Seems like devs would prefer to upgrade the syslog used in ipfire instead of using filebeat, which I’m happy if it does TLS encryption and authentication to logstash. So holding off making pakfire now as devs have signalled their intent to instead upgrade syslog see here Shipping logs to logstash - #14 by ms