I am looking at deploying ELK for some FreeBSD machines, and have reached the section of documentation suggesting I use Filebeat to get logs from source machines into Logstash. I immediately wondered whether I could use the built-in centralised logging features of FreeBSD.
I don't mind the idea of grabbing Filebeat (and fingers crossed the upcoming port will be much nicer than a nightlies download), but if I can use built-in features without it becoming an ELK nightmare, that feels cleaner.
Thanks @ruflin, valid point. I guess I don't want to be beating a new path into strained interoperability between the components. I'm very new to ELK so want to do things as 'standard' as I can. On the other hand I also see value in using core tools from the operating system, or at least packages from its package management system.
sysmonk on IRC was helpful in doing some sanity checking for me, so I am feeling a bit more confident to experiment now, but still interested to hear about suggestions, gotchas or other advice.
It heavily depends on your setup. If you just run one server and you need Logstash, there is no need for filebeat and you can directly use Logstash. If you have several servers and a central Logstash instance, the small and lightweight filebeat instance on each server makes sense.
There is no "one solution fits all". Best is to let us know what your limitations and setup are, so we can give some better insights. But experimenting is probably in the end the best way to figure out what fits your environment best.
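The "lightweight Filebeat on each server, central Logstash" layout described above, as an added configuration example that is not part of the thread: a `filebeat.yml` for one FreeBSD host, shipping the system and auth logs to a central Logstash over mutually authenticated TLS so the log stream cannot be read or spoofed on the wire. The hostname, port and certificate paths are assumptions.

```yaml
# Added example (not from the original thread). filebeat.yml on a FreeBSD host.
# Assumed: Logstash listens with a beats input on logstash.example.internal:5044,
# and the CA, client certificate and key live under /usr/local/etc/filebeat/.
filebeat.inputs:
  - type: log
    paths:
      - /var/log/messages     # default syslog destination on FreeBSD
      - /var/log/auth.log     # login/sudo events; the ones worth alerting on
    fields:
      os: freebsd             # lets Logstash filters branch on the source OS
    fields_under_root: true   # put "os" at the top level of each event

output.logstash:
  hosts: ["logstash.example.internal:5044"]
  # Weak setting would be plain TCP with no ssl block: any host on the
  # network could inject or read events. Instead, verify the server's
  # certificate and present a client certificate so Logstash can verify us.
  ssl.certificate_authorities: ["/usr/local/etc/filebeat/ca.crt"]
  ssl.certificate: "/usr/local/etc/filebeat/client.crt"
  ssl.key: "/usr/local/etc/filebeat/client.key"
```

On the Logstash side the matching `beats` input needs `ssl => true` with its own certificate, key and CA set, and client-certificate verification turned on, otherwise the client certificate above is never checked.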
The past month has been enlightening. Filebeat is proving worthwhile, and although I might diverge at some point to something more native to FreeBSD, I'll stick with what works and is from the same source as the other parts of the new setup.