elk node type doc
220
Monitoring & Logging/ELK/02-Node-Types.md
Normal file
@@ -0,0 +1,220 @@
|
||||
# ELK Node Types
|
||||
## Overview
|
||||
|
||||
The ELK Stack (Elasticsearch, Logstash, Kibana) is commonly deployed using multiple node types (roles) to ensure scalability, performance, and resilience. This document outlines the main node types used in production-grade ELK deployments from a DevOps perspective.
|
||||
|
||||
---
|
||||
|
||||
## 1. Elasticsearch Node Types
|
||||
|
||||
Elasticsearch nodes can be assigned one or more roles. In production environments, roles are usually separated for stability and performance.
|
||||
|
||||
### 1.1 Master Node (Dedicated Master)
|
||||
|
||||
**Purpose:** Cluster coordination and management
|
||||
|
||||
Responsibilities:
|
||||
|
||||
* Manages cluster state
|
||||
* Controls shard allocation
|
||||
* Handles node joins and failures
|
||||
|
||||
Best Practices:
|
||||
|
||||
* Deploy 3 dedicated master nodes (odd number for quorum)
|
||||
* Do not assign data or ingest roles
|
||||
* Require minimal CPU and disk, but stable memory
|
||||
|
||||
Configuration:
|
||||
|
||||
```yaml
|
||||
node.roles: [ master ]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### 1.2 Data Nodes
|
||||
|
||||
**Purpose:** Store data and execute search and indexing operations
|
||||
|
||||
#### a. Hot Data Node
|
||||
|
||||
* Handles recent and high-traffic data
|
||||
* Requires fast SSD storage
|
||||
* Heavy indexing and querying workload
|
||||
|
||||
```yaml
|
||||
node.roles: [ data_hot ]
|
||||
```
|
||||
|
||||
#### b. Warm Data Node
|
||||
|
||||
* Stores less frequently accessed data
|
||||
* Moderate CPU and disk requirements
|
||||
|
||||
```yaml
|
||||
node.roles: [ data_warm ]
|
||||
```
|
||||
|
||||
#### c. Cold Data Node
|
||||
|
||||
* Stores rarely accessed data
|
||||
* Optimized for cost efficiency
|
||||
|
||||
```yaml
|
||||
node.roles: [ data_cold ]
|
||||
```
|
||||
|
||||
#### d. Frozen Data Node
|
||||
|
||||
* Archival data with searchable snapshots
|
||||
* Minimal local storage requirements
|
||||
|
||||
```yaml
|
||||
node.roles: [ data_frozen ]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### 1.3 Coordinating Node
|
||||
|
||||
**Purpose:** Query routing and result aggregation
|
||||
|
||||
Characteristics:
|
||||
|
||||
* No data storage
|
||||
* No master role
|
||||
* Acts as a load balancer for search requests
|
||||
|
||||
Use Case:
|
||||
|
||||
* Kibana and client applications connect to coordinating nodes
|
||||
|
||||
```yaml
|
||||
node.roles: [ ]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### 1.4 Ingest Node
|
||||
|
||||
**Purpose:** Data preprocessing before indexing
|
||||
|
||||
Responsibilities:
|
||||
|
||||
* Executes ingest pipelines
|
||||
* Performs grok parsing, enrichment, geoip, and transformations
|
||||
* Reduces load on data nodes
|
||||
|
||||
```yaml
|
||||
node.roles: [ ingest ]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### 1.5 Machine Learning Node
|
||||
|
||||
**Purpose:** Run machine learning jobs
|
||||
|
||||
Use Cases:
|
||||
|
||||
* Anomaly detection
|
||||
* Advanced analytics
|
||||
|
||||
```yaml
|
||||
node.roles: [ ml ]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### 1.6 Transform Node
|
||||
|
||||
**Purpose:** Data transformation and aggregation
|
||||
|
||||
Use Cases:
|
||||
|
||||
* Pivot and latest transforms
|
||||
* Pre-aggregated indices
|
||||
|
||||
```yaml
|
||||
node.roles: [ transform ]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 2. Logstash Node Types
|
||||
|
||||
Logstash does not use formal roles but is deployed based on function.
|
||||
|
||||
### 2.1 Ingest / Collector Nodes
|
||||
|
||||
* Receive data from Beats, syslog, Kafka, etc.
|
||||
* Minimal processing
|
||||
|
||||
### 2.2 Processing Nodes
|
||||
|
||||
* Perform heavy parsing and enrichment
|
||||
* CPU-intensive workloads
|
||||
|
||||
### 2.3 Output Nodes
|
||||
|
||||
* Focused on reliable delivery to Elasticsearch
|
||||
|
||||
---
|
||||
|
||||
## 3. Kibana Node Types
|
||||
|
||||
### 3.1 Kibana Server Node
|
||||
|
||||
* Provides UI and REST API
|
||||
* Stateless and horizontally scalable
|
||||
|
||||
### 3.2 Reporting / Task Manager Node
|
||||
|
||||
* Handles scheduled tasks and reporting
|
||||
* Often separated in large deployments
|
||||
|
||||
---
|
||||
|
||||
## 4. Beats and Agents (Edge Nodes)
|
||||
|
||||
Although not part of the core ELK stack, Beats are critical for data collection.
|
||||
|
||||
Common Beats:
|
||||
|
||||
* Filebeat: Log collection
|
||||
* Metricbeat: System and service metrics
|
||||
* Auditbeat: Security events
|
||||
* Heartbeat: Uptime and endpoint monitoring
|
||||
|
||||
---
|
||||
|
||||
## 5. Typical Production Architectures
|
||||
|
||||
### Small Cluster
|
||||
|
||||
* 3 nodes with combined roles (master, data, ingest)
|
||||
|
||||
### Medium to Large Cluster
|
||||
|
||||
* 3 Dedicated Master Nodes
|
||||
* Hot, Warm, and Cold Data Nodes
|
||||
* Dedicated Ingest Nodes
|
||||
* Coordinating Nodes
|
||||
* Optional ML and Transform Nodes
|
||||
|
||||
---
|
||||
|
||||
## 6. Node Role Summary
|
||||
|
||||
| Node Type | Purpose |
|
||||
| --------------------------- | ---------------------------- |
|
||||
| Master | Cluster coordination |
|
||||
| Data (Hot/Warm/Cold/Frozen) | Data storage and querying |
|
||||
| Coordinating | Query routing |
|
||||
| Ingest | Data preprocessing |
|
||||
| ML | Anomaly detection |
|
||||
| Transform | Data aggregation |
|
||||
| Logstash | Data pipeline |
|
||||
| Kibana | Visualization and management |
|
||||
|
||||
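Review bot: Section 1.2 documents only the tiered roles (`data_hot`, `data_warm`, `data_cold`, `data_frozen`), and the Medium to Large layout in section 5 is built from them, but nothing in the file mentions `data_content`. Elasticsearch requires a cluster to have either a generic `data` node or both `data_hot` and `data_content`, because system indices and other non-time-series indices are placed on the content tier. A cluster assembled from the snippets as written would have nowhere to allocate them. Suggest adding a short content-tier entry to 1.2, or showing the hot example as `node.roles: [ data_hot, data_content ]`, and listing the content tier in section 5. Separately, section 1.3 makes coordinating nodes the endpoint that "Kibana and client applications connect to" without saying anything about how that endpoint is protected. Since these are the nodes that face clients, a sentence pointing to the TLS and authentication settings for the HTTP layer, and noting that the other node types do not need to be reachable by clients, would fit there.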