I'm indexing Apache logs sent with filebeat (around 3000 documents per day). Although low amounts of data is still was using up all the CPU it could get:
Turns out it was a configuration problem:
I had started logstash as root at one point which changed the ownership of a lot of files.
This post was very helpful with identifying that, but in the end I was forced to backup my conf.d folder, then remove logstash with apt-get remove --purge, and finally remove all the configuration files.
Then, it still did not start, but now it threw another error at me. My SSL key was not readable by the logstash user. Moving that away from /etc/ssl/private to a directory below /etc/logstash/ and giving ownership to the logstash user solved that problem.
Now I can run logstash on one worker instead of 4 and the CPU is barely working. Hope that helps someone else!