Currently i have one cluster of LogStash nodes ,and fronted by a load-balancer with a fully qualified domain name. For the logstash configuration, i allows all beats to pipe their logs into a single port (by default its 5044)
My question is, is there any good practices on how logstash should be architect? Especially when it start to scale, having a single logstash might not be the best way to go.
Some options i was pondering
- Have multiple logstash cluster handling different beats/system inputs
- Have multiple ports within Logstash to handle different beats/system inputs
Advice/comments are appreciated! Thanks!