I'm looking for some advice about my ELK stack before upgrading to 6.8, then to version 7.
I'm on version 6.7.1. I use ELK to aggregate Windows logs from different servers (DC, DNS, software logs, etc.). Few Linux so far, but it will grow with Auditbeat.
I have 4 nodes; the config is the following:
Site 1:
A : master
B : master+ingest+data (+kibana+logstash+curator)
Site 2:
C : master
D : ingest+data
B replicates data to D. I have configured snapshot volumes and I use Curator to take a snapshot of the Kibana indices every day.
Here is what I am thinking about for my stack:
Install a second Kibana on site 2. But is it possible to have load balancing between the 2 Kibana instances when they are not on the same network?
Install a node E with the data role, with the goal of having a third replication. The idea is to remove this node before upgrading to a new version.
The size of my data is 600 GB. I have ~60 GB per day and I delete old indices every day with Curator, so if I configure snapshots to back this up, do I really need storage for 600 GB + 60 GB every day? Is that correct?
Is it possible to have a second Logstash, i.e. on site 2, in case of a failure of the main Logstash?
Any other tips about my stack? Move Logstash to a server of its own, maybe?
Thank you for your advice and your experience with this useful software.