Logstash Monitoring - Core Operations

I have a question related to slide 452 in Core Operations. It mentions the following:

configure your Logstash nodes to send metrics to your
production cluster (not your Monitoring cluster):
xpack.monitoring.elasticsearch.url: "http://PRODUCTION:9200"
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "changeme"

As a best practice for monitoring ES prod machines, it is recommended to have a dedicated monitoring cluster so that metrics from different clusters can be shipped from prod machines and stored in a separate machine for various advantages. However, for Logstash monitoring, it is mentioned to send the Logstash metrics to the ES prod machine rather than the monitoring cluster. It's confusing. Can you please explain the reasoning?

Yes, this can be a bit confusing. By sending the logs to the Production cluster, that Production cluster will actually forward the data to the monitoring cluster. This will result in the Logstash monitoring data showing up as part of your Production cluster in Kibana.

If you would not do that, that Logstash data would show up in Kibana under a separate "monitoring" cluster.

The docs have a bit more info: https://www.elastic.co/guide/en/x-pack/current/monitoring-logstash.html (step 2).

Thanks for the explanation

The intention of having a dedicated server is not to load the production data with metrics or not to disturb it. So if we store these (Logstash) metrics in the prod server and the X-Pack monitoring agents ship them to the dedicated server, won't it be data duplication too in both prod and monitoring servers?

The intention of having a dedicated monitoring cluster is to make sure the monitoring data is available when the Production cluster goes down. The Production cluster being down would otherwise cause you not to be able to access the monitoring data, if you would store all of it in the same cluster.

The Logstash monitoring data will actually not be stored in the Production cluster. The Production cluster will forward it to the monitoring cluster, where the data will be stored. There is no data duplication.
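
The forwarding described in the answers above, shown as the two configuration files involved. This is an added example, not part of the original thread or the course slides: the `MONITORING` host name, the exporter id `to_monitoring`, the `monitoring_writer` user and its password placeholder are assumptions, while the `logstash.yml` lines are the ones quoted from the slide.

```yaml
# --- logstash.yml on each Logstash node (settings quoted from the slide) ---
# Logstash ships its metrics to the PRODUCTION cluster, so Kibana groups
# them under the Production cluster instead of a separate "monitoring" one.
xpack.monitoring.elasticsearch.url: "http://PRODUCTION:9200"
xpack.monitoring.elasticsearch.username: "logstash_system"
# "changeme" is the value shown on the slide; use the password that is
# actually set for logstash_system on the Production cluster.
xpack.monitoring.elasticsearch.password: "changeme"

# --- elasticsearch.yml on each PRODUCTION node ---
# An http exporter makes the Production cluster pass monitoring documents
# (its own and the ones received from Logstash) on to the monitoring cluster.
# With only an http exporter defined, the default local exporter is not used,
# so the monitoring documents are not indexed on Production.
xpack.monitoring.exporters:
  to_monitoring:                          # hypothetical exporter id
    type: http
    host: ["http://MONITORING:9200"]      # hypothetical monitoring cluster address
    auth.username: "monitoring_writer"    # hypothetical user on the monitoring cluster
    auth.password: "REPLACE_WITH_REAL_PASSWORD"   # placeholder, not a real value
```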
