I am new to Elasticsearch. We are currently migrating from Splunk to Elastic. When we set up Splunk, the best practice was to use a central syslog server and ingest all the different servers' logs from one point. Does Elastic have a best practice concerning this? Does it make more sense to install Filebeat on every server and manage them individually, or to use rsyslog to forward them to one location and then ingest them?
To make the most of Filebeat it is recommended to install it on every server, this way all the data collected can be better enriched with metadata only available locally on each server, and you can use different modules depending on the software installed on each one of the servers.
Although not recommended, if in your case it is not possible to install Filebeat on all your servers for any reason, you can still forward the logs to a machine and install Filebeat there for ingestion. Filebeat can also act as a syslog server using the syslog input.
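As an added illustration (not part of the original answer), here is a `filebeat.yml` for the second option: a single collector machine that receives syslog from the other servers over UDP and TCP and ships it to Elasticsearch. The listen addresses, ports, the `relay` tag and the Elasticsearch URL are assumptions for this example; adjust them to your environment.

```yaml
# filebeat.yml on the central collector (example configuration, not from the original post)
filebeat.inputs:
  # Receive syslog forwarded by rsyslog on the other servers.
  # Both protocols are listened on; assumed port 9000 is not a privileged port,
  # so Filebeat does not need to run as root for this.
  - type: syslog
    protocol.udp:
      host: "0.0.0.0:9000"
    tags: ["relay"]          # mark events as having passed through the relay
  - type: syslog
    protocol.tcp:
      host: "0.0.0.0:9000"
    tags: ["relay"]

processors:
  # Adds host.* fields describing the machine Filebeat runs on.
  # Caveat: on a central collector this is the collector, not the server
  # that produced the line; the originating host is only what the syslog
  # header carried, so per-server Filebeat gives richer, more reliable metadata.
  - add_host_metadata: ~

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]   # assumed address
  username: "filebeat_writer"                              # assumed credentials
  password: "${ES_PASSWORD}"                               # read from the keystore/env
```

With the recommended per-server deployment you would instead enable the relevant Filebeat modules on each host (for example `filebeat modules enable system`) and let `add_host_metadata` describe the actual origin machine, which is the enrichment the answer refers to.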