I would like some advice / tips about my idea to upgrade the ELK stack we are using.
At this moment, we have Elasticsearch 6.3.0, Kibana 6.3.0, Logstash 6.3.0 and Curator 5.6.
4 nodes:
Node 1 is Elasticsearch, Kibana, Logstash and Curator; it's a data, master and ingest node on site A
Node 2 is Elasticsearch and master on site A
Node 3 is Elasticsearch and master on site B
Node 4 is Elasticsearch and data on site B
No problem with replication of shards.
We are using the ELK stack to centralize our Windows logs and some Linux servers.
Winlogbeat and Filebeat are the most used beats. We have more than 400 GB of logs, so it's a small environment.
The first thing I have to do is to upgrade to the latest version (6.6.2) and extend the drives. I have done a test with another cluster, and it's OK.
But I was thinking of performing other tasks to improve this stack, and I'm looking for some tips/ideas:
- HTTPS: easy or not? We have a PKI; is it possible to keep sending data over HTTP until I change to HTTPS on each beat?
- Is there any problem with having a Logstash on site A and another Logstash on site B, all of them sending data to the same Elasticsearch data nodes?
- Is it possible to have two Kibana instances? How to handle this?
- Is it a good idea to separate Logstash from Elasticsearch?
- Is it possible for servers on site A to send data to Elasticsearch on site A, and servers on site B to send data to Elasticsearch on site B? I don't think it's a good idea, since the cluster will always replicate data to the other nodes; I'm just wondering about this idea.
- ElastAlert: I would like to use this to send alerts. Do we just have to run Docker to use this?
If you have other ideas, don't hesitate to share them with me.