I am using Filebeat to send logs to logstash and then to elasticsearch.
But now, I am thinking of sending the logs to a single rsyslog-server(over UDP/TCP) and then to logstash to elasticsearch. By this way, I will not need to install filebeat on my servers.
Moreover, I can send data in JSON format, which is pretty easy to filter.
I want to ask which will be better, rsyslog OR filebeat for this purpose, in terms of performance, overhead and reliability ?
Please guide me in the right direction.
When you couple Beats with Logstash you have something called "back pressure management" - Beats will stop flooding the Logstash server with messages in case something goes wrong on the network, for instance.
Another advantage of using Beats is that in Logstash you can have persisted queues, which prevents you from losing log messages in case your elasticsearch cluster goes down. So Logstash will persist messages on disk. Be careful because Logstash can't ensure you wont lose messages if you are using UDP, this link might be helpful: https://www.elastic.co/guide/en/logstash/current/persistent-queues.html
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.