ELK Architecture Questions

fsa317 · April 8, 2016, 4:17pm

Hi, I'm relatively new to ELK and have some specific questions about the overall architecture.

In a typical ELK stack by the time log data is in ES does it need to be in a specific schema so that it can be read by Kibana?

The reason I ask is I have a very specific architecture where I want to insert log data from log4j directly into ElasticSearch without LogStash. I also want the data once it is in ES to be viewed by Kibana OR by a custom application that would read from ES directly. What I haven't been able to understand is whether or not there is in essence a required schema in ES.

Any tips to help me clarify these questions are appreciated.

warkolm · April 9, 2016, 7:07am

Preferably yes, but KB will still work.

Look into templates - Index templates | Elasticsearch Guide [8.11] | Elastic

fsa317 · April 11, 2016, 11:48am

Thanks, are there pre-defined templates for use with Kibana or generally when using ES to store log data?

warkolm · April 11, 2016, 9:04pm

You can look at the Logstash one - https://github.com/logstash-plugins/logstash-output-elasticsearch/blob/master/lib/logstash/outputs/elasticsearch/elasticsearch-template.json