在Logstash Elasticsearch输出插件和Kibana中最好配置哪个Elasticsearch节点

Question

I have ELK stack with Elasticsearch, Logstash and kibana installed on 3 different instances.

Now I want to make 3 node cluster of Elasticsearch.

I will make one node as master and 2 data nodes.

I want to know in logstash config

elasticsearch {
    hosts => "http://es01:9200"

Which address I need to enter there master node or data node. and also if I have 3 master nodes then which address I need to write there.

similarly in kibana , I use

elasticsearch.url: es01:9200

In cluster env which url I need to use?

Answer 1

In general, the answer depends on your cluster data size and load.
Nevertheless, I'll try to answer your questions assuming the master node is not a data eligible node as well. This means it only takes care for cluster-wide actions such as creating or deleting an index, tracking which nodes are part of the cluster, and deciding which shards to allocate to which nodes. For this purposes, it is very recommended to have your master node as stable and less loaded as possible. So, in your logstash config I would put the addresses of your two data nodes as follows:

elasticsearch{
    hosts => ["http://es01:9200", "http://es02:9200"]
}

This confirmation maximize performance and fault tolerance as your master do not contain data and if one node failes it will continue to work with the other.

Please note that it is very recommended to have at least 3 master eligible nodes configured in Elasticsearch clusters since if you are loosing the (only) master node you loose data. 3 is to avoid split brain

Regarding kibana, since all nodes in the cluster "knows" each other. You basically can put any address in the cluster. But, for the same reasons as above it is recommended to fill one of your data nodes addresses.

For further reading, please refer to this documentation.

Hope I have managed to help!