Why do people ship logs to Logstash with NXLog and not Logstash itself?

Vagif Abilov · Sep 5, 2014 · Viewed 9.9k times

I read a blog post about setting up Logstash, Elasticsearch and Kibana, and the author suggested using NXLog to ship logs from different machines. A typical distributed scenario presented in "The Logstash Book" shows how Logstash can be used in both the shipping and indexing roles. We are currently experimenting with Logstash, and setting it up to ship logs to Elasticsearch was straightforward. So I wonder why people choose NXLog as a log shipper to Logstash instead of using Logstash on both ends.

Answer

rutter · Sep 5, 2014

The logstash-forwarder project, formerly known as "Lumberjack", explains it like so:

Resource Usage Concerns

Perceived Problems: Some users view logstash releases as "large" or have a generalized fear of Java.

Actual Problems: Logstash, for right now, runs with a footprint that is not friendly to underprovisioned systems such as EC2 micro instances; on other systems it is fine. This project will exist until that is resolved.

Transport Problems

Few log transport mechanisms provide security, low latency, and reliability.

The lumberjack protocol used by this project exists to provide a network protocol for transmission that is secure, low latency, low resource usage, and reliable.

A Logstash shipper instance isn't especially heavyweight, but if your machine only has 1-2GB of RAM it can be hard to casually allocate several hundred MB to another JVM instance.

Another consideration: what if your shipper nodes are running an OS that isn't supported by Logstash? Logstash can run on Windows, now, but it's still on the buggy side of things. I can't specifically vouch for NXLog in that area, but I gather it's a popular choice.