Dedicated Logstash Cluster

Precision · July 4, 2018, 1:16pm

Hi there,

currently I am using Logstash and the GELF plugin to send logfiles to Graylog.

So: Logstash -> GELF -> Graylog

Basically it works, but sometimes Logstash goes crazy and consumes almost all CPU resources - which is particularly bad on the production system. One reason for sure are very complex grok filters.

To take some load off the production machines and make them immune to Logstash hickups I’m thinking about makind a dedicated Logstash cluster.

So something like this:
Filebeat -> Logstash Cluster -> GELF -> Graylog

Question is: Shoud I put a message broker, e.g. Kafka or RabbitMQ, inbetween?

For example:
Filebeat -> Kafka -> Logstash Cluster -> GELF -> Graylog

Is there kinda reference architecture out there? It should be a fairly common problem and I don’t wanna reinvent the wheel.

magnusbaeck · July 5, 2018, 5:19pm

Shoud I put a message broker, e.g. Kafka or RabbitMQ, inbetween?

That's a good idea if you're planning on running multiple Logstash instances. That way each Logstash instance can all pull messages at its own pace.

system · August 2, 2018, 5:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What are the different ways that we can send log messages from log stash server to Graylog server Logstash	2	600	November 22, 2017
Gelf output to Logstash not working Logstash	1	600	August 18, 2020
Trouble sending GELF event - Graylog Logstash	2	618	March 19, 2020
Bad GELF performance Logstash	1	478	August 31, 2018
What is best way to send logstash data to greylog? Logstash	2	631	July 6, 2017

Dedicated Logstash Cluster

Related topics