Using Elasticsearch or Logstash output?
I have been going through a few tutorials on using beats to send data to elasticsearch. I noticed that some tutorials prefer to use `logstash` as the output, which then outputs to elasticsearch. Some other tutorials output directly to `elasticsearch`.

In the config `/etc/packetbeat/packetbeat.yml`, that is:

```yaml
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
```

Instead of:

```yaml
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
```
elasticsearch logstash elk
asked May 28 at 7:35
Krauser
1 Answer
The outputs using the `logstash` output are doing so over the native lumberjack protocol. The receivers in those cases are likely running full logstash, with listeners on the lumberjack ports. Those logstash configs would be doing much more complex transformations than beats can do natively. The logstash nodes would then send the modified events into elasticsearch.

```
[ host ] -> [ beats ] --> [ logstash ] --> [ elasticsearch ]
```

The `elasticsearch` output will send it directly to elasticsearch with minimal changes.

```
[ host ] -> [ beats ] --> [ elasticsearch ]
```
answered May 28 at 23:56
sysadmin1138♦
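
The Logstash side of the first topology, as an added example that is not part of the original question or answer: a pipeline that listens for Beats on port 5044, transforms events, and forwards them to Elasticsearch on `localhost:9200` (both taken from the question's config). The redacted field name and the tag in the filter are assumptions chosen for illustration.

```logstash
# Added example: receive events from Beats, transform them, index into Elasticsearch.
input {
  beats {
    # Matches hosts: ["localhost:5044"] under output.logstash in packetbeat.yml
    port => 5044
  }
}

filter {
  # [@metadata][beat] is set by the shipping Beat, e.g. "packetbeat".
  if [@metadata][beat] == "packetbeat" {
    mutate {
      # Assumed field name: strip captured credentials centrally before indexing.
      remove_field => ["[http][request][headers][authorization]"]
      # Hypothetical tag marking events that passed through this pipeline.
      add_tag => ["via_logstash"]
    }
  }
}

output {
  elasticsearch {
    # Same Elasticsearch endpoint the direct output.elasticsearch setting would use
    hosts => ["localhost:9200"]
    # Per-Beat daily index built from the metadata the Beat sends
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

With this in place only Logstash needs network access to port 9200; the Beats hosts talk to port 5044 alone.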