? Does Logstash provide some mechanism of cluster deployment to be able to receive more logs?