The reaction to my Central Logging post has been significantly greater and more positive than I could've expected, so I wanted to recap some of the conversation that came out of this. I am pleasantly surprised by most of the comments on the Hacker News Thread. So, here's a real quick recap of the responses I've received. I will continue this series this weekend with more technical details.
So here's some reflections on the feedback so far.
Another Alternative: ELSA
@spazm recommended checking out ELSA. Not alone, as @_viq echo'd @spazm's suggestion. This trend continued on HackerNews with another recommendation for ELSA from ova. I figured this warranted an investigation. Unfortunately I have not had a chance to play around with ELSA yet.
I read through the docs and found it's using Sphinx as the search backend. From my cursory research, the main differences between ElasticSearch and Sphinx seems to be ease in configuration and setup of clusters with ElasticSearch winning. That said, Sphinx seems to crush ElasticSearch on single node search capabilities. This is based on the limited information I could find in the few minutes I had to spend on researching it.
I will spend some time researching ELSA as it is a Perl project. I am a sucker for Perl apps!
A number of folks are currently involved in the evaluation of logging tools. I was a bit disheartened by the number of people considering rolling their own. While I love the idea of reinventing the wheel and have done so many, many times, I have to agree with Marcus Ranum. Logging is hard, and you're probably over your head.
I'd urge those going down this road to investigate contributing to Open Source Software already in this space. If we could strengthen a few projects in this sphere rather than just constantly building more disposable wheels, we all win. Again, believe me, I sincerely understand that you want to build your own, however, this is more complicated than you can imagine. Why do I know that? Because I built my own wheels in this space as well!
I did haphazardly request feedback from someone who's had experience with Splunk. I realize now that I really need to write-up and screenshot the capabilities of the Logstash / Kibana / Graphite setup. I plan on doing that later this week, so until then I'll assume responsibility for the poor feedback in this area. I read the Hacker News comments and got the impression that you either use Splunk and never use anything else again or you think Splunk is too expensive. Both positions lack the evidence and rigor I was looking to elicit, but again, my fault.
A big thank you to everyone who engaged in a discussion or helped spread the word. I was surprised at the amazing response.