We are in the process of upgrading our ELK stack to 7.6 and I need suggestions on configuration for network devices (Big IP LTM), for example.
The current config has one Logstash IP as the syslog server; in the event of a failure, the logs don't reach the Elasticsearch servers.
We have tried adding a second Logstash as a secondary server for syslog; however, this seems to generate duplicate entries in Kibana.
Is this a known behavior? How can we achieve redundancy using two Logstash servers for syslog devices?
Filebeat is working fine.