Newb rsyslogd vs logstash question

Please clear the topic of whether to use rsyslog or logstash itself as the syslog receiver.

This thread (https://github.com/elastic/logstash/issues/2965) implies that using rsyslog has a great benefit over logstash as a syslog server. They say "You can bypass all of the syslog-level grok grief by using Rsyslog to output JSON formatted text to a TCP port, which Logstash can ingest."

Let's use Cisco ASA syslog, for example. Is it better to syslog to rsyslog or direct to a logstash udp/tcp port? Why? Does the logstash direct route require a bunch of grok configs that rsyslog route does not?

As a side question, it's getting clearer that I need specific config sections for each syslog type I accept. I would expect that in 2019, there would be a website that lists the configs needed for various syslog inputs. E.g. here is a sample config for a Cisco ASA, here is one for a Fortinet Firewall, here is one for a Sonicwall, for a Checkpoint, etc. Every config I have found is 4+ years old. Does such a site exist, or is everyone just scraping it together as they go?
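The rsyslog-to-JSON route quoted above, as an added example that is not from the original post or the linked issue: rsyslog receives the raw syslog (here on UDP 514, as an ASA would send it), parses the header itself, and forwards each record as one JSON line to an assumed Logstash host `logstash.example` on TCP 5140. The `format="json"` on each property escapes quotes and control characters, which matters because the message body is attacker-influenced and must not be able to break the JSON structure; `fromhost-ip` records the real sender address independently of the hostname claimed in the header.

```conf
# rsyslog.conf fragment (added example; host and ports are assumptions)

module(load="imudp")
input(type="imudp" port="514")

# One JSON object per line; every string property is JSON-escaped so that
# quotes or braces inside a log message cannot corrupt the record.
template(name="json_syslog" type="list") {
  constant(value="{")
  constant(value="\"@timestamp\":\"")  property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"source_ip\":\"") property(name="fromhost-ip" format="json")
  constant(value="\",\"host\":\"")      property(name="hostname" format="json")
  constant(value="\",\"facility\":\"")  property(name="syslogfacility-text" format="json")
  constant(value="\",\"severity\":\"")  property(name="syslogseverity-text" format="json")
  constant(value="\",\"program\":\"")   property(name="programname" format="json")
  constant(value="\",\"message\":\"")   property(name="msg" format="json")
  constant(value="\"}\n")
}

# Forward everything to Logstash over TCP using the JSON template.
action(type="omfwd" target="logstash.example" port="5140"
       protocol="tcp" template="json_syslog")
```

On the Logstash side this needs only `input { tcp { port => 5140 codec => json_lines } }`; the header fields arrive already parsed, so no syslog-header grok is required, and any device-specific parsing (such as the ASA message body) is all that remains to write.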
