On Mon, 10 Dec 2012 07:01:08 -0500 Brian Knox <[email protected]> wrote:
> I'm going to chime in here to say that between logstash and rsyslog,
> logstash is the more experimental option. Rsyslog has been around for a
> long time, is heavily used, and is the default logger in many distributions.
>
> Note, like Radu, I am not slighting logstash with this statement, nor am I
> saying "use rsyslog!" if you are comfortable with logstash and it meets
> your needs!
>
> Brian
>
>
> On Mon, Dec 10, 2012 at 6:55 AM, Radu Gheorghe <[email protected]> wrote:
>
> > Hi Ben,
> >
> > 2012/12/10 Ben Bradley <[email protected]>
> >
> > >
> > > This is very interesting and I agree. The simpler the better. The thing I
> > > like about logstash is that it outputs to ElasticSearch by default.
> > > Replacing logstash and having rsyslog save to ElasticSearch seems a bit
> > > more complicated and experimental.
> > >
> >
> > Complicated? At this point I have to agree it's a bit more complicated,
> > because you'd have to compile your own rsyslog. But that's probably going
> > to get simpler soon - there's a lot of work in progress on the packaging
> > front. So I would assume that in a few months you could get a recent stable
> > rsyslog with omelasticsearch with a couple of commands. One of which would
> > be "yum install..." or "apt-get install".
> >
> > If it's too complicated to get rsyslog+omelasticsearch on all your servers,
> > you might want to consider having a "log collector" with that configuration
> > - like you initially suggested with logstash. Then, you can migrate to
> > having it on all the servers when doing that becomes less complicated.
> >
> > Experimental? I don't agree here. People are using this in production with
> > loooots of logs. In terms of features it's really rich (for example, you
> > can specify parent docs to your logs), as for performance - I can bet you'd
> > be struggling to get an ES cluster that can handle the amount of logs a
> > single rsyslog instance can process.
> >
> > Side note: I'm not trying to bash logstash here. I think it's a great piece
> > of software. But I think you'd only really benefit from it if you'd use its
> > good inputs/output log types support, or if you want to use regex parsing
> > via grok. If you don't need that functionality and syslog will do, I think
> > it's nice to have less moving pieces.

Hi Brian and Radu

Thanks for your replies. For the time being I think I will stick with logstash. I'm not familiar with it but it is up and running in my test environment.

However I agree that getting rid of logstash from the will make sense on our long-term permanent solution. From what I've been reading, rsyslog will certainly have no trouble handling our volume of logging, so that's great.

I am currently installing rsyslog from this repo... http://rpms.adiscon.com/v7-stable/ So it is just a yum install away. A re-compile and re-configuration to go direct to ElasticSearch only has to be done on the central server anyway.

But for the time being, until I've done some proper testing on using ElasticSearch directly from rsyslog, I think I'll stick with logstash. I've not fully figured out how we'll be processing our Apache logs and logstash gives us the ability to mess around with the logs to get them in a format we need.

Thanks,
Ben

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
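The "log collector" arrangement Radu describes (rsyslog with omelasticsearch on one central server, plain syslog forwarding everywhere else), written out as an added example in rsyslog v7 RainerScript, the syntax that matches the v7-stable repository Ben is installing from. This is not configuration posted by Brian, Radu or Ben, nor text from the rsyslog project's documentation. The host names, the TCP port 514, the index and type names, and the file paths are assumptions for illustration. Two points worth noticing from a logging-hygiene angle: the message body goes through the template's `json` format option so a log line containing quotes or control characters cannot break the document sent to ElasticSearch, and the collector keeps a local file copy plus an error file so a failed index write does not silently drop evidence.

```conf
# ---------------------------------------------------------------
# Central collector (added example; hostnames/ports/paths are placeholders)
# ---------------------------------------------------------------

# Accept syslog over TCP from the other servers.
module(load="imtcp")
input(type="imtcp" port="514")

# Output module that writes to ElasticSearch; needs a build or package
# that ships omelasticsearch.
module(load="omelasticsearch")

# One JSON document per message. Listing the fields explicitly keeps
# control over what is indexed; format="json" escapes the free-text
# message so it cannot terminate the document early.
template(name="es-json" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")   property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")      property(name="hostname")
    constant(value="\",\"severity\":\"")  property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")  property(name="syslogfacility-text")
    constant(value="\",\"program\":\"")   property(name="programname")
    constant(value="\",\"message\":\"")   property(name="msg" format="json")
    constant(value="\"}")
}

# Daily index name (e.g. logstash-2012.12.10) built from the RFC 3339
# timestamp, so old data can be expired per index.
template(name="es-index" type="list") {
    constant(value="logstash-")
    property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
    constant(value=".")
    property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
    constant(value=".")
    property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
}

# Index in bulk mode. The server name is a placeholder; ES is assumed to
# sit on an internal network reachable only from this collector.
# Documents ES rejects are written to errorfile for later review.
action(type="omelasticsearch"
       server="es.example.internal"
       serverport="9200"
       template="es-json"
       searchIndex="es-index"
       dynSearchIndex="on"
       searchType="syslog"
       bulkmode="on"
       errorfile="/var/log/rsyslog-es-errors.log")

# Keep a local copy as well, so nothing is lost while ES is unavailable.
action(type="omfile" file="/var/log/collector-all.log")

# ---------------------------------------------------------------
# Every other server (added example): forward all messages to the
# collector over TCP. omfwd is built in, so no module load is needed.
# ---------------------------------------------------------------
# *.* action(type="omfwd" target="collector.example.internal" port="514" protocol="tcp")
```

The last line is commented out because it belongs in the clients' rsyslog.conf rather than the collector's; the two halves are shown together only to make the collector/client split visible. When rsyslog packages with omelasticsearch become a plain `yum install`, as Radu expects, the same collector configuration can be dropped onto each server unchanged, with the omfwd forwarding line removed.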

