Hello everybody!
I started to use ELK in my company, at first to be able to get a look at Windows logon information, then security group membership activity, etc.
I installed one node on CentOS 7 (VM) with 2 CPUs (virtual sockets) and 8 GB of RAM.
ELK was installed with the default configuration; I only set the basics to get it working.
Of course, after digging a little bit, I found ELK to be very useful, so I started to send more logs into it (NetFlow, Winlogbeat), and now we are being asked to monitor network activity on some PCs (so I used Packetbeat), etc.
I did manage to get Winlogbeat and Packetbeat to send only what is necessary to ELK (only the events needed and only the traffic from/to the IPs needed), but recently I added 2 more NetFlow logs and now my node is at 100% CPU usage; it seems that it is too much for it...
Since it's in "production" and it will grow, because I want to develop the use of ELK in my company,
I need advice on my configuration and what to do in the future (cluster, how many nodes? do I need Redis? etc.).
I need to know the best practices for the use of the netflow codec, csv, geoip and other filters, whether there are tools to monitor Logstash I/O, whether you have some tips on how you work with ELK to get it working fast and efficiently (or any other useful tips), and whether there are limits to Logstash or Elasticsearch.
I know that there is a lot of information on the internet and that Google is my best friend, but I already spent a lot of time starting from zero to get where I am, and sometimes it's hard to understand everything I read... So maybe if we can discuss it, it will help me understand better and find the information I need to move forward!
At the same time, if you have some links that would be good for a newbie to read, it would be appreciated!
Thanks!
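The post mentions restricting Winlogbeat to the needed event IDs and Packetbeat to the needed IPs without showing how. The fragments below are an added illustration of that agent-side filtering, written for this page rather than taken from the poster's files; the Logstash hostname, the Windows event ID selection and the two monitored addresses are placeholders, and the list form of `packetbeat.protocols` assumes Beats 6 or later.

```yaml
# winlogbeat.yml (fragment, example only): ship just the logon and group
# membership events instead of the whole Security channel. The event IDs are
# standard Windows Security IDs (4624/4625 logon success/failure, 4634 logoff,
# 4672 special privileges, 4728/4732/4756 member added to a group,
# 4729/4733/4757 member removed); which ones you need is an assumption here.
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4634, 4672, 4728, 4729, 4732, 4733, 4756, 4757
    ignore_older: 72h        # do not backfill the whole log on first start

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # hypothetical Logstash host

---
# packetbeat.yml (fragment, example only): capture only traffic to/from the
# monitored PCs. bpf_filter is applied by the kernel packet filter, so packets
# that do not match never reach Packetbeat (or Logstash) at all.
packetbeat.interfaces.device: any
packetbeat.interfaces.bpf_filter: "host 10.0.0.21 or host 10.0.0.22"   # placeholder IPs

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols:
  - type: dns
    ports: [53]
  - type: http
    ports: [80, 8080]

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # hypothetical Logstash host
```

The reason to filter at the agent rather than in a Logstash `if`/`drop` filter is that an event dropped by Winlogbeat or a packet rejected by the BPF filter costs the single node nothing, whereas everything that reaches Logstash is decoded and evaluated first. NetFlow has no equivalent agent-side knob: exporters send every flow record and the `netflow` codec must decode all of them, which is why adding exporters tends to show up directly as Logstash CPU.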