
I am currently investigating the possibility of consolidating logs from multiple servers using logstash (or graylog2).

I am still a bit confused about the difference between logstash and graylog. So far I have appreciated the ease of use of logstash, but I would be interested in hearing about the experience of other people.

Furthermore, it appears that logstash can get Windows event logs. Is there any incentive to use nxLog or snare instead? Many people are reporting using nxlog to forward events to a distant logstash instance. Is it the recommended way?

For the time being we would like to consolidate from multiple boxes:

  • windows event logs
  • Third party csv file

Thanks in advance for any feedback.

E. Jaep

1 Answer


Logstash and Graylog are very similar pieces of software. They're both designed to take log data over the network and store it in ElasticSearch where it can be picked up by a web interface later. Graylog2 is designed to have sensible out-of-the-box defaults for most people, while Logstash is designed to be highly programmable, and the latest minor version (1.2) includes a reasonably featureful configuration language with full support for conditionals, like nxlog has on the client side.

In terms of web interfaces, Logstash generally uses Kibana, while Graylog2 ships with its own web interface. My recommendation is to try both out and see which you like more. Graylog2 needs less tinkering, but Kibana is absurdly more powerful in terms of what you can do with custom reporting dashboards.

The eventlog input is intended to be run locally from a Logstash agent installed on the Windows host that you want to collect logs on. Since the Logstash agent is written in Java, and the JVM can tie up a huge amount of memory, you probably don't want it hanging out unless you have a pile of memory floating around on your systems. nxlog is a lot leaner and does a great job pulling Windows Event Log data and forwarding it to Logstash using JSON or GELF. Its configuration syntax is also a lot more robust and full-featured than Logstash's, so you might find it easier to do complex things with your event logs before you forward them, like filtering out noisy logs before they ever get to the server.

Logstash has a CSV filter, so your best bet there is just to submit raw log data to the Logstash server over a TCP or UDP socket and let it figure the data out. nxlog might have functionality to do something similar, but I've never looked for it.

jgoldschrafe
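As an added illustration of the setup the answer describes (not code from the question or the answer), here is a constructed pair of configurations: nxlog on each Windows host pulling the Event Log, dropping a noisy channel locally and forwarding JSON over TCP, and a Logstash 1.2-style pipeline with two TCP inputs and a conditional CSV filter for the third-party file. Hostnames, ports, the channel name and the CSV column names are placeholders.

```conf
## nxlog.conf (constructed example), installed on each Windows host
<Extension json>
    Module      xm_json
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # Filter noise before it leaves the box; the channel name is a placeholder
    Exec        if $Channel == 'Vendor-Placeholder/Operational' drop();
</Input>

<Output to_logstash>
    # om_tcp sends plaintext; on untrusted networks prefer om_ssl with
    # ssl_enable on the Logstash tcp input
    Module      om_tcp
    Host        logstash.example.internal
    Port        5140
    Exec        to_json();
</Output>

<Route eventlog_route>
    Path        eventlog => to_logstash
</Route>

## logstash.conf (constructed example), on the central Logstash server
input {
  # One newline-delimited JSON event per line from nxlog
  tcp { port => 5140  type => "eventlog"  codec => json_lines }
  # Raw CSV lines from the third-party file; restrict both ports to the
  # forwarding hosts at the firewall, the tcp input listens on all interfaces
  tcp { port => 5141  type => "thirdparty_csv" }
}

filter {
  # Only the CSV stream needs parsing; nxlog already sent structured fields
  if [type] == "thirdparty_csv" {
    csv {
      columns   => ["timestamp", "host", "user", "action"]
      separator => ","
    }
  }
}

output {
  # Local ElasticSearch, as assumed for this example
  elasticsearch { host => "127.0.0.1" }
}
```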