I am new to the ELK stack and I was hoping someone could answer a short question regarding architecture. I'm exploring the possibility of shipping syslog from multiple servers (to start with, in the tens) to Elasticsearch. Would one set up Logstash on each node and have each node responsible for shipping the logs to Elastic, or would you set up a single central rsyslog server, collecting from the others, that runs Logstash and have that ship the logs?
Which way would you choose and why?