91% smaller. 13× faster. Discover Trout Impeller Technology.
Edge log processing that cuts SIEM costs and deploys where Logstash can't. Independently validated by HUN-REN SZTAKI.
Your SIEM is drowning in logs.
SOCs are buried in log data. The more devices you add, the more your SIEM costs to run, store, and process. The more devices you monitor, the worse it gets. In OT environments with thousands of endpoints generating syslog at high rates, the problem compounds fast.
Impeller executes log parsing, filtering, and pre-processing at the edge, reducing the volume and complexity of data forwarded to centralized systems. It works in environments where Logstash is too heavy: edge gateways, remote OT sites, containerized microservices, and resource-constrained appliances.
Controlled, reproducible, head-to-head.
The test environment simulated a realistic distributed pipeline using Docker containers orchestrated via Docker Compose. Loggen generated realistic syslog traffic at controlled rates to progressively increase load. Both Impeller and Logstash ran equivalent processing pipelines, with a rsyslog sink receiving and discarding processed events to isolate pipeline performance from storage effects.
Tests systematically varied three parameters: operation mode (forward-all vs. parsing & filtering), load volume (5,000 events/s at 250/s vs. 25,000 events at 2,000/s), and resource allocation (small: 0.5 CPU core, 500MB RAM vs. large: 4 CPU cores, 4GB RAM). Each scenario included JVM warm-up and pipeline flush phases to ensure accurate measurement.
Independent assessment by HUN-REN SZTAKI, January 2026. EU SOCCER Project, Grant #101127847.
| Metric | Impeller | Logstash | Improvement |
|---|---|---|---|
| Image Size | 80 MB | 890 MB | 91% smaller |
| Startup Time | 2 seconds | 8–39 seconds | 4–19× faster |
| CPU Time per Event | 0.06–0.13 ms | 0.43–1.73 ms | 3–13× lower |
Impeller used fewer resources than Logstash in all 8 test scenarios. The 91% reduction in image size (80MB vs. 890MB) makes it deployable in edge and OT environments where storage is limited. CPU consumption was 3-13x lower than Logstash, with filtering operations at 0.06-0.13ms per event compared to Logstash's 0.43-1.73ms. In practice, this means lower infrastructure costs and less load on the systems being monitored.
80 MB image. Runs anywhere.
91% smaller than Logstash. Deploys on edge gateways, OT appliances, and resource-constrained environments where traditional log processors can't fit.
2-second startup. No warm-up.
4-19x faster startup than Logstash (which needs 8-39 seconds). Important for containerized environments, auto-scaling, and edge deployments where services restart often.
3–13× less CPU per event.
0.06-0.13 ms per event vs. Logstash's 0.43-1.73 ms. Lower infrastructure costs and less load on the systems being monitored.
Download the validation report.
The complete independent assessment by HUN-REN SZTAKI: methodology, all 8 test scenarios, detailed results, event handling analysis, and deployment recommendations.
Part of Access Gate
Impeller is the event processing engine inside Trout Access Gate. Every Access Gate deployment includes Impeller for edge-level log filtering, parsing, and SIEM forwarding. No additional setup required.
EU SOCCER Project
This assessment was conducted as part of the EU-funded SOCCER project (Grant #101127847) by HUN-REN SZTAKI, Department of Network Security and Internet Technologies. Report date: January 2026.
Impeller & Validation Report FAQ
Smaller image footprint vs. Logstash
Impeller is Trout Software's edge log processing engine. It parses, filters, and pre-processes log data at the source, before it reaches your SIEM, reducing the volume and complexity of data forwarded to centralized systems.
The independent performance assessment was conducted by HUN-REN SZTAKI (Institute for Computer Science and Control), Department of Network Security and Internet Technologies, as part of the EU-funded SOCCER Project (Grant Agreement #101127847). Report date: January 2026.
Eight test scenarios evaluated Impeller across varying workloads and resource constraints, comparing it directly against Logstash as the industry-standard baseline. Tests varied operation mode (forward-all vs. parsing & filtering), load volume (5,000 to 25,000 events/s), and resource allocation (0.5 to 4 CPU cores, 500MB to 4GB RAM). The test environment simulated a realistic distributed pipeline using Docker containers orchestrated via Docker Compose.
No. Impeller sits upstream of your SIEM. It reduces the volume of data your SIEM needs to ingest by filtering and enriching logs at the edge. This lowers SIEM licensing costs, storage requirements, and processing overhead. Impeller integrates via standard rsyslog forwarding.
Impeller uses a queue-based processing model that acts as a built-in protection mechanism. When processing capacity is exceeded, the queue absorbs bursts up to its limit, and overflow conditions naturally cap the impact of misconfigured or compromised assets generating excessive log volumes. That keeps one noisy device from taking down your log pipeline. For production deployment, HUN-REN SZTAKI recommends implementing TCP-based backpressure to provide flow control.