
I have been going through a few tutorials on using beats to send data to elasticsearch.

I noticed that some tutorials prefer to use logstash as the output which then outputs to elasticsearch. Some other tutorials output directly to elasticsearch.

In the config /etc/packetbeat/packetbeat.yml that is:

output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

Instead of:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
tread

1 Answer


The outputs using the logstash output are doing so over the native lumberjack protocol. The receivers in those cases are likely running full logstash, with listeners on the lumberjack ports. Those logstash configs would be doing much more complex transformations than beats can do natively. The logstash nodes would then send the modified events into elasticsearch.

[ host ] -> [ beats ] --> [ logstash ] --> [ elasticsearch ]

The elasticsearch output will send it directly to elasticsearch with minimal changes.

[ host ] -> [ beats ] --> [ elasticsearch ]
sysadmin1138
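The two topologies in the answer side by side in one packetbeat.yml, as an added example that is not part of the original question or answer. The hostnames, certificate paths and user name are hypothetical; what the example adds over the snippets in the question is the transport hardening a practitioner would want on either hop, since the bare hosts lines ship events in the clear with no peer verification. Beats allows exactly one enabled output, so the direct-to-Elasticsearch block is left commented out.

```yaml
# /etc/packetbeat/packetbeat.yml, output section only (added example; hosts,
# paths and the user name are hypothetical).
# Beats allows exactly one enabled output: packetbeat refuses to start if both
# output.logstash and output.elasticsearch are defined and enabled.

# Path A: [ host ] -> [ beats ] --> [ logstash ] --> [ elasticsearch ]
# Events go to Logstash over the Beats (Lumberjack v2) protocol on 5044; the
# Logstash pipeline does the heavy transformations and indexes into ES.
output.logstash:
  hosts: ["logstash.example.internal:5044"]          # hypothetical host
  # Without ssl.* the Beats protocol carries events in plaintext. Pin the CA,
  # verify the Logstash certificate, and present a client certificate so the
  # Logstash beats input can require it (ssl_verify_mode => "force_peer").
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/packetbeat/certs/ca.crt"]   # hypothetical paths
  ssl.certificate: "/etc/packetbeat/certs/packetbeat.crt"
  ssl.key: "/etc/packetbeat/certs/packetbeat.key"
  ssl.verification_mode: full

# Path B: [ host ] -> [ beats ] --> [ elasticsearch ]
# Events are indexed as Beats built them, with only its own minimal changes.
# Commented out because only one output may be enabled at a time.
#output.elasticsearch:
#  hosts: ["es.example.internal:9200"]               # hypothetical host
#  protocol: "https"                                 # default is plaintext http
#  username: "packetbeat_writer"                     # hypothetical write-only role
#  password: "${PACKETBEAT_ES_PASSWORD}"             # from the beats keystore, not inline
#  ssl.certificate_authorities: ["/etc/packetbeat/certs/ca.crt"]
#  ssl.verification_mode: full
```

For path A the Logstash side needs a matching `beats` input listening on 5044 (with the corresponding `ssl`, `ssl_certificate` and `ssl_key` settings) and its own `elasticsearch` output; for either path, `packetbeat test config -c /etc/packetbeat/packetbeat.yml` checks the syntax and `packetbeat test output` confirms that the configured output actually connects and completes the TLS handshake before you leave the host running.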