Bootstrap Based UI for Logstash (Open Source Splunk) (rashidkpc.github.com)
99 points by kordless on Aug 22, 2012 | 27 comments



Please don't call logstash "an open source splunk". It's no such thing. Splunk still has features that logstash doesn't have (yet). Logstash has quite a few features that Splunk doesn't have.

Jordan had never seen (or to my knowledge has yet to see) splunk at all. I don't know about Pete. Myself, I haven't used Splunk since trying a very early release once in the very first days of it.

Point being, Logstash doesn't call itself an "open source splunk". In fact I've considered adding an output to SplunkStorm to Logstash.

Do I think Logstash is better? Yep. Do I know people who swear by Splunk? Yep. Competition is healthy.


I agree, "an open-source X" implies it re-implements X.

LogStash is a log management system, which is one application of Splunk. (There are a lot of players in this space.) And, much like Splunk, it seems to be well suited to users who prefer to get down to the nuts and bolts. I haven't tried it yet, but I don't have a need for real LM or IT search these days; when I do, it'll be in my list of things to set up and try. I like what I've seen, but I don't see much IT search or automation here.

Disclaimer: I was the architect of a closed-source competitor to Splunk in the log management space.


Speaking as someone who has only casually heard of these products, they are exactly the same thing to the uninitiated. That's not being negative. Just saying both products provide a way to bring sanity through search, indexing and analysis to tons of logs.


Does anyone know how many events/sec Logstash can handle? I've only seen people talking about 250 events/sec on the Google Group, but we're a couple orders of magnitude greater than that.


The commonality is they both ingest logs and provide fulltext search for said logs. That's enough to loosely compare the two for purposes of promotion here on HN, or even getting good mentions on ServerFault: http://serverfault.com/questions/62687/alternatives-to-splun...

I'm certainly not the first to make this comparison.


Although logstash does have a built in elasticsearch, I wouldn't really say anyone uses logstash itself to provide search for the logs. Logstash itself just provides a way to move events from one place to another, that's all.


"I wouldn't really say anyone uses logstash itself to provide search for the logs"

Huh? The front page of http://logstash.net/ suggests that is one of the primary uses!

"logstash is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs.

All your logs from all over your infrastructure in one place - with searching and graphing. Since we can easily parse text-based logs, you can query for more precise things like, all 404 http errors, nagios critical alerts in hard state, or mail server faults - all without accidentally finding logs with the word ‘404’ or ‘critical’ in the wrong place."


Elasticsearch, the recommended backend for making your logs searchable, is a separate project from logstash. Logstash does come with a built in elasticsearch, designed to get people up and running very quickly, but if you are considering any serious use of elasticsearch you would set it up yourself as a standalone service.

Logstash does come with a simple web interface, and kibana is a slightly better but still simple interface being ported into logstash. Again, this is geared towards getting people up and running quickly, and at the end of the day it's just a pretty curl wrapper for elasticsearch.

You can also use logstash without elasticsearch/kibana, which we do for a good bit of our logs. I think logstash intentionally blurs the lines of what it is or isn't so people don't get caught up in trying to figure out how to get it running. Give it a try and see for yourself exactly what it is or isn't.


Right! Speaking of that, have you looked at Grok (field extractor)? It's pretty awesome.


Grok, grep, multiline, date, etc. Logstash changes my events prior to reaching their destination, but logstash itself is not the end destination.


Currently experimenting with logstash and Kibana on internal systems and very happy so far, no complaints with it.

Be warned, though, that logstash is not mature software; get on the mailing list and read the github page.

Now if only the rails logging system wasn't so tightly integrated and string-happy.


I'm pretty sure he's working on it fulltime as of a month ago or so.


Groovy, didn't know that. When I said "not mature" I just meant in terms of number of deployments and age of the code-base.

No knock against author intended.


You might underestimate the size of deployments of logstash. Mailchimp runs logstash in a pretty sizeable cluster for all traffic coming into HTTP front-ends. I can think of quite a few sizeable logstash installs that I can't mention.


whack (author of logstash) works at dreamhost now, and is indeed working on logstash full-time.

The kibana ui is, afaik, being ported to ruby atm.


Why on earth does being made with bootstrap matter for this? The headline should read "Logstash UI that doesn't suck"

What something is built with doesn't matter, that it works matters.


I don't see a problem with it TBH. I pretty much knew exactly what to expect because of this wording, which is a good thing.


That's what I was shooting for! :)


A working demo is here: http://urly.stackgeek.com/C2v. Author of Logstash is here: http://semicomplete.com.


Looks similar to http://graylog2.org/


Logstash and Graylog are complementary. Most people, myself included, were originally using Graylog2 in conjunction with Logstash.

Graylog2, though, had problems with its original implementation based on capped containers in MongoDB. It has since moved to ElasticSearch.

There are both gelf inputs and outputs for Logstash so you can send your logs to Logstash as if they were going to Graylog2 and do additional munging and still send them out to Graylog2 from there.


Would you mind going into more details as to how they are similar and what the differences are between the two? Should I run both, or pick one? You seem to suggest to run both in tandem but I'm not sure I see why since at first sight they seemed pretty much the same to me.

I was planning to setup Logstash next week so your input would really help. Thanks!


Graylog2 only handles syslog and its own protocol (GELF) for accepting log events. Graylog2 uses ElasticSearch for data storage. Logstash can use ElasticSearch or just send the data elsewhere.

The Graylog2 web interface is pretty awesome and it has some neat stuff built in. Logstash ships with a fairly spartan web interface though we're going to replace it with a ruby port of Kibana in the future.

Logstash can accept data from GELF senders (via the gelf input plugin I wrote) or send to gelf receivers (like Graylog2).

Graylog2 is awesome, don't get me wrong. I just had to bail on it when it was still on MongoDB because I couldn't justify the cost of instances needed to get a MongoDB instance that could hold more than 4 hours of data.
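To make the GELF-in, munge, GELF-out arrangement described in the comments above concrete, here is an added example pipeline configuration. It is not from the page or from the Logstash project, and it uses the option names documented for current Logstash plugins rather than the 2012 release; the listen address, file path, hostnames and ports are assumptions. It accepts GELF from application senders, parses plain-text Apache access logs with grok so that a 404 is matched on the parsed status field rather than on the literal string "404", and fans the result out to both Elasticsearch and a Graylog2 server over GELF.

```logstash
# Added example (not from the page or the Logstash project).
# Hostnames, ports and the file path are assumptions.
input {
  # GELF from any GELF sender. GELF over UDP carries no authentication,
  # so bind it to an internal address (assumed here) and firewall it.
  gelf {
    host => "10.0.0.5"
    port => 12201
    type => "gelf"
  }
  # Plain-text access logs tailed from disk.
  file {
    path => "/var/log/apache2/access.log"
    type => "apache"
  }
}

filter {
  if [type] == "apache" {
    # grok extracts structured fields (clientip, verb, request, response, ...)
    # from the access-log line.
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    # Use the timestamp in the log line rather than the ingest time.
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
    # With the classic (non-ECS) pattern set the status code lands in
    # "response"; tagging on that field avoids matching a "404" that merely
    # appears in a URL or user agent.
    if [response] == "404" {
      mutate { add_tag => [ "http_404" ] }
    }
  }
}

output {
  # Everything, parsed or not, goes to Elasticsearch for search.
  elasticsearch {
    hosts => [ "localhost:9200" ]
  }
  # Lines grok could not parse carry the _grokparsefailure tag; keep them
  # searchable in Elasticsearch but out of the Graylog2 stream.
  if "_grokparsefailure" not in [tags] {
    gelf {
      host => "graylog2.example.internal"
      port => 12201
    }
  }
}
```

The point of the conditional on `[response]` is the one the logstash.net blurb quoted earlier in the thread makes: once grok has split the line into fields, a query or routing rule can target the status code precisely instead of grepping for "404" anywhere in the event.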


You need to add some CSS to account for extra pixels the responsive navbar uses. Also, the JavaScript for the navbar menu does not seem to be working.


Could this be used on Elasticsearch in general? Any pointers what's needed for that? The interface looks nice, and we have a large(ish) Elasticsearch cluster I'd like to try this on.


What's Splunk?




