Benjamin Kušen
January 11, 2024

Optimizing Your ELK Stack: 7 Ways To Better Production

Want to optimize your ELK stack? Here are seven ways to do so.

The ELK stack comprises four open-source projects: Elasticsearch, Logstash, Kibana, and Beats managed by Elastic. Elasticsearch is used for the search and analysis of all types of data and provides real-time data analysis features. Logstash gathers data from multiple sources, transforms the incoming data, and shares the output with elastic search for further analysis. Kibana allows us to visualize the data in elasticsearch and also monitor the ELK stack.

Beats is a lightweight mediator that gathers data from different machines and shares it with elasticsearch and logstash. ELK stack provides a scalable solution but deploying and maintaining the stack in a production environment comes with its own challenge. To get the most out of ELK stack we need to be aware of the deployment challenges and what we can do to address these challenges. This article will highlight the possible approaches to deal with various challenges.

1. Prevent Data Loss: The Buffering Approach

In EKS elasticsearch and logstash both are vulnerable to heavy traffic. There will be multiple scenarios like the holiday season, Christmas, or other events where heavy traffic is expected. In these situations, it is most likely possible for elasticsearch and logstash to experience downtime. In the usual setup, data is gathered by Firebeat before it is transferred to logstash and elastic search.

When data is transferred directly to elasticsearch and logstash in case of downtime data loss can be experienced. To avoid these situations we can add a buffer when transferring data from Firebeat. There are two ways to do that either by using kafka or a temporary file.

Apache Kafka is the most commonly used buffer in such situations. Filebeat inputs the data to Kafka and data stays there and is transferred at a manageable rate to Elasticsearch and Logstash. In cases when Elasticsearch and Logstash experience downtime, Kafka holds the data and sends the backlog again once the system is restored. This way we can prevent data loss using Kafka. However, there’s a downside to using Kafka as it requires continuous monitoring and scaling.

To avoid the additional processing time we can use a temporary file system to hold the data Elasticsearch and Logstash can’t handle. The file system approach requires additional disk space and won’t give real-time updates. Both Kafka and filesystem approaches can be used to prevent data loss and provide a resilient way to protect the data in ELK components.

2. Split the Elastic Stack into Components

A scalable Elastic stack is crucial for the overall success of the system. This can be ensured by carefully distributing the core components of the ELK stack. Using a single cluster to build all four components can hinder the scalability and flexibility of the overall system. All of these individual components have different requirements, for instance, Kibana is an interface component and it needs fewer resources while Logstash processes and transforms the data and needs more CPU and memory. Similarly to handle large data Elasticsearch requires more storage space. 

By deploying these components on individual clusters we can ensure that these won’t compete against each other for resources. Also, individual clusters can easily be scaled up and provide more flexibility. All these components can deliver the required results without interfering with each other.

3. Harness the Power of Dedicated Master Nodes

In a cluster master nodes perform tasks such as adding and removing nodes, health monitoring, and assigning shards. For master nodes to perform these operations it is advised to assign a dedicated server to them in a cluster. This provides the master nodes with sufficient CPU, memory, and storage to perform their tasks.

By having a designated master node in an EKS cluster we can improve the stability of the cluster. The master nodes will be responsible for managing the cluster’s state and coordinates with worker nodes. It is recommended to have at least one master node with an option to add more nodes. To ensure the high availability of the cluster it’s recommended to have three dedicated master nodes in a cluster to build a redundancy system.

This distributed approach makes sure that in case of any unforeseen events like maintenance issues, sudden failures or updates multiple master nodes keep the system alive and prevent downtime.

4. Review the Security of the EKS Cluster

The security of the EKS cluster should always be a high priority. The logs might contain sensitive information that can cause massive data breaches if mishandled. We have seen high-profile data breaches experienced by Microsoft and Decathlon in the past due to insecure pipelines. 

To make the Elastic stack components secure make sure it is up-to-date and has the necessary security features enabled. To ensure the secure EKS cluster user authentication and access controls should be implemented. The common authentication methods implemented by EKS are token-based authentication, basic authentication and single sign-on with SAML or OpenID connect. Custom authentication methods can also be developed and added to the Elastic stack. The encryption mechanism also provides a secure method for communication between Elastic stack components.

