The setup is as follows:
- Syslog sends stuff to logstash
- logstash parses it to GELF
- logstash sends it to graylog
I know that Logstash uses elasticsearch and so does graylog, and in my setup the elasticsearch servers are different from each other.
Here is the problem:
When I run logstash with this flag `--backend 'elasticsearch:///?local'` and send data to graylog, I see those high amounts of data.
But since I know that all the data I'm requesting (i.e. from the graylog dashboard) is coming from the elasticsearch that graylog uses, I decided to run the logstash jarfile without the elasticsearch setting.
After removing the above flag, the throughput count went down 10-fold.
Does anyone have any idea on why that might have happened?
The second I run logstash with the `--backend 'elasticsearch:///?local'` setting again, the throughput count goes back to normal.
I am trying to figure out why the elasticsearch from logstash is relevant here. I have no need for the logstash web interface, just the graylog dashboard.
Thanks