Advice for new deployment?


Hi all. We're looking to start using the Elastic Stack in our systems, and while I've messed around with it personally in the past and know all of the basic concepts and ideas, the one sticking point right now is Logstash, specifically with regard to OS choice. Normally, all of our servers are built with Windows, though we have a few Linux boxes specifically be stipulation of one of our vendors. Getting new Linux boxes approved is like herding nip-crazed cats in a bird sanctuary. I know from the support matrix that Logstash is officially supported on Windows Server 2012 R2 (which is our preferred OS), but I can't seem to find any recent documentation anywhere about how to get it to run on there, at least without using NSSM. NSSM is a handy tool, but we're unfortunately a risk-averse enterprise, so an obscure open-source tool has as much chance of getting approved for a Production server as Hillary giving Trump a hug.

We really only need to use Logstash for the applications running on our Linux boxes, though. We have 18 such servers that all have pretty high throughput (roughly a quarter-million real-time transactions per day per server). What should an ideal Logstash deployment look like for this? Should we put an instance of it on each Linux server, since running it on Linux is obviously more openly supported than Windows? Is there a source of Windows documentation out there somewhere whereby we could set up and run a dedicated Logstash server? Any other thoughts?

Thanks in advance for any advice y'all can offer.

(Magnus B├Ąck) #2

I'd probably run Filebeat on all Linux boxes to collect the logs and ship them to Logstash instances running on one or a couple of the Linux servers. It doesn't sound like the load is going to tax the machines significantly. Logstash is less tested on Windows and fewer people run it there so choosing Linux is the low-risk option (using terminology that your PHBs would understand).

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.