Elasticsearch, ELK, Filebeat, Kibana, Logstash

Elasticsearch Ingest Node Vs Logstash Vs Filebeat

Leave a comment

Elasticsearch Ingest Node

Ingest node use to pre-process documents before the actual document indexing
happens. The ingest node intercepts bulk and index requests, it applies transformations, and it then passes the documents back to the index or bulk APIs.

Logstash

Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to different output sources like Elasticsearch, Kafka Queues, Databases etc.

Filebeat

Filebeat is lightweight log shipper which reads logs from thousands of logs files and forward those log lines to centralize system like Kafka topics to further processing on Logstash, directly to Logstash or Elasticsearch search.

There is overlap in functionality between Elasticsearch Ingest Node , Logstash and Filebeat.All have there weakness and strength based on architectures and area of uses. You cam also integrate all of these Filebeat, Logstash and Elasticsearch Ingest node by minor configuration to optimize performance and analyzing of data.

Below are some key points to compare Elasticsearch Ingest Node , Logstash and Filebeat.

Points Elasticsearch Ingest Node Logstash Filebeat
Data In and Out As ingest node runs as pipeline within the indexing flow in Elasticsearch, data has to be pushed to it
through bulk or indexing requests and configure pipeline processors process documents before indexing of actively writing data
to Elasticsearch.		 Logstash supports wide variety of input and output plugins. It can act as middle server to accept pushed data from clients over TCP, UDP and HTTP and filebeat, message queues and databases.
It parse and process data for variety of output sources e.g elasticseach, message queues like Kafka and RabbitMQ or long term data analysis on S3 or HDFS.		 Filebeat specifically to shipped logs files data to Kafka, Logstash or Elasticsearch.
Queuing Elasticsearch Ingest Node is not having any built in queuing mechanism in to pipeline processing.
If the data nodes are not able to accept data, the ingest node will stop accepting data as well.		 Logstash provide persistent queuing feature mechanism features by storing on disk. Filebeat provide queuing mechanism with out data loss.
Back-pressure Clients pushing data to ingest node need to be able to handle back-pressure by queuing data In case elasticsearch is not reachable or able to accept data for extended period otherwise there would be data loss. Logstash provide at least once delivery guarantees and buffer data locally through ingestion spikes. Filebeat designed architecture like that with out losing single bit of log line if out put systems like kafka, Logstash or Elasticsearch not available
Data Processing Ingest node comes around 20 different processors, covering the functionality of
the most commonly used Logstash plugins.

Ingest node have some limitation like pipeline can only work in the context of a single event. Processors are
also generally not able to call out to other systems or read data from disk. It’s also not having filters as in beats and logstash. Logstash has a larger selection of plugins to choose from. This includes
plugins to add or transform content based on lookups in configuration files,
Elasticsearch, Beats or relational databases.

 Logstash support filtering out and dropping events based on
configurable criteria.		 Beats support filtering out and dropping events based on
configurable criteria.
Configuration “Each document can only be processed by a single pipeline when passing through the ingest node.

 “Logstash supports to define multiple logically separate pipelines by conditional control flow s to handle complex and multiple data formats.

Logstash is easier to measuring and optimizing performance of the pipeline to supports monitoring and resolve potential issues quickly by excellent pipeline viewer UI.

 Minor configuration to read , shipping and filtering of data. But limitation with parsing.
Specialization Ingest Node pipeline processed data before doing indexing on elasticsearch. Its middle server to parse process and filter data from multiple input plugins and send processes data to output plugins. Specific to read and shipped logs from different servers to centralize location on Elasticsearch, Kafka and if require parsing processed through Logstash.
Integration Logstash supports sending data to an Ingest Pipeline. Ingest node can accept data from Filebeat and Logstash etc, Filebeat can send data to Logstash , Elasticsearch Ingest Node or Kafka.
Performance Please follow below link to check performance of each on different cases: Elasticsearch Ingest Node , Logstash and Filebeat Performance comparison.

Learn More

To know more about Elasticsearch Ingest Node, Logstash or Filebeat follow below links: