If you are looking for a Logstash alternative for security operations, six tools cover the field: NXLog Platform, an agent-based telemetry pipeline built for security data collection with centralized agent management; Fluentd, a CNCF project with a large plugin catalog; Fluent Bit, its lightweight C-based sibling for edge and container collection; Vector, a Rust-based pipeline owned by Datadog; Cribl Stream, a commercial pipeline for routing and reducing data between existing collectors and SIEMs; and syslog-ng, a long-lived syslog daemon from One Identity. Which one fits depends on where your logs originate. For most security teams, a large share of them originate on Windows endpoints, Logstash’s weakest ground.
The case for replacing Logstash is operational, not functional. It runs on the JVM (the current release requires Java 21, which ships bundled), and Elastic’s own JVM sizing guidance shows why capacity planning gets involved: heap, direct memory, and memory-mapped queue pages all need separate estimation, and each persistent queue alone requires at least 128 MB of heap. That overhead is manageable on a central pipeline tier. The endpoint is the real gap: Logstash was never designed to run there, so Elastic’s own architecture puts Beats or Elastic Agent on every host, which means a second product to deploy, configure, and monitor before the first event reaches your pipeline.
What to look for in a Logstash alternative
Before comparing products, agree on the criteria. For security operations, five factors separate the contenders:
-
Endpoint-native collection. Can the tool read Windows Event Log, Linux Audit, and macOS logging APIs directly, or does it only tail files and listen on sockets? Security telemetry starts at the endpoint, not at a TCP port.
-
Agent management at scale. Config files in a repo work for ten hosts. For thousands, you need central enrollment, configuration, and health monitoring of agents.
-
Processing at the edge. Filtering and parsing on the endpoint cuts network transfer and SIEM ingestion costs before the data ever leaves the host.
-
Resource footprint. An agent competes with production workloads for CPU and memory. Runtime choice (C, Rust, Ruby, JVM) matters here.
-
Output flexibility. Your SIEM will change before your collection layer does. Look for native outputs to Elasticsearch, Microsoft Sentinel, Splunk-compatible endpoints, Kafka, and OpenTelemetry.
1. NXLog Platform
NXLog Platform approaches the problem from the opposite direction to Logstash: instead of a central pipeline that endpoints feed into, it starts with a lightweight, modular agent designed for security data collection, and adds centralized management on top. NXLog Agent is written in C, loads only the modules you configure, and ships over 100 input, output, processor, and extension modules.
Windows is where the difference shows. NXLog Agent reads the Windows Event Log natively through the Event Log for Windows input module, captures kernel-level telemetry through Event Tracing for Windows, and can even act as a Windows Event Collector to receive forwarded events from hosts where you cannot install an agent. Coverage extends across platforms with modules for Linux Audit, the macOS Unified Logging System, and macOS Endpoint Security, plus installers for IBM AIX and Oracle Solaris, which none of the CNCF-era tools cover.
A minimal configuration that collects Windows Security events and forwards them as JSON over TLS looks like this:
<Extension json>
Module xm_json
</Extension>
<Input windows_security>
Module im_msvistalog
# Collect only the Security channel
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output siem>
Module om_ssl
Host siem.example.com:6514
CAFile %CERTDIR%/ca.pem
Exec to_json();
</Output>
<Route security_to_siem>
Path windows_security => siem
</Route>
The JSON extension module converts structured events to JSON, and the TLS/SSL output module handles TLS transport with certificate-based authentication. For a deeper look at getting that transport layer right, see our guide to syslog forwarding over TLS.
Because the agent processes data before it leaves the host, you can drop high-volume, low-value events at the source and cut what your SIEM bills you for:
<Input windows_security>
Module im_msvistalog
# Drop noisy events before they leave the host
<Exec>
if $EventID in (4634, 4658, 5156, 5158) drop();
</Exec>
</Input>
On the management side, NXLog Platform gives you a single interface to enroll agents, push configurations, and monitor agent health: the piece that config-file-driven tools leave to you. Outputs cover Elasticsearch, Microsoft Sentinel, Google SecOps, Kafka, and an OpenTelemetry exporter, so you are not committed to any single SIEM.
Best for: security teams collecting from mixed Windows, Linux, macOS, and legacy Unix estates who want one managed agent instead of a patchwork of shippers.
