Logback TCP Appender Vs Filebeat structured logging

baldur · August 21, 2017, 10:33pm

Hi all,
I use Elastic Stack to centralize logs from Java web applications. Logs are based on Sfl4j+Logback so I've used Logback JSON encoder. I've setup two possible solutions:

LogstashTcpSocketAppender: messages are directly shipped to Logstash (without Filebeat)
FileAppender to output JSON structured messages: Filebeat parses json log files and sends them to Logstash. In this case, Logstash needs an aditional filter to parse json objects.

The first option seems to be simpler but the second option allows offline parsing. What's the best practice in this scenario?

Thanks very much

magnusbaeck · August 23, 2017, 8:50pm

I suggest you don't make your application dependent on shipping stuff over the network for logging. Keep things simple and let the application just write the logs to disk.

Filebeat parses json log files and sends them to Logstash. In this case, Logstash needs an aditional filter to parse json objects.

Or you let Filebeat parse the JSON. Or let Logstash do it via a json codec in the beats input.

baldur · August 24, 2017, 8:41pm

OK Magnus, I really appreciate your quick response

Topic		Replies	Views
Indexing application log files to elasticsearch Logstash	7	2191	July 6, 2017
Logstash forwarder vs. logback json encoder Logstash	3	1971	July 6, 2017
Filebeat vs log4j TCP vs logstash as a shipper Beats	2	3195	January 3, 2017
Send JSON formatted logs directly to elasticsearch Elasticsearch	5	9758	April 4, 2017
Dec 10th, 2017: [DE][ElasticStack] Zentrale Applikations-Logs mit dem Elastic Stack Advent Calendar	3	1914	August 23, 2018

Logback TCP Appender Vs Filebeat structured logging

Related topics