I am a beginner to Elasticsearch and Logstash. After going through n number of documents, I still couldn't figure out why a broker is needed between the log-shipping and indexing components. Can't we directly send the logs to Elasticsearch and start indexing?
Why are Redis, AMQP or 0MQ needed along with Elasticsearch and Logstash?
993 views. Asked by Naresh.
There are 2 answers
Answer by Jettro Coenradie:
Yes, you can send the logs immediately to the indexer. However, there are scalability and maintainability reasons to use the broker. If the indexer at some time becomes overloaded, sending the logs could slow down. Also, if you want to restart the indexer for any reason, with the broker you can keep sending logs.
The message queue
The role of the message queue is to be the gatekeeper and protect the parser from being overloaded with too many log messages. It is all about the maximum number of events your parser can process in one second; when this rate becomes too high, the log parser will drop events and cause data loss. To prevent this situation, a message queue is mandatory.
Pull vs Push
When you send log messages directly to the log parser from the log shipper, you basically push the messages and hope that the parser can handle the rate at which these events are being pushed to it. When you choose to use a message queue, you allow the log parser to pull the messages at the rate that it can handle. When the rate is too high and the parser can’t pull all the messages, they will accumulate in your message queue, and once the rate becomes lower, the parser will pull these messages and clear the queue. A message queue is your best protection against temporary high load on your central logging solution.
The database crisis
In rare cases your database server will crash, and during that time the parser will have no available destination to send its parsed log messages to. On the input side, the parser will receive more and more messages from the log shipper and will start dropping them. In that case, all the log messages generated during this time will be gone. A message queue is a great solution to that situation and will allow the parser to stop pulling events and let them accumulate in the message queue. Once the session to the database is restored, all the events will be pulled by the parser and sent to the database. It might take some time to parse and write such a big queue, but eventually you will have complete access to your generated log data and no data will be lost.
A layer of safety
In some cases your log files might be scattered between different servers outside of your data center and you will want them to send data to your centralized logging solution. By using a message queue, you will be able to keep your data safe, sending it encrypted and limiting your inbound access to a single port on your message queue server. It is very important to take into consideration the security aspects of your centralized logging solution and especially so when it comes to a distributed server environment.
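The push-versus-pull and database-outage behaviour described in the answers above can be reproduced with a small model. This is an added example, not part of either answer: the `simulate` function, its parameters and the sample loads are all constructed for illustration. The `queue_limit` parameter goes beyond the answers and models a broker with finite memory, which starts dropping too once it fills.

```python
"""Toy discrete-time model of a log pipeline: direct push vs. broker pull."""

def simulate(arrivals, capacity, db_up=None, use_broker=True, queue_limit=None):
    """arrivals[t] events arrive in tick t; the parser handles at most
    `capacity` events per tick, and none while db_up[t] is False.
    queue_limit models a broker with finite memory (None = unbounded)."""
    if capacity <= 0:
        raise ValueError("capacity must be positive or the queue never drains")
    delivered = dropped = depth = peak = 0
    t = 0
    while t < len(arrivals) or depth > 0:
        incoming = arrivals[t] if t < len(arrivals) else 0
        up = True if db_up is None or t >= len(db_up) else db_up[t]
        budget = capacity if up else 0
        if use_broker:
            # Shipper writes to the queue; parser pulls what it can handle.
            room = incoming if queue_limit is None else min(incoming, queue_limit - depth)
            dropped += incoming - room
            depth += room
            peak = max(peak, depth)
            pulled = min(depth, budget)
            depth -= pulled
            delivered += pulled
        else:
            # Shipper pushes straight at the parser; overflow is lost.
            handled = min(incoming, budget)
            delivered += handled
            dropped += incoming - handled
        t += 1
    return {"delivered": delivered, "dropped": dropped, "peak_queue": peak}

# Constructed sample loads (events per tick), not measurements.
BURST = [50, 50, 400, 400, 50, 50, 50, 50]        # temporary spike
STEADY = [100] * 6
OUTAGE = [True, False, False, False, True, True]  # database down for 3 ticks

if __name__ == "__main__":
    print("burst, direct :", simulate(BURST, 100, use_broker=False))
    print("burst, broker :", simulate(BURST, 100))
    print("burst, broker, limit 500:", simulate(BURST, 100, queue_limit=500))
    print("outage, direct:", simulate(STEADY, 150, OUTAGE, use_broker=False))
    print("outage, broker:", simulate(STEADY, 150, OUTAGE))
```

The peak queue depth is the number to size the broker against: if its memory holds fewer events than that peak, the pipeline loses data during the spike even with a queue in place.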