Recommendations for syslog ingestion?

We have many applications where we would like to ingest their log data into Elastic Stack; however, the log shipping mechanism is syslog (BSD, CEF, or RFC 5424). Our use case is SIEM & threat hunting.

Here are options I can think of:

  • Send the logs to a server running rsyslog or syslog-ng, then consume this data with Filebeat.
  • Send the logs to a Logstash server.

Are there other options? Of these options, which is the most recommended?

Just FYI, Filebeat has a syslog input as well, so no need for an rsyslog/syslog-ng server. See

If you would like to start simple with as few components as possible, that might be the way to go.


My understanding is that filebeat only supports syslog RFC 3164 and not RFC 5424.

Sorry, I misread. You are right; you may want to ask the developers on that issue here.
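The distinction raised in this thread (RFC 3164 versus RFC 5424) is easy to see in code. The following is an added example, not code from the thread or from Filebeat: a small Python parser that recognises both header formats, extracts facility and severity from the PRI field, and shows what happens when an RFC 5424 line is handed to an RFC 3164-only parser (it simply does not match, so the event would arrive unparsed or be dropped, which matters for a SIEM use case). The sample log lines and the function names are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample messages (not taken from the thread).
SAMPLE_3164 = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
SAMPLE_3164_PID = "<13>Oct  1 03:04:05 host1 sshd[1234]: Accepted publickey for alice"
SAMPLE_5424 = ('<165>1 2023-10-11T22:14:15.003Z fw01.example.net evntslog - ID47 '
               '[exampleSDID@32473 iut="3" eventSource="Application"] '
               'An application event log entry')

_RE_PRI = re.compile(r"^<(\d{1,3})>")

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG  (day may be space-padded)
_RE_3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RE_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+)"
    r"(?: (?P<msg>.*))?$"
)


def split_pri(pri: int) -> dict:
    """PRI = facility * 8 + severity, per both RFCs."""
    return {"facility": pri // 8, "severity": pri % 8}


def detect_format(line: str) -> str:
    """Return 'rfc5424', 'rfc3164' or 'unknown' based on the header shape."""
    m = _RE_PRI.match(line)
    if not m:
        return "unknown"
    # RFC 5424 places a VERSION number directly after PRI, e.g. "<165>1 2023-...".
    if re.match(r"^\d{1,2} ", line[m.end():]):
        return "rfc5424"
    if _RE_3164.match(line):
        return "rfc3164"
    return "unknown"


def parse_rfc3164(line: str) -> Optional[dict]:
    """RFC 3164-only parser; returns None when the header does not fit."""
    m = _RE_3164.match(line)
    if not m:
        return None
    d = m.groupdict()
    pri = int(d.pop("pri"))
    return {**d, **split_pri(pri), "format": "rfc3164"}


def parse_rfc5424(line: str) -> Optional[dict]:
    """RFC 5424 parser; returns None when the header does not fit."""
    m = _RE_5424.match(line)
    if not m:
        return None
    d = m.groupdict()
    pri = int(d.pop("pri"))
    return {**d, **split_pri(pri), "format": "rfc5424"}


def parse_syslog(line: str) -> Optional[dict]:
    """Dispatch on the detected format so neither family is silently lost."""
    fmt = detect_format(line)
    if fmt == "rfc5424":
        return parse_rfc5424(line)
    if fmt == "rfc3164":
        return parse_rfc3164(line)
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_3164_PID, SAMPLE_5424):
        print(detect_format(sample), parse_syslog(sample))
    # An RFC 3164-only parser gets nothing out of an RFC 5424 line:
    print("3164-only parser on 5424 input:", parse_rfc3164(SAMPLE_5424))
```

Running this against a sample of your own sources before choosing an ingestion path tells you which header family each application actually emits, which is the first thing to check when deciding whether a 3164-only input is sufficient or a Logstash or rsyslog/syslog-ng front end is needed.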

