TrustRadius: an HG Insights company

Logstash

Score9 out of 10

20 Reviews and Ratings

Get a Demo

What is Logstash?

Categories & Use Cases

Reviews

What users are saying about Logstash.
View all reviews

Perfect choice for big datacenters

Asad KhanView profile
Systems Solution Architect in Engineering at Ericsson (10,001+ employees employees)

Use Cases and Deployment Scope

Logstash is a part of the ELK stack in the private Telcocloud datacenter I used in Nokia. The Telco datacenter infrastructure has a lot of logs to be analyzed, and Logstash acts as a log shipper on the Opensatck-based infrastructure. It helped collect logs from various sources and then processed them in the required format to be displayed on Kibana for analysis & Grafana for visulisation for graphs

Pros

  • Supports unstructured log data into searchable fields
  • Wide integration with almost any data source and backend
  • Powerful searchable fields, including unstructured log data
  • Supports various formats like JSON, CSV, XML, key-value, etc

Cons

  • It is heavy i.e., intensive as of now. Need to reduce overhead to save CPU/RAM consumption
  • Need to be more Kubernetes-friendly. Should support auto-scaling and K8s observability
  • Initial configuration is still complex. A seamless config procedure is still required

Return on Investment

  • It is very difficult to give any figures on ROI, as it depends on many factors, and in a Telcocloud environment, it is much complex to find out; however, I would give some points below on ROI
  • ROI based on flexibility is very high, as it reduces the time to find RCA
  • ROI based on integration is very high because it supports multi-vendor environments, avoiding vendor lock-in & works across multi-cloud setups
  • ROI on resource consumption is less because Logstash in 2-3 times more resource-intensive as compared to its lightweight alternatives resulting in latency

Usability

Alternatives Considered

Enterprise Fluentd, fluentbit and Apache Kafka

Logstash is the best for ELK stacks!

Incentivized
Rahul ChaudharyView profile
Senior Software Engineer in Information Technology at Capital One (10,001+ employees employees)

Pros

  • Logstash design is definitely perfect for the use case of ELK. Logstash has "drivers" using which it can inject from virtually any source. This takes the headache from source to implement those "drivers" to store data to ES.
  • Logstash is fast, very fast. As per my observance, you don't need more than 1 or 2 servers for even big size projects.
  • Data in different shape, size, and formats? No worries, Logstash can handle it. It lets you write simple rules to programmatically take decisions real-time on data.
  • You can change your data on the fly! This is the CORE power of Logstash. The concept is similar to Kafka streams, the difference being the source and destination are application and ES respectively.

Cons

  • Logstash is all command line, and it can become overwhelming for new developers. If it has any sort of UI, then I don't know about it.
  • Documentation could have been better. But this is a work in progress, and with time I am sure community will help with documentation.
  • Community support! Being a relatively new tool, the adoption is still mature, and finding answers can be challenging sometimes.

Return on Investment

  • Positive: Learning curve was relatively easy for our team. We were up and running within a sprint.
  • Positive: Managing Logstash has generally been easy. We configure it, and usually, don't have to worry about misbehavior.
  • Negative: Updating/Rehydrating Logstash servers have been little challenging. We sometimes even loose data while Logstash is down. It requires more in-depth research and experiments to figure the fine-grained details.
  • Negative: This is now one more application/skill/server to manage. Like any other servers, it requires proper grooming or else you will get in trouble. This is also a single point of failure which can have the ability to make other servers useless if it is not running.

Alternatives Considered

Apache Kafka

Useful Self-Hosted ETL tool for Event Driven Applications

Incentivized
Jordan MooreView profile
Staff Consultant in Information Technology at Avalon Consulting, LLC (51-200 employees employees)

Pros

  • Plugin ecosystem allows modular extensions.
  • Tight integration into the Elastic.com products of Beats and Elasticsearch, so minimal setup is required when using those tools.
  • Filter plugins are powerful for extracting and enriching input data.

Cons

  • Since it's a Java product, JVM tuning must be done for handling high-load.
  • The persistent queue feature is nice, but I feel like most companies would want to use Kafka as a general storage location for persistent messages for all consumers to use. Using some pipeline of "Kafka input -> filter plugins -> Kafka output" seems like a good solution for data enrichment without needing to maintain a custom Kafka consumer to accomplish a similar feature.
  • I would like to see more documentation around creating a distributed Logstash cluster because I imagine for high ingestion use cases, that would be necessary.

Return on Investment

  • Logstash has allowed me to ingest log files of various patterns into Elasticsearch for analysis using its flexible Grok parser.
  • I've been able to perform web analytics over datasets using Logstash's GeoIP and reverse DNS lookups.
  • By providing a simple mechanism for adding plugins, Logstash has allowed me to install extensions on top of those already pre-installed.

Alternatives Considered

Apache Kafka, Apache Flume, Apache Spark, Enterprise Fluentd and PaperTrail

LogStash: A great way to spend your Time getting to know ELK and Logging in general

Incentivized
Verified User
Engineer in Corporate (1-10 employees employees)

Pros

  • Modern: most Admin, Server and/or DevtyOps-Centric software worth it's salt will have the ability to configure it's services and features from a small webpage and REST API. Logstash is no exception
  • Speed: Logstash configuration is just a reload away. While you CAN use the gui (see point above), editing the configuration files directly is also a great option. Our configuration files are hosted on an internal Repository, that once we make a change, we and track them as we do a reload, and those changes are reflected in Logstash almost immediately (dependent on the Data Source's speed and flow of Data)
  • Configuration: Logstash is very simple to configure, and fulfills our desire to keep configuration files in a plantext format.
  • OpenSource friendly: Logstash is opensource, and built with open source tools

Cons

  • Memory: Logstash is a HOG, if you are deploying it on commodity (i.e. cheap and old) hardware: You will need at least 2GB, just for Logstash. So don't expect to run your entire ELK stack on one AMD Athlon machine.
  • Overlap: Logstash fills in an area of the ELK stack that makes the most sense: as a log file transformer / shipper. However, if you start breaking that stack, with the addition of other components- you start seeing where features of Logstash may be implemented or solved in the additional components much easier (or better, or to a higher degree of resolution)
  • More Overlap: Since my team employs Syslog-ng extensively- Logstash can sometimes get in the way (and this may be a problem for DevOps stacks overall): You can configure Syslog to record certain information from a source, filter that data, and even export that data in a particular format. Logstash will pick that data up, and then parse it. However, if you don't keep your Syslog-ng configuration files, and your Logstash configuration files in sync, your results will not be what you expected, and this will translate into (sometimes) hours/days of work, hunting down a line item in a configuration file.

Return on Investment

  • Positive: LogStash is OpenSource. While this should not be directly construed as Free, it's a great start towards Free. OpenSource means that while it's free to download, there are no regular patch schedules, no support from a company, no engineer you can get on the phone / email to solve a problem. You are your own Engineer. You are your own Phone Call. You are your own ticketing system.
  • Negative: Since Logstash's features are so extensive, you will often find yourself saying "I can just solve this problem better going further down / up the Stack!". This is not a BAD quality, necessarily and it really only depends on what Your Project's Aim is.
  • Positive: LogStash is a dream to configure and run. A few hours of work, and you are on your way to collecting and shipping logs to their required addresses!

Alternatives Considered

Elasticsearch, MongoDB and Azure SQL Database