Beats: Comparison with Rsyslog

Created on 6 Jun 2017 · 1Comment · Source: elastic/beats

I am posting this discussion question here as I did not get any response from community(elastic & stackoverflow) and nobody can tell this better than you.

I am using filebeat to forward logs to logstash and then to elasticsearch.

I am thinking about using rsyslog for this purpose in place of filebeat. I can use TCP/UDP to send logs to logstash via rsyslog.
Also, I can send the logs in JSON format using JSON template in rsyslog. The JSON format is easy to parse for logstash and also filtering will be easy. Moreover, I would no longer need to install and configure filebeat on all the servers.

I want to ask what are drawbacks and benefits of using rsyslog over filebeat, in terms of performance, reliability and ease ?

question

Source

luvpreetsingh

Most helpful comment

The Beats protocol offers encryption, offers at-least-once guarantees, and is sensitive to back pressure. This means Filebeat can't overload Logstash/Elasticsearch by mistake, it will automatically slow down the sending rate, without dropping any messages. This is not possible with UDP and can be difficult to achieve with TCP. That said, the rsyslog -> Logstash combination might be the right one for you if you are fine with dropping messages occasionally.

We do prefer this type of questions on https://discuss.elastic.co/c/beats Can we continue the discussion there, please?