
Centralized logging (ELK stack) in Microservices - Scalability & System Analysis

Scalability Analysis - Centralized logging (ELK stack)
Growth Table: Centralized Logging with ELK Stack
Users / Services         | Log Volume      | Infrastructure Changes                                                                                                                        | Challenges
-------------------------|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------
100 users / 10 services  | ~10K logs/day   | Single ELK stack instance; basic log shipping                                                                                                 | Minimal latency; easy to manage
10K users / 100 services | ~1M logs/day    | Scale Elasticsearch cluster; add Logstash nodes; use Kafka for buffering                                                                      | Indexing delays; storage growth; query slowdowns
1M users / 1000 services | ~100M logs/day  | Multi-node Elasticsearch clusters with sharding; dedicated Kafka clusters; use Elasticsearch cross-cluster search                             | Storage cost; query performance; cluster management complexity
100M users / 10K services| ~10B logs/day   | Multiple ELK clusters per region; heavy use of data tiering and archival; advanced indexing strategies; use of cloud storage for cold data    | High operational cost; data retention policies; disaster recovery
First Bottleneck

The first bottleneck is usually the Elasticsearch cluster. As log volume grows, Elasticsearch struggles with indexing speed and query latency due to disk I/O and CPU limits.

Scaling Solutions
  • Horizontal Scaling: Add more Elasticsearch nodes and shard indices to distribute load.
  • Buffering: Use Kafka or similar message queues to decouple log producers from Elasticsearch ingestion.
  • Caching: Use Elasticsearch query caching and Kibana dashboards caching to reduce repeated query load.
  • