Hi,
In our setup we are collecting log files using Filebeat and sending these into Logstash for filtering/enrichment then onto Elasticsearch. This is working as intended (although having some unrelated issues with ILM 
). We are also looking to ship metrics into the stack using Metricbeat (Internal ES metrics, MySQL, Postgres, Nginx, HAProxy etc...).
My understanding is that we will need Ingest Nodes to archive this. I'm toying with the idea of running an ES Ingest node on the same physical server as Logstash but can't decide if this is the right approach VS adding the ingest role to our "hot" data nodes. I like the idea of Logstash/Ingest being on the same server from an architectural view, however I wonder what the performance impact would be of adding another 2 Elasticsearch nodes?
A simple overview of our setup is below:
3x es-master nodes
3x es-hot data nodes (10 core / 20 thread | 64GB RAM | SSD Storage)
3x es-warm data nodes (10 core / 20 thread | 64GB RAM | HDD Storage)
3x es-coordinator/kibana nodes
2x logstash servers (10 core / 20 thread | 32GB RAM | HDD Storage)
Is running Logstash and an Elasticsearch ingest node on the same server a reasonable suggestion or would the ingest role be better suited to our data node servers? Advice/suggestions/discussion appreciated and welcomed.
Thanks