Consider the trade-off: NXLog Platform is a commercial product (plans start with a free tier). If you need a fully open-source stack as a matter of policy, look at the CNCF options below.
2. Fluentd
Fluentd is a Cloud Native Computing Foundation project and the default log router in much of the Kubernetes world. Its main strength is reach: the project’s plugin index, which tracks all Fluentd plugins published on RubyGems, lists roughly a thousand community plugins covering nearly any source or destination you can name.
That breadth comes from Fluentd’s Ruby foundation: plugins ship as Ruby gems, which makes them easy to write and easy to install, but ties throughput to the Ruby runtime.
Windows support exists through the project-maintained in_windows_eventlog2 input plugin, which ships with fluent-package rather than in the core fluentd gem, and Fluentd offers no built-in way to manage agent configuration across a fleet.
Best for: cloud-native teams routing container and application logs to many destinations, where the plugin catalog outweighs raw per-node performance.
3. Fluent Bit
Fluent Bit comes from the same project family as Fluentd but is an independent implementation: a CNCF sub-project under the Fluentd umbrella written in C, built for environments where every megabyte counts. The project advertises a minimal footprint of roughly 450 KB, and it runs on Linux, Windows, macOS, BSD, and embedded platforms. It is the smallest collector in this comparison, which makes it the default pick for containers, IoT devices, and Kubernetes DaemonSets.
The trade-off is processing depth: Fluent Bit has gained Lua scripting and SQL stream processing over the years, but heavier parsing and enrichment still tends to happen downstream in Fluentd or another pipeline. Like Fluentd, it is configured per node through files, with no native fleet management, and its Windows Event Log support is functional rather than a design focus.
Best for: edge and container collection where footprint is the deciding factor, typically feeding a heavier aggregator.
4. Vector
Vector is a Rust-based observability pipeline developed by Datadog. Its standout feature is the Vector Remap Language (VRL), an expression language for transforming events that is checked at compile time and refuses to compile unless every possible error is handled. For pipelines that must not drop data silently, that compiler discipline prevents a whole class of runtime surprises.
Vector also publishes performance numbers. In the project’s own test harness results (Vector team/Datadog, published in the repository README), Vector reached 86 MiB/s in the TCP-to-blackhole test against 40.6 MiB/s for Logstash, 64.4 MiB/s for Fluent Bit, and 27.7 MiB/s for Fluentd. Treat these numbers with care: they are vendor-run, and the harness compared tool versions that are now several years old (Logstash 7.x era). Independent tests paint a more mixed picture: an IBM benchmarking study (Gupta and Raichstein, IBM Cloud, 2021, run on a six-node bare-metal cluster with 8 CPUs and 64 GB RAM per node) found Fluent Bit and Vector close on throughput per CPU. In practice, Vector and Fluent Bit sit in the same performance class, and workload shape matters more than the benchmark headline.
For Windows-heavy security estates, note that Vector’s native Windows Event Log source only shipped in April 2026 and is still flagged beta; early stability bug reports were fixed quickly, but the source is young. Open-source Vector also has no agent fleet management layer (Datadog sells that capability separately as Observability Pipelines), and Datadog ownership is worth weighing when you assess long-term roadmap neutrality.
Best for: high-throughput Linux pipelines with heavy in-flight transformation needs, run by teams comfortable managing configuration as code.
5. Cribl Stream
Cribl Stream is not an endpoint agent. It is a pipeline that sits between your existing collectors and your destinations, where it routes, reshapes, enriches, and, above all, reduces data before it reaches SIEM storage; volume reduction is the product’s core pitch. Endpoint collection comes from elsewhere: Cribl’s separate Edge product, or third-party agents. In practice, Cribl deployments often sit downstream of agents like NXLog Agent, Fluent Bit, or Splunk forwarders.
The UI-driven pipeline builder lowers the barrier for teams that do not manage configuration as code, and the routing model is easy to reason about. Scrutinize the commercial model before you commit: licensing is metered on data ingest, and the free on-prem license caps ingest at 1 TB/day and requires sending anonymized telemetry data to Cribl; disabling telemetry on a free license blocks inbound traffic within 24 hours, per Cribl’s own documentation.
