Possible to loadbalance Logstash via DNS?

I have a number of remote instances of Logstash that send logs over https to an Elasticsearch cluster.
I'm looking to find a way to loadbalance the requests across the nodes in the cluster ideally without having to specify separate subdomains for each and list them.
I'd have https://elk.mycluster.com with 2 DNS A records that point to and and the DNS provider will round-robin the requests across each.

That's rather than setting up a DNS of:
https://elk1.mycluster.com for
https://elk2.mycluster.com for
and setting the logstash output to use multiple targets like:

  elasticsearch {
    host => ["https://elk1.mycluster.com", "https://elk2.mycluster.com"]

What's the right way to go here?

Not sure it could work in your setup, but you could provide Logstash with a single host and use the sniffing parameter to have it auto-populate the list with all the hosts participating in that cluster.

Then Logstash would take care of the load-balancing itself.

Thanks Paris, are you able to say more about why it won't work? Just interested to understand before I change the architecture.


Off the top of my head, the 2 major concerns would be:

  1. Having dedicated master-eligible nodes in your cluster.
    Those nodes cannot handle bulk indexing requests but they are still included in the hosts list produced by the sniffing parameter.
    However, you need to explicitly define some nodes as master-eligible, so if you haven't, your nodes are most likely both master + data nodes and you should be fine.

  2. I'm not sure whether the sniffing option will return the IP of each node or it's hostname. If the latter, you should still need DNS resolution, so it might not be much easier it is than your initial idea.

Edit: By "initial idea" I mean having separate DNS records for each node and passing them onto the hosts lists. In any case you don't need any for of load balancing in front of your cluster, since Logstash will do that itself for all provided hosts.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.