Implementation question: Central syslog server vs filebeat on each machine

I am new to elasticsearch. We are currently migrating from Splunk to Elastic. When we setup splunk the best practice was to use a central syslog server and ingest all the different servers logs from one point. Does Elastic have a best practice concerning this? Does it make more sense to install Filebeat on every server and manage them individually or use rsyslog to forward them to one location and then ingest them?


Hey @andywt123, welcome to discuss :slightly_smiling_face:

Good to see that you are giving a try to Filebeat :slightly_smiling_face:

To make the most of Filebeat it is recommended to install it on every server, this way all the data collected can be better enriched with metadata only available locally on each server, and you can use different modules depending on the software installed on each one of the servers.

Although not recommended, if in your case it is not possible to install Filebeat in all your servers for any reason, you can still forward the logs to a machine and install Filebeat there for ingestion. Filebeat can also act as syslog server using the syslog input.

You can read more about enriching events with metadata here:
For the available modules, take a look here:
For the available inputs, here:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.