Dedicated Logstash Cluster

Andy · July 4, 2018, 1:14pm

Hi there,

currently I am using Logstash and the GELF plugin to send logfiles to Graylog.

So: Logstash -> GELF -> Graylog

Basically it works, but sometimes Logstash goes crazy and consumes almost all CPU resources - which is particularly bad on the production system. One reason for sure are very complex grok filters.

To take some load off the production machines and make them immune to Logstash hickups I’m thinking about makind a dedicated Logstash cluster.

So something like this:
Filebeat -> Logstash Cluster -> GELF -> Graylog

Question is: Shoud I put a message broker, e.g. Kafka or RabbitMQ, inbetween?

For example:
Filebeat -> Kafka -> Logstash Cluster -> GELF -> Graylog

Is there kinda reference architecture out there? It should be a fairly common problem and I don’t wanna reinvent the wheel.

cheers,
Frizz

jochen · July 4, 2018, 1:30pm

Why not get rid of Logstash altogether? Graylog has a Beats input.

Filebeat (or any beat) --(Beats protocol)--> Graylog

Andy · July 4, 2018, 1:49pm

Because I have lots of Logstash configuration files with complex filter definitions (grok, etc…).

I don’t wanna use Graylog extractors to do the (grok) filtering because
(a) there are lots of existing Logstash config files and it would be a huge effort to re-write them in graylog extractors.
(b) I’d have to upscale my graylog cluster (currently 3 nodes) to n nodes so that it can handle the additional grok filtering nodes. imho its cleaner from an architectural point of view to have a separate Logstash cluster to do this.

What do you think?

jochen · July 4, 2018, 2:25pm

Both options you’ve suggested in your original post are viable and each has some advantages and disadvantages over the other.

FWIW, I’d go with the option with the least number of moving parts (i. e. Filebeat → Logstash → Graylog).

Andy · July 4, 2018, 2:43pm

OK, understood. But to use multiple Logstash nodes I’d need some kind of load balancing inbetween, right? Maybe HAProxy or nginx?

So Filebeat -> LB -> Logstash(n nodes) -> Graylog

jochen · July 4, 2018, 2:50pm

Filebeat supports load-balancing with its Logstash output.

system · July 18, 2018, 2:50pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Adding Graylog to already existing ELK stack Graylog Central (peer support)	5	5582	March 26, 2018
Logstash -> F5 Load Balancer -> Graylog cluster persistence issue Graylog Central (peer support) sidecar , nxlog , nodatanx	9	2937	March 29, 2017
How to configure graylogs from logstash output Graylog Central (peer support)	3	9159	March 12, 2019
GELF UDP plugin configuration Graylog Central (peer support)	4	746	March 26, 2019
Filebeat -> Logstash -> Graylog (all SSL secured) Graylog Central (peer support)	10	3520	April 16, 2019

Dedicated Logstash Cluster

Related topics