Hi Ben,

2012/12/10 Ben Bradley <[email protected]>

> This is very interesting and I agree. The simpler the better. The thing I
> like about logstash is that it outputs to ElasticSearch by default.
> Replacing logstash and having rsyslog save to ElasticSearch seems a bit
> more complicated and experimental.

Complicated? At this point I have to agree it's a bit more complicated, because you'd have to compile your own rsyslog. But that's probably going to get simpler soon - there's a lot of work in progress on the packaging front. So I would assume that in a few months you could get a recent stable rsyslog with omelasticsearch with a couple of commands. One of which would be "yum install..." or "apt-get install".

If it's too complicated to get rsyslog+omelasticsearch on all your servers, you might want to consider having a "log collector" with that configuration - like you initially suggested with logstash. Then, you can migrate to having it on all the servers when doing that becomes less complicated.

Experimental? I don't agree here. People are using this in production with loooots of logs. In terms of features it's really rich (for example, you can specify parent docs to your logs), as for performance - I can bet you'd be struggling to get an ES cluster that can handle the amount of logs a single rsyslog instance can process.

Side note: I'm not trying to bash logstash here. I think it's a great piece of software. But I think you'd only really benefit from it if you'd use its good inputs/output log types support, or if you want to use regex parsing via grok. If you don't need that functionality and syslog will do, I think it's nice to have less moving pieces.

