I have a SIEM system that sends 10,000 events per second to Logstash over Syslog TCP.
It seems there is a bottleneck on Logstash and I get only 1500 events per second.
Is there a nice solution for that?
14 GB RAM
100 GB SSD disk
There are answers to related questions here, here, and here. Basically you will need to find the bottleneck because nobody else has visibility into your system. The Monitoring APIs might help. I would start by replacing your outputs with a sink output and see how much time is being spent in each plugin in the pipeline. Then do the same with whatever output you are using. See if you can scale by adding threads.
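To see where the pipeline time goes, as the answer suggests, the node stats API (`GET /_node/stats/pipelines` on the Logstash monitoring port, 9600 by default) reports per-plugin event counts and `duration_in_millis`. The script below is an added example, not from the original thread: it ranks filters and outputs by milliseconds per event and estimates the per-worker throughput ceiling, using a constructed sample response in the shape of that API (the plugin ids and all numbers are made up).

```python
import json

# Constructed sample shaped like Logstash's GET /_node/stats/pipelines response.
# Plugin ids and numbers are made up for illustration, not real measurements.
SAMPLE_STATS = json.dumps({
    "pipelines": {
        "main": {
            "plugins": {
                "inputs": [{"id": "syslog_in", "name": "syslog",
                            "events": {"out": 900000, "queue_push_duration_in_millis": 1200}}],
                "filters": [
                    {"id": "grok_1", "name": "grok",
                     "events": {"in": 900000, "out": 900000, "duration_in_millis": 420000}},
                    {"id": "date_1", "name": "date",
                     "events": {"in": 900000, "out": 900000, "duration_in_millis": 30000}},
                ],
                "outputs": [
                    {"id": "es_out", "name": "elasticsearch",
                     "events": {"in": 900000, "out": 900000, "duration_in_millis": 150000}},
                ],
            },
        }
    }
})


def rank_plugins(stats_json, pipeline="main"):
    """Return (stage, id, name, ms_per_event) tuples, most expensive plugin first."""
    plugins = json.loads(stats_json)["pipelines"][pipeline]["plugins"]
    rows = []
    for stage in ("filters", "outputs"):
        for p in plugins.get(stage, []):
            ev = p["events"]
            handled = ev.get("in") or ev.get("out") or 0
            if handled == 0:
                continue  # plugin saw no events, so there is no cost to attribute
            rows.append((stage, p["id"], p["name"], ev["duration_in_millis"] / handled))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def worker_ceiling(rows):
    """Rough events/second one pipeline worker can push through filters and outputs."""
    ms_per_event = sum(r[3] for r in rows)
    return 1000.0 / ms_per_event if ms_per_event else float("inf")


if __name__ == "__main__":
    ranked = rank_plugins(SAMPLE_STATS)
    for stage, pid, name, ms in ranked:
        print(f"{stage:8} {name:14} {pid:10} {ms:.4f} ms/event")
    print(f"approx. ceiling per worker: {worker_ceiling(ranked):.0f} events/s")
```

Against a live node, feed the script the body of `curl -s http://localhost:9600/_node/stats/pipelines`; the plugin at the top of the ranking is the one to tune or to isolate with a sink output first.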