Filebeat vs Rsyslog for forwarding logs

Question

I am currently using filebeat to forward logs to logstash and then to elasticsearch.

Now, I am thinking about forwarding logs by rsyslog to logstash. The benefit of this would be that, I would not need to install and configure filebeat on every server, and also I can forward logs in JSON format which is easy to parse and filter.

I can use TCP/UDP to forward logs to logstash by rsyslog.

I want to know the more benefits and drawbacks of rsyslog over filebeat, in terms of performance, reliability and ease of use.

You can use rsyslog to ship directly to Elasticsearch: https://sematext.com/blog/2015/10/05/recipe-apache-logs-rsyslog-parsing-elasticsearch/ — Radu Gheorghe, Jun 13 '17 at 18:56

score 8 · Accepted Answer · answered Jun 06 '17 at 20:08

When you couple Beats with Logstash you have something called "back pressure management" - Beats will stop flooding the Logstash server with messages in case something goes wrong on the network, for instance.

Another advantage of using Beats is that in Logstash you can have persisted queues, which prevents you from losing log messages in case your elasticsearch cluster goes down. So Logstash will persist messages on disk. Be careful because Logstash can't ensure you wont lose messages if you are using UDP, this link will be helpful.

score 2 · Answer 2 · answered Feb 24 '19 at 22:15

2

Rsyslog has In-Memory, disk Queues. That should takes care of buffering messages.

Rsyslog queue-modes

answered Feb 24 '19 at 22:15

JBB

105
6

Filebeat vs Rsyslog for forwarding logs

2 Answers2