Which architecture is better? Should I collect the logs on the server side using rsyslog?

I am trying to understand which architecture is better for me. I have a few hundreds of instances that I want to send their logs to one central server.
Should I got with A (run rsyslog on the central server to collect the logs and pass them into logstash) OR should I go with B (all logs will go directly into logstash from the rsyslog clients)?

If you have any other tips about my architecture, I would love to hear.

Thanks.

BTW- I rather not use Beats, because I already have rsyslog installed

@Sagimb

Topology B reduces the number of integration points therefore reducing the overall number of failure points.

The less moving parts the better, so if Logstash Input can reduce your need for extra hardware, network hops and bandwidth and skill set required, the better!

Sticking with something because it is familiar is the road to disaster if newer better ways of solving something is present.

I also think many user cases will present themselves with Beats and Fleet Managed agents that Topology B will be the basis to future proof your solution

Thank you.

I'll stick with topology B, but i'll want to change the communication port between the rsyslog clients and the logstash to be 514.
Can I do that without running logstash as root? Will it be able to listen to port 514?

@Sagimb

You can change the tcp port in the Input settings. The port configuration is configured via the logstash input module, so you shouldn't have problems with running it under the current account you are using.

1 Like