Filebeat vs Rsyslog for forwarding logs

Asked 6/6, 2017 at 10:46 Answered 24/2, 2019 at 22:15

Solved elasticsearch logstash rsyslog filebeat

I am currently using filebeat to forward logs to logstash and then to elasticsearch.

Now, I am thinking about forwarding logs by rsyslog to logstash. The benefit of this would be that, I would not need to install and configure filebeat on every server, and also I can forward logs in JSON format which is easy to parse and filter.

I can use TCP/UDP to forward logs to logstash by rsyslog.

I want to know the more benefits and drawbacks of rsyslog over filebeat, in terms of performance, reliability and ease of use.

Nomadic answered 6/6, 2017 at 10:46 Comment(2)

You can use rsyslog to ship directly to Elasticsearch: sematext.com/blog/2015/10/05/… – Calcify 13/6, 2017 at 18:56

Indeed I am doing that now. – Nomadic 14/6, 2017 at 5:33

When you couple Beats with Logstash you have something called "back pressure management" - Beats will stop flooding the Logstash server with messages in case something goes wrong on the network, for instance.

Another advantage of using Beats is that in Logstash you can have persisted queues, which prevents you from losing log messages in case your elasticsearch cluster goes down. So Logstash will persist messages on disk. Be careful because Logstash can't ensure you wont lose messages if you are using UDP, this link will be helpful.

Seamanship answered 6/6, 2017 at 20:8 Comment(0)

Rsyslog has In-Memory, disk Queues. That should takes care of buffering messages.

Rsyslog queue-modes

Auster answered 24/2, 2019 at 22:15 Comment(0)

Recommended topics

Hot tags