Choosing the Right Log Aggregation Tool

Jacob Taylor
6 min read · Sep 22, 2019

Choosing the right log aggregation tool can be challenging. There are many tools available so how do you pick which one is right for you or your company? The tools we will focus on in this article are Splunk, Seq, and the Elastic (ELK) stack.

Part 1: Let’s explore the tools

Splunk is a great platform for collecting and analyzing your log data. It allows you to create dashboards to visualize your data. Splunk also offers a wide variety of log collectors so you can be sure that however you produce your log data, Splunk is likely to support it. It has both on-premises and SaaS offerings to fit the needs of almost any enterprise.

Elastic Stack, or ELK as it was previously known, is arguably the most popular log aggregation and management platform out there. It is composed of three core components: 1) Elasticsearch, a search engine based on Apache Lucene, 2) Logstash, a data-processing pipeline that makes the most out of your log files, and 3) Kibana, a data visualization and log discovery tool, plus 4) Beats, a family of smaller monitors and counters whose addition is also the reason for the name change from ELK to the Elastic Stack.

Seq is a great tool for consuming structured log data. It is an all-in-one tool that provides aggregation and visualization functions within a single installation. Dashboards are easily created and can be shared with your team through workspaces. It also has a SQL-like syntax for log searching, which means its discovery and tracking capabilities will feel right at home in most enterprises.

Part 2: Evaluate your needs

There are many areas you’ll need to evaluate when picking a log aggregator, many of which will be specific to your needs, so here we will focus on some of the most common:

  • Data flow & performance
  • Visualization
  • Security

First, we will focus on data flow and performance. How much data do you expect to have flowing into (or out of) the system? What is the primary use case for log aggregation in the first place? Are you looking for enterprise-grade performance and support for high-availability in a production environment? If so, Seq might not be for you but the Elastic Stack and Splunk are excellent candidates. Seq only supports single-node deployments and lacks the redundancy most enterprises require for production logging. The Elastic Stack is designed to be highly distributed and redundant. It supports both on-premises and SaaS (Elastic Cloud) models making it flexible for every environment. Splunk offers the same flexibility as the Elastic Stack, with both SaaS and on-prem support.

Secondly, we will dive into the visualization support within these various offerings. All of these services offer visualization in some form or another, but at varying levels. Let’s start with Seq, which offers customizable dashboards as well as general log searching. Both of these filter and display data based on a SQL-like querying mechanism. Depending on system capacity, this is where the system can start to break down: the indexing is a bit clunky and can cause queries to take an incredibly long time to load. This same effect transfers to dashboards, but we will get to that shortly. The log filtering allows for higher-level grouping by different log levels and configurable environments, depending on your needs. The dashboards, while they may offer slightly less verbose information, are far more useful for a high-level picture of system performance. You can do time filtering and grouping for things like the last hour by minute, with each category offering different options. You can turn your data into charts and graphs that give you a quick look into things such as user counts, exception counts, etc., but note that some of this is obviously dependent on the data you are feeding into the system.

Next up: Kibana, the “K” in ELK. This is also where things get more complex, particularly in terms of configuration, although most use cases shouldn’t require excessive tuning. Regardless, this complexity also offers significantly more power. There are a variety of different ways to visualize data in Kibana: Visualize, Canvas, Maps, and Dashboards. We will break these down one by one to explore what they offer. Visualize is where the various standard charts and graphs are created. You can create these one by one so you can focus on specific data points and preview them before they become available to other system users. Canvas allows you, similarly to Visualize, to create a dashboard-like view with a specific focus. Maps, as indicated by the name, are designed for viewing data with a geographic focus. Finally, Dashboards are where most users will be spending their time. They allow you to piece together elements from the other areas into one (or more) succinct dashboard views that afford you a high-level view into your system from one page.

And finally, Splunk. Splunk offers visualization at a cost, though not a monetary one. Similar to Seq, most of the visualization offered comes from poring over logs, filtering them down, and then creating charts and graphs from there. This is not necessarily a bad thing, though it adds a level of complexity that makes it a touch harder than ELK. The main advantage Splunk has with its dashboards is that they are not limited to the standard set of charts and graphs, among other things, but rather allow you to focus on specific types/focus areas of logs that simplify navigation. The rest of Splunk’s visualization features mostly align with Seq, although there are some power-user functions that enhance the experience; I won’t explore those here.

The last area we will focus on here is security. All the offerings support HTTPS out of the box with little setup, though you will need to (as expected) provide certificates. Note here that, since Elastic Stack is primarily Java-based, you will need to make sure that certificates are formatted properly. Beyond that, security is rather limited, but for a reason. Since Seq is self-contained, there is no need for node-to-node security or any other sort of encryption-in-motion support. Elastic Stack and Splunk, on the other hand, do support this, in much the same way that they support HTTPS at the client level. As expected of any enterprise-grade system, all three support Active Directory integration. You can configure various forms of role- and/or group-based access, although this comes in varying levels of support and extensibility. Seq, for instance, allows you to control access by specifying an AD group, although you are limited to just one. Elastic Stack supports AD out of the box, whereas Splunk requires a plugin, though it is supported, so it’s not a headache by any stretch. If you do not wish to integrate with AD, you can rely on the built-in local user systems that all three offer.

Part 3: Choosing the right tool

Now that we’ve gone over the various offerings of each system, it is time to choose the right tool for you. With that said, it is up to you, though I will offer some suggestions based on experience. If you have a rather small environment or only require basic functionality, Seq is probably your best bet considering how easy it is to set up. If you wish to run all your logs through a centralized system and be able to visualize every application in your enterprise, Splunk and Elastic Stack are both solid choices. They both offer relatively similar levels of support. I personally prefer Elastic Stack because of the user interface, but don’t let that sway you. At the end of the day, the right tool is situational, and each of the three tools we’ve explored might meet your needs or might not. Regardless, this should help simplify the decision-making process.
