Suggestion improving filebeat performance

max_dodo · October 27, 2017, 4:28am

My ELK setup goes like :
Filebeats --> Logstash(ingest nodes) --> Elasticsearch ( master + Datanodes ) --> Kibana

Recently we are observing a huge amount of delay in logfile ingestion ( 4 ~ 5 hr) . From the capacity perspective we have added enough horsepower ( large-machines: 10+ ingestnodes, 15+ datanodes ) . Per day total log size reaches upto 900gb. Multiple applications generating huge amount of logs.

Note- on a daily basis around 100+ logfiles are generated on a single server, each of 500mb size.

Our filebeat configuration is as below. Please suggest if anything can be modified or added to take care of this performance issue.

filebeat.prospectors:

paths:
- /<log_path>/application*.log
fields:
level: debug
review: 1
json.keys_under_root: true
json.overwrite_keys: true
harvester_buffer_size: 16384
scan_frequency: 5s
document_type: <document_type_name>
registry_file: .filebeat
spool_size: 20480
tail_files: false
idle_timeout: 5s
input_type: log
max_backoff: 10s
max_bytes: 10485760

logging:
files:
keepfiles: 5
name: filebeat.log
path: /var/log/filebeat-logs
rotateeverybytes: 10485760
level: info
to_files: true
to_syslog: false

output.logstash:
hosts:
- "VIP-address:port"

magnusbaeck · October 27, 2017, 9:57am

Start by analyzing the whole pipeline and figuring out where the bottleneck is. Looking at the CPU load on the machines should give you an indication. Is the load distributed reasonably evenly across the Logstash hosts?

max_dodo · October 27, 2017, 3:29pm

Thanks for the response Magnus, Checked the whole ELK pipeline, there is no concern about the resource utilization on any of the nodes ( LS, DN, MN ) - CPU utilization hovers from 5-10% and MEM utilization is also normal.

We notices few things

there are multiple json parsefailures which we see in the logstash nodes
the number of logfiles opened by the filebeat is large on each client nodes ( Harvester started for file )

Can any of these cause the delay in ingestion of logfiles ?

system · November 24, 2017, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
After upgrade to 5.6.3 Logstash processing much slower Logstash	1	616	November 24, 2017
Insufficient throughput from Filebeat Beats filebeat	18	10482	July 5, 2017
Filebeat - Log Processing Issues/Delay/Data Loss Beats filebeat	0	46	October 16, 2024
Slow performance Logstash/Filebeat Beats filebeat	7	1282	October 14, 2022
Filebeat performing better when reading multiple files rather the a single file Beats filebeat	3	931	May 12, 2020

Suggestion improving filebeat performance

filebeat.prospectors:

Related topics