Best for: large enterprises with established collection layers that need to reshape and reduce data across multiple SIEMs and data lakes.
6. syslog-ng
syslog-ng has been forwarding logs since the late 1990s and remains a solid, C-based choice for Unix estates standardized on syslog transport. It comes in an open-source edition (OSE) and a commercial Premium Edition from One Identity.
The split matters for security teams. Windows collection requires the syslog-ng Agent for Windows, which is part of the commercial Premium Edition and licensed with it. The same documentation states the agent’s limits plainly: it supports only basic filtering, with no message parsing or classification on the endpoint, and the central syslog-ng server cannot be installed on Windows at all. The agent itself lives on the legacy 6.0 LTS maintenance track, and One Identity points Windows users toward its agentless Windows Event Collector instead. Management of Windows agents runs through Group Policy rather than a dedicated console.
Best for: Linux/Unix environments committed to syslog as the transport standard, where Windows coverage is minimal or handled elsewhere.
Logstash alternatives compared
| Criterion | NXLog Platform | Fluentd | Fluent Bit | Vector | Cribl Stream | syslog-ng |
|---|---|---|---|---|---|---|
Windows Event Log collection |
Via community plugin |
Built-in input |
New source (2026), maturing |
No (pipeline, not an agent) |
Commercial agent only, basic filtering |
|
Centralized agent management |
Yes: enrollment, config, health in one UI |
No |
No |
No |
For its own nodes |
Group Policy (Windows agent) |
Edge parsing and filtering |
Yes |
Yes |
Moderate (Lua, SQL) |
Yes (VRL) |
Yes (server-side) |
Server yes; Windows agent no |
Runtime and minimal footprint |
C, modular |
Ruby (plugins as gems) |
C, ~450 KB minimum |
Rust |
N/A (server pipeline) |
C |
Legacy Unix coverage (AIX, Solaris) |
Yes |
No |
No |
No |
No |
AIX only (PE 6 LTS) |
SIEM-agnostic outputs |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Licensing |
Commercial, free tier + Community Edition |
Apache 2.0 |
Apache 2.0 |
MPL-2.0 (Datadog) |
Commercial; free ≤ 1 TB/day with telemetry |
OSE free; PE commercial |
If minimal footprint is your only criterion, Fluent Bit wins. If your policy requires fully open-source tooling, the CNCF projects win. If your priority is collecting security telemetry from Windows-heavy, mixed, or legacy estates and managing those agents centrally, NXLog Platform is the only option on the list that covers all of it in one product.
Frequently asked questions
- What is the best Logstash alternative for security teams?
-
For most security teams, NXLog Platform, because security telemetry is endpoint-first and Windows-heavy: the two areas where it leads this field, with native Windows Event Log collection and centralized agent management. If your environment is entirely Linux containers, Fluent Bit or Vector may serve you better.
- Is Logstash being deprecated?
-
No. Elastic continues active development: Logstash 9 shipped with breaking changes documented in 2025-2026, including a move to JDK 21 in version 9.4. Teams replace it for footprint, endpoint coverage, and operational reasons, not because it is going away.
- What is the lightest-weight Logstash alternative?
-
Fluent Bit, by a wide margin: the project cites a minimal footprint of about 450 KB. NXLog Agent’s C core is also light, and it becomes the better choice when you need Windows event semantics and fleet management along with the small footprint.
- Can NXLog Platform replace Logstash entirely?
-
For collection, parsing, filtering, and forwarding, yes: over 100 modules cover the input and output range, including a native Elasticsearch output. If you have years of investment in Logstash-specific pipeline configurations, plan the migration as a phased project rather than a switch-over. We’re happy to help you scope it.
Choosing your Logstash alternative
Match the tool to the constraint. Fluent Bit wins on footprint for container fleets. Vector suits transformation-heavy Linux pipelines. Cribl Stream fits data-reduction projects layered over collectors you already run. syslog-ng makes sense where the estate is standardized on syslog transport, and Fluentd where plugin coverage for cloud routing decides the choice.
If your constraint is the one most security teams have (collecting reliable telemetry from Windows, Linux, macOS, and legacy systems, filtering it at the edge, and managing thousands of agents without a spreadsheet), start with NXLog Platform for free and see how far one agent takes you. The documentation will get your first agent enrolled in minutes.