I want guidance on the following architecture. This is for my studies and is not in enterprise production use. I, however, wish to leverage this as a long-term deployment. Hence I am running the architecture through experts within the community.
I am hoping to deploy Elasticsearch on two nodes: the primary node will always be powered on with data (storage is running in RAID-0) and network (dual NIC) resiliency. This node will only have Elasticsearch installed along with Logstash. This node has an Intel Celeron processor with 4 GB of RAM running Ubuntu Server 18.04.4 LTS. Logstash is configured to use 512 MB of RAM. All the log sources will communicate only with this (primary) node.
The second node is my laptop, which will be part of the cluster but will be shut down whenever I am not using the laptop. This node has an i5 with 32 GB of RAM and is running Windows. It will have Elasticsearch and Kibana installed. I need this to ensure I can work with the data once I am in class.
Whenever a new log source is added, the laptop will be available for the log source to create a Kibana index. I have made sure all indices have a single shard with two replicas.
I am doing this primarily because, as a student, I cannot afford a dedicated system with high compute and memory for an ELK deployment. Secondly, as part of my research and presentations, I need the data in a mobile form (without the need for a VPN all the time).
I have only a few log sources to play with, and these include Raspberry Pis sending syslog from different services such as DNS, VPN and an SSH honeypot.
I have attached a deployment diagram if it helps.
I would kindly request members of the community to highlight any major resiliency faults they see in the system, and mitigations if feasible.
I will be using the latest version of all the software installed.
Thank you very much!
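Added example (not from the original post): a small Python model of how the copies of a single-shard index get assigned as nodes come and go, following the Elasticsearch rule that a replica copy is never placed on the same node as its primary, so an index with R replicas needs R+1 data nodes before every copy can be allocated. Index and pattern names are constructed, and the template body assumes the composable index template API (`_index_template`, Elasticsearch 7.8 and later).

```python
"""Replica allocation check for a small Elasticsearch cluster (added example).

Models one fact about shard allocation: a replica is never placed on the
node that holds its primary, so with N data nodes at most N copies of each
shard (1 primary + N-1 replicas) can be assigned. The rest stay unassigned
and the index reports yellow health. Index names below are constructed.
"""
import json


def allocatable_copies(data_nodes, shards, replicas):
    """Return (assigned_copies, unassigned_copies, health) for one index.

    Health follows Elasticsearch index health: green when every copy is
    assigned, yellow when all primaries are assigned but some replicas are
    not, red when primaries themselves cannot be placed (no data nodes).
    """
    copies_per_shard = replicas + 1  # primary plus its replicas
    if data_nodes <= 0:
        return 0, shards * copies_per_shard, "red"
    assigned = shards * min(copies_per_shard, data_nodes)
    unassigned = shards * copies_per_shard - assigned
    return assigned, unassigned, "green" if unassigned == 0 else "yellow"


def index_template(name, pattern, shards, replicas):
    """Body for PUT _index_template/<name> (composable template API, 7.8+)."""
    return {
        "index_patterns": [pattern],
        "template": {"settings": {"index": {
            "number_of_shards": shards,
            "number_of_replicas": replicas,
        }}},
    }


def report(nodes_online, shards, replicas):
    """One-line summary of what the cluster would show for this node count."""
    assigned, unassigned, health = allocatable_copies(nodes_online, shards, replicas)
    return (f"nodes={nodes_online} shards={shards} replicas={replicas}: "
            f"{assigned} assigned, {unassigned} unassigned -> {health}")


if __name__ == "__main__":
    for online in (2, 1):  # laptop on, then laptop off
        print(report(online, 1, 2))  # two replicas, as in the post
        print(report(online, 1, 1))  # one replica, the most two nodes can hold
    print(json.dumps(index_template("syslog", "syslog-*", 1, 1), indent=2))
```

Run it to see, for each node count, how many copies of the single shard can actually be placed and what index health the cluster would report.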