Elastic Agent vs Logstash
Both ship data to elasticsearch, but they serve different points on the complexity spectrum.
Side-by-Side
| | Elastic Agent | Logstash |
|---|---|---|
| Primary use | Unified data collection from a host | Complex ETL pipelines |
| Transformation | Light processors (sanitize, enrich) | Heavy filtering, joining, routing |
| Management | Centrally via Fleet in Kibana | Manual config files |
| Deployment | One agent per host | Standalone pipeline server |
| Replaces | Beats (largely) | Nothing — still the tool for complex ETL |
| When to use | Logs, metrics, security data from a machine | Multi-source joins, heavy transforms, fan-out routing |
The Rule of Thumb
Start with elastic-agent. Add logstash only when transformation complexity demands it — e.g., joining multiple streams, applying conditional routing across many outputs, or processing data from sources that don’t have an Elastic Agent integration.
They Are Not Mutually Exclusive
A common pattern: Elastic Agent collects data from hosts → ships to Logstash for transformation → Logstash outputs to Elasticsearch. Agent handles collection; Logstash handles the pipeline.
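The Agent → Logstash → Elasticsearch pattern as a Logstash pipeline file (an added example, not from the Elastic docs or from this page's author): the elastic_agent input receives what the agent's Logstash output sends, the filter does the conditional drop and tagging that justify putting Logstash in the path, and the outputs write to data streams with a fan-out copy of security datasets. Hostnames, cert paths, the `app.debuglog` dataset and the `ES_API_KEY`/`ARCHIVE_API_KEY` environment variables are assumptions; option names are those of Logstash 8.8+.

```logstash
# Agent -> Logstash -> Elasticsearch. Elastic Agent's Logstash output speaks
# the beats protocol to the elastic_agent input; Logstash enriches and routes,
# then writes into the same data streams the agent would have used directly.
input {
  elastic_agent {
    port => 5044
    # Assumed cert paths. TLS keeps host-to-pipeline traffic off cleartext.
    ssl_enabled     => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key         => "/etc/logstash/certs/logstash.key"
  }
}

filter {
  # Light enrichment: record which pipeline touched the event.
  mutate { add_field => { "[labels][pipeline]" => "agent-to-ls" } }

  # A transform the agent's processors are not meant for: drop debug-level
  # lines from one noisy (assumed) dataset before they cost index space.
  if [data_stream][dataset] == "app.debuglog" and [log][level] == "debug" {
    drop { }
  }

  # Tag security datasets so the output section can fan them out.
  if [data_stream][dataset] =~ /^(system\.auth|endpoint\.)/ {
    mutate { add_tag => ["security"] }
  }
}

output {
  # Default route: data_stream => true uses the data_stream.* fields the
  # agent already set (e.g. logs-system.auth-default). The API key comes
  # from the environment rather than being written into this file.
  elasticsearch {
    hosts       => ["https://es01.example.internal:9200"]   # assumed host
    api_key     => "${ES_API_KEY}"
    data_stream => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
  }

  # Fan-out: a second copy of security events to an archive cluster.
  if "security" in [tags] {
    elasticsearch {
      hosts       => ["https://archive.example.internal:9200"]   # assumed
      api_key     => "${ARCHIVE_API_KEY}"
      data_stream => true
      ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    }
  }
}
```

On the agent side the matching change is only the policy's output type (Logstash instead of Elasticsearch) pointing at port 5044; the integrations and their data_stream fields stay the same.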
See Also
- elastic-agent — the modern unified shipper
- logstash — the ETL pipeline engine
- fleet — manages Elastic Agent deployments
- elastic-stack — where both fit in the broader stack