Rainer Gerhards edited this page Dec 2, 2016 · 3 revisions

REK draft

After a few messages on the mailing list, with http://lists.adiscon.net/pipermail/rsyslog/2016-November/043555.html as the grand finale, we have created this page to discuss in a more durable way what should be part of this effort.


  • Logstash has a bigger memory footprint than rsyslog, requiring more than 100MB in order to even show --help. Rsyslog, on the other hand, can be perceived as more complex (maybe with a harder learning curve too).
  • The ELK pipeline doesn't have a native queue, so it needs something like Redis, while rsyslog is built on queues but doesn't have features like dynamic configuration.
  • Logstash can easily do log enrichment, like adding geoIP information. Previous rsyslog versions weren't able to do it, and recent ones, which support it through lookup tables, aren't properly documented.
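As an added illustration of the last two points (rsyslog's built-in queues and enrichment through lookup tables), the following rsyslog configuration is example code written for this page, not configuration from the rsyslog project or from the mailing-list thread. The table file path, the sample addresses and host roles, the work directory and the Elasticsearch endpoint are all assumed placeholders; it requires a rsyslog 8 release with lookup-table support and the omelasticsearch module. The idea is that a lookup table keyed by sender IP tags each message with the role of the host that produced it (useful when writing detection rules against the index), and a disk-assisted queue keeps messages on the rsyslog side while Elasticsearch is unreachable instead of dropping them.

```conf
# Added example (not from the rsyslog project): enrich each message with the
# role of the sending host via a lookup table, then ship it to Elasticsearch
# through a disk-assisted queue so nothing is lost while ES is unreachable.

module(load="omelasticsearch")

# Queue spill files go here (assumed path; must be writable by rsyslog).
global(workDirectory="/var/spool/rsyslog")

# Lookup table file (assumed path), in rsyslog's JSON table format.
# Constructed sample contents of /etc/rsyslog.d/hostrole.json:
# {
#   "version": 1,
#   "nomatch": "unknown",
#   "type": "string",
#   "table": [
#     { "index": "192.0.2.10", "value": "web-frontend" },
#     { "index": "192.0.2.20", "value": "db-primary" }
#   ]
# }
# reloadOnHUP lets you edit the table and reload it with a HUP, no restart.
lookup_table(name="hostrole" file="/etc/rsyslog.d/hostrole.json" reloadOnHUP="on")

# Enrichment step: look up the sender IP and keep the result in a local
# variable; unknown senders get the table's "nomatch" value.
set $.hostrole = lookup("hostrole", $fromhost-ip);

# JSON document sent to Elasticsearch, including the enrichment field.
template(name="es-doc" type="list" option.jsonf="on") {
    property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
    property(outname="host" name="hostname" format="jsonf")
    property(outname="host_role" name="$.hostrole" format="jsonf")
    property(outname="severity" name="syslogseverity-text" format="jsonf")
    property(outname="program" name="programname" format="jsonf")
    property(outname="message" name="msg" format="jsonf")
}

# Disk-assisted in-memory queue: messages stay in RAM normally and spill to
# disk files named es-queue.* in workDirectory when ES is down or slow.
# resumeRetryCount=-1 retries forever instead of discarding the batch.
action(type="omelasticsearch"
       server="es.example.internal"
       serverport="9200"
       searchIndex="rek-logs"
       template="es-doc"
       bulkmode="on"
       queue.type="LinkedList"
       queue.filename="es-queue"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Check the syntax with `rsyslogd -N1` before restarting; after editing the table file, `kill -HUP` the daemon to reload it. Stopping Elasticsearch for a while and watching the es-queue.* files appear in the work directory, then drain again when it comes back, is a quick way to confirm the queue does what the bullet above claims rsyslog can do without Redis.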


Review missing features and enhancements that can be implemented to help rsyslog become a logstash substitute.

Problems to solve

  • rsyslog documentation is worse than logstash's: less user-friendly, spread among multiple files, and requires much more trial and error.
  • Elastic Beats seem to be a lightweight logstash intended to improve efficiency; tests should be run to judge whether it is worth the effort.