Hello,
Last year I found that Logstash doesn't perform load balancing between inputs and 'prefers' inputs that don't have a pushback mechanism or for which pushback is not relevant (like the syslog input).
I'm thinking about pointing all of my FileBeat army (around 40 instances) to ship json-line formatted logs directly to our ES cluster using FileBeat's ES output.
Existing Logstash instances will still process logs that can't be shipped directly to ES.
The root cause is that there's a lot of contention on our Logstash instances, which I'd like to minimize.
Can anyone comment on her/his experience with pointing FileBeat directly at an ES cluster?
It is mentioned here that FileBeat specifically ignores the max_retries configuration option.
On one hand, it's good that it'll keep trying to ship an event if ES returns a failure response.
On the other hand, what if the failed event has an incorrect structure that doesn't match the index mapping? Will it still try to ship the broken event, or will it fail on the ES side with an error logged to file?
Are you using JSON logs to be sent to Elasticsearch or just the basic default content? If the second, I would not expect any events that don't match the mapping. What is the structure of your event?
My logs are formatted as valid JSON (one per line), and the filter in Logstash that handles those events only renames some fields (today I implemented the rename operation in our application, so the filter is actually redundant).
The index template on the ES side has the relevant mapping to facilitate the events I'm going to shoot at it.