Logstash is a tool for managing events and logs.
LogStash provides an integrated framework for log collection, centralization, parsing, storage and search.
LogStash has a wide variety of input mechanisms: it can take inputs from TCP/UDP, files, Syslog, Microsoft Windows EventLogs, STDIN, log4j and a variety of other sources.
LogStash design and architecture
LogStash is written in JRuby and runs in a Java Virtual Machine (JVM).
Its architecture is message-based and very simple.
Rather than separate agents or servers, LogStash has a single agent that is configured to perform different functions in combination with other open source components.
In the LogStash ecosystem there are four components:
• Shipper: Sends events to LogStash. Your remote agents will generally only run this component.
• Broker and Indexer: Receives and indexes the events.
• Search and Storage: Allows you to search and store events.
• Web Interface: A Web-based interface to LogStash.
LogStash servers run one or more of these components independently, which allows us to separate components and scale LogStash. As a result, there is likely little in the environment that you can't extract logs from and send to LogStash.
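The shipper and indexer roles described above, shown as two configurations for the same agent. This is an added example, not taken from the original page. It assumes Redis as the broker and Elasticsearch as search and storage; the host names, log path and the "logstash" list key are hypothetical placeholders.

```conf
# ---- shipper.conf: runs on each remote host (Shipper role) ----
input {
  file {
    # Assumed log path; point this at the files to collect.
    path => ["/var/log/syslog"]
    type => "syslog"
  }
}

output {
  redis {
    # Hypothetical broker address; the shipper only pushes events.
    host      => "broker.example.internal"
    data_type => "list"
    key       => "logstash"
  }
}

# ---- indexer.conf: runs on the central server (Broker and Indexer role) ----
input {
  redis {
    # Reads from the same list the shippers write to.
    host      => "127.0.0.1"
    data_type => "list"
    key       => "logstash"
  }
}

output {
  elasticsearch {
    # Assumed local search and storage node.
    hosts => ["127.0.0.1:9200"]
  }
}
```

Each file is loaded by a separate agent process, so the same software acts as shipper on the remote hosts and as indexer on the central server.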