----- Original Message -----
> From: "David Lang" <[email protected]>
> To: "rsyslog-users" <[email protected]>
> Sent: Tuesday, April 8, 2014 2:53:24 PM
> Subject: Re: [rsyslog] Rsyslog w/ logstash-elasticsearch-kibana server
>
> On Tue, 8 Apr 2014, Rick Brown wrote:
>
> > Today I've setup my central rsyslog server to replay the logs via omudpspoof
> > to a logstash server -> ES. It's already indexing about twice as much as just
> > rsyslog -> ES was using the recipe in the first link below, and I haven't even
> > begun to dig into the scads of plugins available for logstash.
>
> Interesting, a couple of questions
>
> 1. why did you need udpspoof

I didn't necessarily need udpspoof, but I already had it set up to send to the McAfee SIEM product, so it was easy to add another spoof - and I wasn't quite sure how well logstash would handle forwarded messages that weren't spoofed.

> 2. you say that you are getting logs into ES faster rsyslog -> logstash -> ES
> than you were rsyslog -> ES, this is surprising. This is something that it
> sounds like we should dig into, rsyslog -> ES should be faster.
>
> Is there any way we can recreate the rsyslog -> ES setup to find the
> bottleneck?

Actually, I think rsyslog -> ES would be faster, although I was initially running Elasticsearch on the same machine as my central rsyslog server, and the ES indexes were going to a single local disk, which was definitely a bottleneck.. but that's not what made me look at logstash.. I was wanting a quick way to get more fields indexed, and logstash has a whole bunch of plugins already out in the user contributed package. Following the rsyslog->ES recipe yielded 9 fields indexed, rsyslog->logstash->ES yielded 35.

> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> POST if you DON'T LIKE THAT.

--
Rick Brown
Office of Information Technology
Georgia Institute of Technology
258 4th Street N.W.
Atlanta, GA 30332-0715
email: [email protected]
ph: (404) 894-6175
Calendar: https://mail.gatech.edu/home/[email protected]?fmt=freebusy
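As an added illustration of the relay Rick describes (this is not configuration from the thread or from the rsyslog project documentation), the fragment below is an rsyslog RainerScript configuration that receives syslog over UDP and replays every message through omudpspoof to two collectors, a logstash UDP input and a SIEM, while keeping the original sender's address as the UDP source. The addresses and ports are placeholders. Two points a practitioner will want to keep in mind: omudpspoof writes raw packets, so the rsyslog process needs root or CAP_NET_RAW, and because the datagrams leave with a forged source address they will be dropped by any router or host doing source-address validation (BCP 38 style egress filtering) between the relay and the collectors, so the relay and collectors normally need to sit on the same trusted segment.

```conf
# rsyslog.conf fragment (RainerScript, rsyslog 7 or later).
# Added example, not from the thread; hosts and ports are placeholders.

# Receive syslog from the fleet on the standard UDP port.
module(load="imudp")
input(type="imudp" port="514")

# omudpspoof needs raw-socket privileges (root or CAP_NET_RAW).
module(load="omudpspoof")

# The spoofed UDP source address: the IP the message originally arrived from,
# so the collector attributes it to the real origin host, not to this relay.
template(name="spoofaddr" type="string" string="%fromhost-ip%")

# Plain syslog wire format for the replayed datagram.
template(name="spooftemplate" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")

# Replay everything to the logstash UDP input (placeholder address)...
action(type="omudpspoof" target="192.0.2.10" port="5514"
       sourcetemplate="spoofaddr" template="spooftemplate")

# ...and to the SIEM collector (placeholder address), same spoofed source.
action(type="omudpspoof" target="192.0.2.20" port="514"
       sourcetemplate="spoofaddr" template="spooftemplate")
```

Because both actions use the same `sourcetemplate`, each collector sees traffic exactly as if the originating host had sent it directly, which is why Rick did not have to worry about how logstash would treat messages relayed from a single forwarder. The flip side for whoever runs the collectors is that they cannot tell replayed datagrams from originals by source address alone, so the relay's own host should be the only system permitted to emit spoofed traffic onto that segment.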

