Logstash consuming too much bandwidth

Elastic Stack Logstash
1

Hello,
I am sending logs from filebeat to Logstash and then from logstash to ElasticSearch.
The problem is Logstash is consuming too much bandwidth.I have attached network usage graph of logstash server.
(green is incoming from filebeat)

50%20PM
Screenshot 2019-07-15 at 11.20.50 PM.png1220×532 32.7 KB

In the starting I am just writing to file on Logstash server instead of sending to ElasticSearch.You can see the incoming rate.Then when I turn on ElasticSearch output.The incoming rate decreases and also outgoing is 10 times more data.
Can anyone help please.What configurations changes or hardware improvements should I make?

2

You may want to enable http_compression for the Elasticsearch output if you have not already.

3

Thank You for the reply
But why is my incoming data rate reduced when elasticsearch output is enabled?

4

Maybe Elasticsearch is not able to keep up, which results in back pressure being applied?

5

Currently I have 1 ingest node,1 master node and 2 data nodes.
I added persistent queues in logstash of 30 gb.They gets filled up quickly.
So the reason is mostly back pressure by ElasticSearch.
Do you have any suggestion how do I handle this?

6

I would recommend adding resources to the Elasticsearch cluster. What is the current hardware specification?

7

Ingest node:

Model name: Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz
Stepping: 3
CPU MHz: 3000.000
BogoMIPS: 6000.00
Hypervisor vendor: KVM
Virtualization type: full
L1d cache: 32K
L1i cache: 32K
L2 cache: 1024K
L3 cache: 25344K

Ram : 3.549 GB

Total disk : 31 GB

Data Node(2 x):

Ram : 31.548 GB
Total disk : 2.3 TB
Master Node

Ram : 3.549 GB

Total disk : 31 GB

8

Any suggestion?

9

Look at the logs @18:04, when the lines crossed. How many events per second were ingesting before that time?

I think you need to determine if you have an ingest error condition before assuming it's a capacity issue.

10

How do I check how many events ingested at that time ?

11

Kibana monitoring, if you had it enabled.

12

Hey,
I enabled http_compression on logstash.
Now that machines network monitoring looks like this

26%20PM
Screenshot 2019-07-29 at 7.59.26 PM.png1162×444 31.8 KB

The graph is MiB per minute
Green is receiving and yellow is transmitting.I don't understand why it is exactly asymmetric.I have done speed test on this machine and it can give speed upto 500 Mb/s download and 500 Mb/s upload speed.

13

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.