Hey everyone,
we are still on version 8.x, since we still have self-monitoring enabled, but we want to move to version 9 as soon as possible.
For now we want to switch to agent based monitoring (AutoOps is a possibility we will look at). Our problem is that we do not fully understand the differences or use cases for cluster vs node mode.
About our cluster: in the first step we will have only 3 hot nodes in the cluster (all master eligible) - we plan with a 4th frozen node in the near future. Kibana and Fleet on separate machines.
- For this relatively small environment, what would be your recommendation - node or cluster mode?
- In the documentation it says that for cluster mode we need to give "a single endpoint for a distinct Elasticsearch cluster (for example, a load-balancing proxy fronting the cluster that directs requests to the master-ineligible nodes in the cluster)". Would this work if we do not have a load balancer in between - can we simply enter the address of one of the nodes? And why do I need to target it to a master-ineligible node? What if we only have master-eligible nodes at the moment, would this mean that we cannot use cluster mode?
- Is our understanding correct that in node mode all nodes will try to collect the cluster metrics from the elected master node and in our case would triple the workload for the master node? Will this data be "deduplicated", or will the cluster metrics be saved by all the nodes?
- How can I create redundancy, especially in the cluster mode, for cases where the one monitoring agent is not available?
I hope someone can share some insights into the differences between these modes and guide us in the right direction - since we are in the middle of the rollout of Defend to all our endpoints, there are some features in 9.x that I really would like to get as soon as possible...
Best regards and greetings from Germany,
Tobias