I have ES 4 servers running as such:
In Logstash's output setting for Elasticsearch, do I put the single IP of the client node? Or an array with all 4 nodes?
I think it depends on your indexing rate. If you index like 50 GB a day, then an array of node 2,3,4 or just the client node should be fine. Use Marvel to monitor node health and have a dedicated client node for indexing if you see any slowness on indexing node(s).
If you have more RAM per servers, you can also run multiple ES instances per server. A cluster is more stable if you have 3 dedicated master instances. In my case I have 3 master instances with heap size 4 GB each.
I even use a master node with 4 GB heap size to serve Kibana requests without any issues so far.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.