I'm going to chime in here to say that between logstash and rsyslog, logstash is the more experimental option. Rsyslog has been around for a long time, is heavily used, and is the default logger in many distributions.
Note: like Radu, I am not slighting logstash with this statement, nor am I saying "use rsyslog!" if you are comfortable with logstash and it meets your needs!

Brian

On Mon, Dec 10, 2012 at 6:55 AM, Radu Gheorghe <[email protected]> wrote:

> Hi Ben,
>
> 2012/12/10 Ben Bradley <[email protected]>
>
> > This is very interesting and I agree. The simpler the better. The thing I
> > like about logstash is that it outputs to ElasticSearch by default.
> > Replacing logstash and having rsyslog save to ElasticSearch seems a bit
> > more complicated and experimental.
>
> Complicated? At this point I have to agree it's a bit more complicated,
> because you'd have to compile your own rsyslog. But that's probably going
> to get simpler soon - there's a lot of work in progress on the packaging
> front. So I would assume that in a few months you could get a recent stable
> rsyslog with omelasticsearch with a couple of commands. One of which would
> be "yum install..." or "apt-get install".
>
> If it's too complicated to get rsyslog+omelasticsearch on all your servers,
> you might want to consider having a "log collector" with that configuration
> - like you initially suggested with logstash. Then, you can migrate to
> having it on all the servers when doing that becomes less complicated.
>
> Experimental? I don't agree here. People are using this in production with
> loooots of logs. In terms of features it's really rich (for example, you
> can specify parent docs to your logs), as for performance - I can bet you'd
> be struggling to get an ES cluster that can handle the amount of logs a
> single rsyslog instance can process.
>
> Side note: I'm not trying to bash logstash here. I think it's a great piece
> of software. But I think you'd only really benefit from it if you'd use its
> good inputs/output log types support, or if you want to use regex parsing
> via grok. If you don't need that functionality and syslog will do, I think
> it's nice to have less moving pieces.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.

