I have an existing system that sends log entries to my server via the Syslog protocol. The log entries are written into local files, and then I process these log files with Logstash using its File input plugin. I like it because even if Logstash goes down (it happens sometimes), I do not lose any logs.

I have just realized today that Logstash also has a Syslog input plugin that is capable of reading log data over the Syslog protocol.

I am wondering: if I turn off my Syslog server and read the data via the Syslog input plugin of Logstash, will I have the same reliable system, or will I lose data during the downtime if Logstash goes down?

SaWo

1 Answer

If Logstash goes down you will lose data during the downtime.

Also, the syslog input only works if the messages from your logs comply with RFC3164; anything different and you will need a grok pattern to parse that message.

If you don't want to use the file input anymore, you can create a rule on your syslog server to redirect the messages to your Logstash input. In this case, if Logstash goes down, you will still have the files to fill in the missing data.

leandrojmp
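To check the RFC3164 point from the answer before switching inputs, the existing log files can be audited for lines that do not fit that layout. This is an added example, not code from the answer or from Logstash; the regex is a simplified approximation of the RFC 3164 format (with a slightly relaxed tag character set), and the sample lines are constructed.

```python
import re

# Simplified RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
# Assumption: the tag may also contain "_", ".", "/" and "-", as real daemons use.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" [ 0-3]\d \d{2}:\d{2}:\d{2}) "          # day is space-padded: "Feb  5"
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]{1,32})(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

def parse_rfc3164(line):
    """Return the parsed fields, or None if the line does not fit RFC 3164."""
    m = RFC3164.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                              # max is facility 23 * 8 + severity 7
        return None
    fields = m.groupdict()
    facility, sev = divmod(pri, 8)             # PRI = facility * 8 + severity
    fields.update(pri=pri, facility=facility, severity=SEVERITIES[sev])
    return fields

def audit(lines):
    """Split lines into (parsed, needs_custom_pattern)."""
    ok, bad = [], []
    for line in lines:
        fields = parse_rfc3164(line)
        if fields is None:
            bad.append(line)
        else:
            ok.append(fields)
    return ok, bad

# Constructed sample lines: two RFC 3164, one RFC 5424, one with no PRI,
# and one with an out-of-range PRI.
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick",
    "<13>Feb  5 17:32:18 web01 sshd[4721]: Accepted publickey for deploy",
    "<165>1 2003-10-11T22:14:15.003Z mymachine evntslog - ID47 - An event",
    "2024-03-01 10:00:00 app01 payment failed",
    "<999>Oct 11 22:14:15 host app: bad priority value",
]

if __name__ == "__main__":
    parsed, rejected = audit(SAMPLE)
    print(f"{len(parsed)} RFC 3164 lines, {len(rejected)} need a custom pattern")
    for line in rejected:
        print("  ", line)
```

Lines reported as rejected are the ones that would need their own grok pattern.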