I am investigating what to use to index application log files into Elasticsearch.
===Use Case===
I have a microservice developed using Spring Boot. The logging framework I use is Logback.
Options to log application output are:
File -- Basic file appender
TCP Socket -- LogstashTcpSocketAppender
In the first use case, output is plain text (not JSON). My options here, I assume, are to use a lightweight shipper such as Filebeat (to handle multiline events) and then output to Logstash.
OR
Output in JSON format over TCP and have Logstash listen on that port
input { tcp { codec => "json" port => 5000 } }
Am I barking up the wrong tree, or are those my two options?
I'd dump the logs to a local file in JSON format, then use Filebeat to ship that. I don't like shipping logs directly over the network since network or server outages could lead to either a blocked application or dropped logs.
This is the part I am not sure about.
The framework logstash encoder has an encoder called LoggingEventCompositeJsonEncoder that can provide greater flexibility in the JSON format.
So I am thinking if I defined patterns at the logging level, do I really need to ship to logstash?
I understand your point about directly over the network. My colleague has mentioned that beats and/or logstash will have a retry mechanism in place for network failures. Is that true?
So I am thinking if I defined patterns at the logging level, do I really need to ship to logstash?
That depends on what kind of filtering you might want to do in Logstash, and if Elasticsearch is the only output you're interested in. There is no right or wrong here. It depends on your needs and preferences.
I understand your point about directly over the network. My colleague has mentioned that beats and/or logstash will have a retry mechanism in place for network failures. Is that true?
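The local-file approach recommended earlier in the thread, modelled as an added example that is not part of the original posts and is not Filebeat's code: the application only writes JSON lines to disk, and a separate shipper advances its saved offset only after a send succeeds, so an outage delays events instead of dropping them or blocking the application. The `Shipper` class, the `send` callback and the file names are hypothetical, and the log lines are constructed.

```python
import json, os, tempfile

class Shipper:
    """Ships JSON lines from a file; the offset is committed only after a successful send."""
    def __init__(self, log_path, registry_path, send):
        self.log_path, self.registry_path, self.send = log_path, registry_path, send

    def _offset(self):
        try:
            with open(self.registry_path) as f:
                return int(f.read() or 0)
        except FileNotFoundError:
            return 0

    def run_once(self):
        """Ship complete lines past the committed offset; return how many were sent."""
        shipped, offset = 0, self._offset()
        with open(self.log_path, "rb") as f:
            f.seek(offset)
            while (line := f.readline()).endswith(b"\n"):  # stop at EOF or a half-written line
                try:
                    self.send(json.loads(line))
                except ConnectionError:
                    break  # outage: offset stays put, so the next run retries this line
                offset = f.tell()
                with open(self.registry_path, "w") as r:
                    r.write(str(offset))
                shipped += 1
        return shipped

def demo():
    """Constructed scenario: receiver down on the first run, back up on the second."""
    tmp = tempfile.mkdtemp()
    log, reg = os.path.join(tmp, "app.json"), os.path.join(tmp, "registry")
    received, state = [], {"up": False}

    def send(event):  # hypothetical stand-in for the connection to Logstash
        if not state["up"]:
            raise ConnectionError("receiver unreachable")
        received.append(event["message"])

    with open(log, "w") as f:  # the application writes locally and never blocks on the network
        for i in range(3):
            f.write(json.dumps({"level": "INFO", "message": f"event {i}"}) + "\n")
    shipper = Shipper(log, reg, send)
    during_outage = shipper.run_once()
    state["up"] = True
    return during_outage, shipper.run_once(), shipper.run_once(), received
```

Committing the offset after the send gives at-least-once delivery: a crash between the send and the offset write re-sends that one line on restart, so the receiving side should tolerate duplicates.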