Can you answer these ELK questions?

Given the following use case:
Filebeat and Metricbeat installed on 10 CentOS hosts. Each CentOS location represents a different customer (tenant):

Topology and authentication

Can we authenticate each feed and make sure that each connection is identified and tied back to a tenant ?
In an ideal world they all talk back to a single connection point in the cloud. Let's say it's something like this...
i. DNS Name:
ii. PORT: 443
Does each device register with the system and identify itself so we can track its information independently?
I guess, each Customer will register with a separate node (=tenant), correct?
Does Elasticsearch make sure one device can't impersonate another and hijack their data slot?
Does Elasticsearch make sure one device can't contaminate another's data feed? That would be bad.

Can we host multiple customers with multiple systems on a single node?
Or is one node dedicated to one Customer with multiple systems?
Is TLS encryption included, in case we buy 3 or more nodes per year?

Some answers depend on what license level you use; I'll assume at least Gold.

Yes, for example API keys

I'm not sure what you are asking. Assuming you authenticate each feed with a unique user account, then the security would be controlled as to what indices they could read and write. The monitoring interface could be configured to include the beats from each feed.

However, it's sometimes better to use a common index for like data; in the case of common indices, the agent.hostname would be unique for each sending host.

Control this with unique account security.

Elasticsearch is best as a multi node redundant service. Maybe this will help.

TLS is included and recommended. There is a setup for node-to-node communication and a separate setup for client communication. If you add nodes, you need to add them to the certificates for node-to-node communication.
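An added example (not from this thread or from Elastic) of what "authenticate each feed with a unique account restricted to its own indices" looks like in practice: it builds the per-tenant API key request, the matching Beats output section (TLS to port 443 plus the API key), and an offline model of the index check that keeps tenant A's key from writing into tenant B's index. The privilege lists, the tenant index naming scheme and the CA path are assumptions.

```python
"""Per-tenant API key for Beats, plus an offline check of the isolation it gives."""
import fnmatch

# Privileges Beats need to publish (assumption: taken from the Beats publishing docs).
BEATS_CLUSTER_PRIVS = ["monitor", "read_ilm", "read_pipeline"]
BEATS_INDEX_PRIVS = ["auto_configure", "create_doc", "view_index_metadata"]


def tenant_index_pattern(beat: str, tenant: str) -> str:
    """Index pattern a tenant's agents may write, e.g. filebeat-acme-* (assumed scheme)."""
    return f"{beat}-{tenant}-*"


def api_key_request(tenant: str, beats=("filebeat", "metricbeat")) -> dict:
    """Body for POST /_security/api_key: one key per tenant, limited to that tenant's indices."""
    names = [tenant_index_pattern(b, tenant) for b in beats]
    return {
        "name": f"beats-{tenant}",
        "role_descriptors": {
            f"beats-writer-{tenant}": {
                "cluster": BEATS_CLUSTER_PRIVS,
                "index": [{"names": names, "privileges": BEATS_INDEX_PRIVS}],
            }
        },
    }


def beat_output_config(beat: str, tenant: str, host: str, key_id: str, key_secret: str) -> dict:
    """Settings for the beat's YAML: TLS to the shared endpoint, API key, tenant-specific index."""
    return {
        "output.elasticsearch": {
            "hosts": [f"https://{host}:443"],
            "api_key": f"{key_id}:{key_secret}",          # Beats expects "id:api_key"
            "index": f"{beat}-{tenant}-%{{[agent.version]}}",
            "ssl.certificate_authorities": ["/etc/pki/tls/certs/es-ca.pem"],  # assumed path
        },
        # Required by Beats whenever output.elasticsearch.index is customised.
        "setup.template.name": f"{beat}-{tenant}",
        "setup.template.pattern": f"{beat}-{tenant}-*",
    }


def key_allows_write(request: dict, index: str) -> bool:
    """Offline model of Elasticsearch's check: does some index grant in the key cover this index?"""
    for role in request["role_descriptors"].values():
        for grant in role["index"]:
            if "create_doc" in grant["privileges"] and any(
                fnmatch.fnmatchcase(index, p) for p in grant["names"]
            ):
                return True
    return False
```

Tenant names must be safe for use in index names (lowercase, no spaces or wildcard characters), or the pattern will be wider than intended.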

Thanks Len, this helps. We will come back as soon as we digest this info.

By the way, could you also help us answer these 2 questions?

a. Can we host multiple customers with multiple systems on a single node?
b. Or is one node dedicated to one Customer with multiple systems?

I would say that each customer's data could be aggregated into a dedicated index within a shard?

Additional questions:

  1. Can we route the comms via our DNS namespace?

  2. For example:

  3. How many nodes are required for 10-12 of our Customers (segregated by unique API key), each having between 2-10 Filebeat and Metricbeat Agents installed on Linux servers?

Cheers, thanks in advance

I understand that:
Each customer's devices would share a unique API key; feeds coming from the same API key (whether 1 or 20 devices) can be aggregated in a) the main index, b) a dedicated customer-specific index, or c) both.
Feeds are TLS encrypted end to end.
Feeds can talk to the same DNS hostname: behind this DNS hostname the Logstash component identifies API keys, filters and forwards to the Elastic index/indexes.
Nodes depend on the amount of data; possibly Elastic has a sizing document to help calculate this.