FileBeat directly to ELS or via LogStash?


Question

We are installing ELS and Kibana for log aggregation/analysis. The first system to use it is greenfield so we output structured logs from the services that make up our system. Given that we don't need to add structure to our logs I was planning on using FileBeat to ship the logs directly to ELS and not use LogStash. Is this a sensible option or does LogStash have value over and above parsing that we might need? If we do use LogStash can I use that to harvest log files or should I still use FileBeat to pump the logs to LogStash?

Recommended answer

Logstash is useful if you need to aggregate logs from many servers and apply some common transformations and filtering to your events.

If your log events are already structured and you are ok with indexing them directly, then you can definitely have Filebeat send them directly to ES. If ES goes down (e.g. for maintenance), Filebeat will retry until it can successfully send the events.
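
The direct Filebeat-to-Elasticsearch setup described above, as an added example that is not part of the original answer. It assumes the services write one JSON object per line; the log path, host name, CA path and the `ES_API_KEY` environment variable are hypothetical placeholders.

```yaml
# filebeat.yml: ship already-structured (NDJSON) logs straight to Elasticsearch,
# with no Logstash hop in between.
filebeat.inputs:
  - type: filestream
    id: app-json-logs                 # hypothetical input id
    paths:
      - /var/log/myapp/*.json         # hypothetical path
    parsers:
      - ndjson:
          target: ""                  # put decoded fields at the event root
          overwrite_keys: true        # decoded fields replace Filebeat's own on conflict
          add_error_key: true         # record an error on the event when a line is not valid JSON

output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]   # hypothetical host; use TLS
  api_key: "${ES_API_KEY}"            # "id:api_key" pair read from the environment
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]   # hypothetical CA path
  # Filebeat keeps retrying when Elasticsearch is unreachable;
  # these two settings only control how long it waits between reconnect attempts.
  backoff.init: 1s
  backoff.max: 60s
```

Events whose line fails to parse are still indexed and carry the error key, so a query on that field shows which services are emitting malformed log lines.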