In case a hacker gets access to a physical cluster the encryption won’t allow the attacker to read or use any data. Make sure to use strong encryption methods and use regularly rotated keys. Regular monitoring of audit logs helps to identify any outlier user activity and it also reveals any unusual system event. This helps in reducing the risk of potential attacks. By disabling unnecessary elasticsearch features and enabling configurations to listen to private interfaces can also provide additional security.

In Logstash pipeline filtering and masking sensitive data can help to protect sensitive information. In Kibana reverse proxy techniques can be used along with session timeout and secure cookies to prevent outside attacks. 

5. Implement Index Lifecycle Management Policies

Managing indices in Elasticsearch is a critical and often challenging aspect of operation, as it dictates how your data is stored and managed throughout its life cycle.

In elasticsearch defining how data will be stored and managed is a critical step. Often managing indices is considered challenging during deployment. As a default hot tier nodes are used for storing data that needs frequent access. You can use a custom approach to break it further into tiers like warm, cold, and frozen data as per your requirements. This will also delete the outdated data automatically.

In elasticsearch index lifecycle management policies can be implemented to provide automated transitioning of indices across tiers and define policies on phase level.

Let’s look at Hot-Warm-Cold architecture and how data moves in this architecture.

  • Hot nodes are optimized for high performance as they deal with new data. These use robust storage for fast read and write operations.
  • Warm nodes handle data that is less frequently accessed and provide cost-effective storage.
  • Cold nodes store data that does not require updates and is not frequently accessed. 
  • Frozen nodes use searchable snapshots for long-term retention of rarely accessed data. This provides a cost-effective solution to deal with the least used data.

6. Use Infrastructure as Code Approach

To improve the efficiency of Elastic Stack it is recommended to automate the deployment and configuration of all components using infrastructure as code tools like Ansible or Terraform. By automating the manual resource management process the possibility of errors can be significantly improved.

The goal is to track the configuration elements such as schemas, YAML files, and Logstash rules in a version control-based system. This allows us to audit the changes and know the problem areas in case of errors. The CI/CD approach can help to test the system before deploying the components to production.

7. Continuous Monitoring of EKS

Managing the Elastic Stack presents various challenges, including the potential for data loss and performance issues that can hinder troubleshooting in business-critical applications. Consistent monitoring of EKS clusters is crucial to ensure that all components are running smoothly. This way we can avoid the risks of data loss and can improve the performance by identifying the issues earlier. To ensure monitoring it is recommended to monitor the logs and metrics of the ELK stack in a separate cluster to avoid data loss in case of downtime.

This added layer of monitoring introduces more data to collect, additional components to upgrade, and extra infrastructure to manage, thereby increasing the overall complexity of the system. Therefore, the setup should be designed to minimize complexity while providing comprehensive insights into the health and performance of the Elastic Stack. The monitoring layer can further complex the architecture so it should be set up in a way to deliver the insights with minimum complexity. For this Better Stack can be used which provides a log management service. This can collect the elasticsearch logs automatically and these parsed logs can be analyzed further to monitor cluster activity. Once you're collecting all your Elasticsearch metrics and logs in one place, you can set up custom dashboards to provide complete visibility into your clusters' health and performance, and quickly investigate potential issues.

By gathering logs and metrics associated with elasticsearch in one place a dashboard can be set up to visualize the cluster performance and identify potential issues. Better Stack provides features to monitor the elasticsearch metrics and generate alerts when issues are detected. These alerts will help to timely make informed decisions. 


The process of optimizing the Elastic Stack depends upon the use cases and limitations of a project. The strategies discussed in this article will help you improve the performance of your Elastic Stack in the production environment. The optimized solution can be achieved by continuously trying and improving the processes. To further expand your knowledge on this topic I suggest using learning resources by Elastic. 

Happy Learning!

Facing Challenges in Cloud, DevOps, or Security?
Let’s tackle them together!

get free consultation sessions

In case you prefer e-mail first:

Thank you! Your message has been received!
We will contact you shortly.
Oops! Something went wrong while submitting the form.
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information. If you wish to disable storing cookies, click here.