Hi friends,
I have a SIEM system that sends 10,000 events per second to Logstash over Syslog TCP.
It seems there is a bottleneck on Logstash and I get only 1500 events per second.
Is there a nice solution for that?
Additional data:
Server hardware:
14 GB RAM
10 CPUs
100 GB SSD disk
Ubuntu OS
There are answers to related questions here, here, and here. Basically you will need to find the bottleneck because nobody else has visibility into your system. The Monitoring APIs might help. I would start by replacing your outputs with a sink output and see how much time is being spent in each plugin in the pipeline. Then do the same with whatever output you are using. See if you can scale by adding threads.
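One way to carry out the measurement step that answer describes, as an added example that is not code from the thread: the script below reads the response of Logstash's node stats API (`GET /_node/stats/pipelines` on the default monitoring port 9600, both assumptions stated in the code) and ranks each filter and output plugin by the time it consumed, so the grok filter or the output can be compared against the whole pipeline. The `SAMPLE_STATS` document is constructed for the example and is not real data; the pipeline, plugin ids and numbers in it are invented.

```python
"""Rank Logstash pipeline plugins by time spent, from the node stats API.

Added example, not code from the forum thread. Assumptions:
  * Logstash's monitoring API answers on http://localhost:9600 (its default port);
  * GET /_node/stats/pipelines reports, per plugin, events.in / events.out /
    duration_in_millis, and per pipeline a cumulative events.duration_in_millis.
Run it once with `output { sink {} }` in the pipeline (input + filter cost only),
then again with the real output, and compare the two rankings.
"""
import json
import sys
import urllib.request

# Assumption: default monitoring API port on the local Logstash node.
STATS_URL = "http://localhost:9600/_node/stats/pipelines"

# Constructed sample response (invented numbers) in the shape of /_node/stats/pipelines.
SAMPLE_STATS = {
    "pipelines": {
        "main": {
            "events": {"in": 90000, "filtered": 90000, "out": 90000,
                       "duration_in_millis": 60000},
            "plugins": {
                "inputs": [
                    {"id": "syslog_in", "name": "syslog", "events": {"out": 90000}},
                ],
                "filters": [
                    {"id": "grok_1", "name": "grok",
                     "events": {"in": 90000, "out": 90000, "duration_in_millis": 48000}},
                    {"id": "date_1", "name": "date",
                     "events": {"in": 90000, "out": 90000, "duration_in_millis": 3000}},
                ],
                "outputs": [
                    {"id": "es_out", "name": "elasticsearch",
                     "events": {"in": 90000, "out": 90000, "duration_in_millis": 9000}},
                ],
            },
        }
    }
}


def fetch_stats(url=STATS_URL, timeout=5):
    """GET the pipeline stats document from a running Logstash node."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def plugin_costs(stats, pipeline="main"):
    """Per-plugin rows (filters and outputs), most expensive first.

    'share' is the plugin's fraction of the pipeline's cumulative processing time;
    'ms_per_1k_events' is the per-event cost, which stays comparable between a
    short and a long measurement window.
    """
    pipe = stats["pipelines"][pipeline]
    total_ms = pipe["events"].get("duration_in_millis", 0)
    rows = []
    for stage in ("filters", "outputs"):
        for plugin in pipe["plugins"].get(stage, []):
            ev = plugin.get("events", {})
            ms = ev.get("duration_in_millis", 0)
            n = ev.get("in", 0)
            rows.append({
                "stage": stage[:-1],
                "id": plugin.get("id"),
                "name": plugin.get("name"),
                "events": n,
                "ms": ms,
                "ms_per_1k_events": round(ms * 1000 / n, 2) if n else 0.0,
                "share": round(ms / total_ms, 3) if total_ms else 0.0,
            })
    rows.sort(key=lambda r: r["ms"], reverse=True)
    return rows


def events_per_worker_second(stats, pipeline="main"):
    """Rough single-worker throughput: events out per second of worker time.

    duration_in_millis is summed across worker threads, not wall-clock time, so
    this is the rate one worker sustains; if the pipeline is CPU-bound the
    ceiling scales with pipeline.workers (the 'add threads' suggestion).
    """
    ev = stats["pipelines"][pipeline]["events"]
    ms = ev.get("duration_in_millis", 0)
    return round(ev.get("out", 0) * 1000 / ms, 1) if ms else 0.0


def report(stats, pipeline="main"):
    """Text table of plugin costs plus the per-worker throughput estimate."""
    lines = ["%-7s %-12s %-14s %9s %8s %10s %6s" %
             ("stage", "id", "name", "events", "ms", "ms/1k ev", "share")]
    for r in plugin_costs(stats, pipeline):
        lines.append("%-7s %-12s %-14s %9d %8d %10.2f %6.3f" % (
            r["stage"], r["id"], r["name"], r["events"], r["ms"],
            r["ms_per_1k_events"], r["share"]))
    lines.append("approx. events per worker-second: %.1f" %
                 events_per_worker_second(stats, pipeline))
    return "\n".join(lines)


if __name__ == "__main__":
    # `python rank_plugins.py live` queries the local node; anything else uses the sample.
    data = fetch_stats() if sys.argv[1:] == ["live"] else SAMPLE_STATS
    print(report(data))
```

Read the ranking the way the answer suggests: with `output { sink {} }` in place the rows show only parsing cost, so a filter that dominates there (grok in the sample) is the thing to simplify or to spread over more `pipeline.workers`; if the same filters look cheap but the real output's row grows large when it is switched back in, the output or the system behind it is what is holding the pipeline back.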