I'm in troubles using ELK stack for analysing my Apache's logs.
Is it better to parse them with Filebeat using the Apache's module directly shipping to Elasticsearch ?
Or it's better to use grok plugin from Logstash for the Apache's log ?
Which way is the best and why ?
Hi @Paul_ALTEN and welcome 
I'd recommend you to use Filebeat module for Apache, shipping directly to Elasticsearch. The filebeat module includes an ingest pipeline with everything needed to parse Apache logs, this pipeline makes use of the grok ingest processor in Elasticsearch, that is very similar to the Logstash one you mention.
Why is it better? With this option you don't need to maintain Logstash as an additional piece in your infrastructure, and you don't need to implement your own pipeline to parse logs, because it is already provided by the Filebeat module.
You can convert the elasticsearch ingest pipelines to logstash format: https://www.elastic.co/guide/en/logstash/7.2/ingest-converter.html
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.