I am trying to decide on an approach for log processing in an EKS cluster. The idea is to use EFK. We thought we could use fluentd to push the logs to Elasticsearch, but most of the blogs use fluentd to send the logs to CloudWatch and then a Lambda to send the CloudWatch logs to Elasticsearch. Why is this approach preferred? What could be the drawbacks of pushing logs directly to Elasticsearch?
Thanks!
I have been using EFK in EKS and sending logs directly to Elasticsearch using a dynamic index key. My Elasticsearch cluster is also running inside Kubernetes and I am running fluentd as a DaemonSet. I haven't found any problems yet with this approach.
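The setup the answer describes, written out as an added example (this is not the poster's configuration): a fluentd DaemonSet config that tails container logs, enriches them with Kubernetes metadata, and ships them straight to an in-cluster Elasticsearch with one index per namespace. The Elasticsearch service name, the CA path, the environment variable names and the buffer paths are assumptions; the plugin parameters are those of fluent-plugin-elasticsearch and the standard tail/kubernetes_metadata plugins.

```apache
# Added example, not the poster's own config. Assumed: Elasticsearch is reachable
# at elasticsearch.logging.svc.cluster.local, a CA bundle is mounted at
# /etc/fluent/certs/ca.crt, and credentials come in via environment variables
# populated from a Kubernetes Secret.

<source>
  @type tail
  path /var/log/containers/*.log
  pos_file /var/log/fluentd-containers.log.pos
  tag kubernetes.*
  read_from_head true
  <parse>
    # Docker-shim nodes write JSON lines; containerd nodes use the CRI format,
    # in which case swap this for the cri parser.
    @type json
    time_format %Y-%m-%dT%H:%M:%S.%NZ
  </parse>
</source>

# Attach namespace, pod name and labels to every record. The fluentd
# ServiceAccount needs a ClusterRole that can get/list/watch pods and namespaces.
<filter kubernetes.**>
  @type kubernetes_metadata
</filter>

<match kubernetes.**>
  @type elasticsearch
  host elasticsearch.logging.svc.cluster.local   # assumed in-cluster service
  port 9200
  scheme https
  ssl_verify true
  ca_file /etc/fluent/certs/ca.crt               # assumed mounted CA bundle
  user "#{ENV['FLUENT_ELASTICSEARCH_USER']}"     # assumed env var from a Secret
  password "#{ENV['FLUENT_ELASTICSEARCH_PASSWORD']}"

  # Dynamic index key: the placeholder is resolved from the chunk keys declared
  # in the <buffer> section below, so each namespace lands in its own index.
  index_name logs-${$.kubernetes.namespace_name}
  include_timestamp true
  reconnect_on_error true
  reload_on_failure true
  request_timeout 15s

  <buffer tag, $.kubernetes.namespace_name>
    # On-disk buffer: with no CloudWatch in between, this is the only thing
    # holding logs while Elasticsearch is down or rejecting writes.
    @type file
    path /var/log/fluentd-buffers/kubernetes.es
    flush_interval 5s
    chunk_limit_size 8M
    total_limit_size 512M
    retry_max_interval 30
    retry_forever true
    overflow_action block
  </buffer>
</match>
```

The buffer section is the part that answers the "drawbacks" question: when logs go straight to Elasticsearch there is no intermediate store, so the node-local file buffer and its size limit decide how long an Elasticsearch outage can last before logs are dropped, and `overflow_action block` trades log loss for back-pressure on the tail input. Per-namespace indices also let you apply Elasticsearch index-level access control and retention per tenant rather than across one shared index.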