Can SME's for Beats-Elastic chime in on this: what are the pros/cons that would help decide whether to deploy a single index vs. per-device index?
Effort required to set up on single vs. per-server?
Risks of using a single index?
In the interest of not feeling more pain down the road we'd like to make the right decision upfront...
Per device? So each server would have it's own index? Bad idea.... Very bad... I think this is the latest way An introduction to the Elastic data stream naming scheme | Elastic Blog
A per-device index approach was always a bad idea as it can lead to a cluster having many small indices.
Now with Elastic Agent and integrations it is even a worst idea as it would add a lot more of complexity to even get the logs in the cluster.
I would say that the way to go now is to use the Elastic Agent integrations when possible as it will keep the size of the shards close the recommendations (50 GB per shard).
If it is not possible to use Elastic Agent integrations, then you should try to use data streams and Index Lifecycle Policies to keep the shard sizes close the recommendations.
Of course, there would be no problem to group your devices into smaller parts, like store the data of all AD servers in the same index and things like that.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.