
I am working in a distributed environment. I have a central machine which needs to monitor some 100 machines, so I need to use the ELK stack and keep monitoring the data.

Since Elasticsearch, Logstash, Kibana and Filebeat are independent pieces of software, I want to know where I should ideally place them in my distributed environment.

My approach was to keep Kibana and Elasticsearch on the central node and keep Logstash and Filebeat on the individual nodes.

Logstash will send data to the central node's Elasticsearch, which Kibana then displays.

Please let me know if this design is right.


1 Answer


Your design is not that bad, but if you install Elasticsearch on only one server, with time you will face the problem of availability.

You can do this:

  1. Install Filebeat and Logstash on all the nodes.
  2. Install Elasticsearch as a cluster. That way, if one Elasticsearch node goes down, another node can easily take over.
  3. Install Kibana on the central node.

NB:

  • Make sure you configure Filebeat to point to more than one Logstash server. By doing so, if one Logstash fails, Filebeat can still ship logs to another server.
  • Also make sure your Logstash configuration points to all the node.data of your Elasticsearch cluster.

You can also go further by installing Kibana on, say, 3 nodes and attaching a load balancer to it. That way your load balancer will choose the instance of Kibana that is healthy and display it.

UPDATE

With Elasticsearch configured, we can configure Logstash as follows:

output {
    elasticsearch {
        hosts => ["http://123.456.789.1:9200", "http://123.456.789.2:9200"]
        index => "indexname"
    }
}

You don't need to add stdout { codec => rubydebug } to your configuration.

Hope this helps.
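The output block in the answer above is the minimum that works, but it ships logs over plain HTTP to an Elasticsearch endpoint with no authentication, so anyone on the network between the nodes can read or inject events. The pipeline below is an added example, not code from the original answer: it keeps the answer's idea of listing every data node in hosts, and adds the two things a practitioner would want on a 100-node deployment, TLS with certificate verification on both the Beats input and the Elasticsearch output, and a dedicated write-only user for Logstash. The hostnames, certificate paths, the logstash_writer user and the LOGSTASH_ES_PASSWORD variable are assumptions; replace them with your own. Option names follow the long-standing Logstash plugin settings (ssl, cacert); recent plugin versions rename some of these (for example ssl_enabled and ssl_certificate_authorities), so check the plugin documentation for the version you run.

```conf
# Added example, not part of the original answer. Hostnames, paths and the
# logstash_writer user are assumed; substitute your own.

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    # The beats input expects the key in PKCS#8 format.
    ssl_key => "/etc/logstash/certs/logstash-pkcs8.key"
    # Require every Filebeat to present a client certificate signed by our CA,
    # so only our own nodes can inject events into the pipeline.
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_verify_mode => "force_peer"
  }
}

output {
  elasticsearch {
    # One entry per Elasticsearch data node. Logstash spreads requests across
    # the list and keeps going when one of the nodes stops responding, which is
    # what the answer means by "point to all the node.data".
    hosts => ["https://es-data-1.example.internal:9200",
              "https://es-data-2.example.internal:9200",
              "https://es-data-3.example.internal:9200"]
    ssl => true
    # Verify the cluster's certificates against our CA instead of trusting any
    # server that happens to answer on port 9200.
    cacert => "/etc/logstash/certs/ca.crt"
    # A dedicated role that can only create and write to filebeat-* indices.
    user => "logstash_writer"
    # Pulled from the Logstash keystore or the environment, never written inline.
    password => "${LOGSTASH_ES_PASSWORD}"
    index => "filebeat-%{+YYYY.MM.dd}"
  }
}
```

On the Filebeat side of this setup, the matching settings under output.logstash are hosts (both Logstash servers, for example logstash-1.example.internal:5044 and logstash-2.example.internal:5044), loadbalance: true so events are spread over the live servers rather than only failing over, ssl.certificate_authorities pointing at the same CA certificate, and ssl.certificate plus ssl.key for the client certificate the force_peer setting above demands. Without the client certificate requirement, the failover the answer describes also makes it easy for any host that can reach port 5044 to feed fabricated log lines into Kibana.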