β Q1 β Explain ELK data flow in real production setup.
Logs are generated by apps or nodes β shipped by agents like Filebeat/Fluent Bit β sent to Logstash (or directly to Elasticsearch) β parsed and enriched β stored in Elasticsearch indices β visualized and queried via Kibana. In Kubernetes, usually DaemonSet shippers are used. Buffering layer like Kafka is added at scale.
β Q2 β When do you use Logstash vs Beats directly to Elasticsearch?
Use Beats β Elasticsearch directly when logs are already structured and simple. Use Logstash when you need heavy parsing, enrichment, grok filters, or routing logic. Logstash adds flexibility but also latency and resource cost.
β Q3 β Log ingestion delay is high β how do you debug?
Check shipper backlog and CPU usage first. Then check Logstash pipeline throughput and queue size. Look for filter bottlenecks like heavy grok patterns. Also check Elasticsearch indexing pressure β slow indexing backs up pipeline.
β Q4 β What is grok filter and why is it risky at scale?
Grok parses unstructured logs using regex patterns. Itβs powerful but CPU expensive. Complex grok on high-volume logs can choke Logstash. Prefer structured JSON logs whenever possible.
β Q5 β Elasticsearch cluster is yellow β what does it mean?
Yellow means primary shards are allocated but replica shards are not. Data is available but not fully redundant. Usually caused by insufficient nodes or shard allocation rules. Itβs a warning, not outage β but risky.
β Q6 β Cluster is red β immediate meaning?
Red means some primary shards are unassigned β data unavailable. Queries will fail for those indices. I check shard allocation, node health, and disk space immediately. This is incident-level.
β Q7 β Elasticsearch disk is filling fast β what controls retention?
Index Lifecycle Management (ILM) policies control rollover and deletion. You define hot β warm β delete phases. Without ILM, indices grow forever. Retention must be enforced automatically.
β Q8 β Too many small indices β why is it bad?
Each index and shard has overhead in memory and file handles. Many small indices waste resources and slow cluster state updates. Better to use rollover strategy with controlled shard count.
β Q9 β What is shard sizing best practice?
Avoid very small or very large shards. Common target is ~20β50 GB per shard depending on workload. Oversharding hurts memory. Undersharding hurts parallelism.
β Q10 β Logs missing in Kibana but present on server β checks?
Check shipper logs first (Filebeat/Fluent Bit). Verify output destination and index name. Then check Logstash pipeline errors. Finally search raw index in Elasticsearch with wildcard query.
β Q11 β Logstash pipeline crashing β how debug?
Check Logstash logs and pipeline config syntax. Run config test mode before deploy. Look for grok failures or mapping conflicts. Enable dead letter queue if needed.
β Q12 β What is mapping conflict in Elasticsearch?
Same field has different data types across documents. Example: status as string in one log, number in another. Elasticsearch rejects documents then. Fix with index templates and consistent log structure.
β Q13 β Structured vs unstructured logs β which is better?
Structured JSON logs are far better. No grok needed, faster parsing, fewer errors. Querying is easier and safer. Modern best practice is structured logging at app level.
β Q14 β How do you scale Elasticsearch cluster?
Add more data nodes for storage and query load. Separate master nodes for cluster stability. Use dedicated ingest nodes if heavy pipelines. Scale based on shard and query pressure.
β Q15 β Master node overloaded β symptoms?
Cluster state updates slow, shard allocation delayed, elections unstable. Kibana may show cluster issues. Fix by using dedicated master nodes with enough memory and low heap pressure.
β Q16 β Heap sizing rule for Elasticsearch nodes?
Heap should be about 50% of RAM but below ~32GB. Above that loses compressed OOP advantage. Leave rest memory for OS cache β Elasticsearch relies heavily on filesystem cache.
β Q17 β How do you secure ELK stack?
Enable TLS between components. Use authentication and role-based access. Restrict index-level permissions. Never expose Elasticsearch directly to public internet.
β Q18 β High query latency in Kibana β where to look?
Check Elasticsearch query time and shard count first. Slow queries often hit too many shards. Optimize index pattern and time filters. Add index lifecycle rollover.
β Q19 β Difference between hot-warm architecture?
Hot nodes store recent, frequently queried data on fast disks. Warm nodes store older data on cheaper storage. ILM moves indices between tiers automatically. Saves cost at scale.
β Q20 β ELK vs Loki β when choose which?
ELK is full-text indexing and powerful search but heavy and costly. Loki is label-based, cheaper, and simpler for Kubernetes logs. Choose ELK when deep search and analytics needed. Choose Loki for lightweight cluster logging.