Hi. I would like to ask help regarding Logstash stats. I have configured Logstash to receive data from multiple data sources via syslog through designated ports. For example, I receive AD logs through port 5001 of Logstash, FW logs through port 5002 of Logstash, etc. When I check on Kibana, what I see is the total number of events I have received in Logstash. What I would like to do however, is I would like to see a graph or stats for each port I have configured in Logstash so that I would have an idea how much data are coming in for each data source.
I can potentially obtain the same from Elasticsearch but I think the Logstash stats provides a more accurate way of measuring the EPS.
Make sure all events get a field or tag that describes its source, like a port number or (preferable) some textual description indicating that it's from the firewall or whatever. Or just use the hostname found in the syslog messages themselves. You'll figure something out.
Once you have that you can easily filter the events in ES or Kibana or get aggregated stats per source.
I can potentially obtain the same from Elasticsearch but I think the Logstash stats provides a more accurate way of measuring the EPS.
Why would Logstash's count be more accurate? Anyway, Logstash only provides the current throughput and doesn't store any history so you'd want to use ES/Kibana anyway.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.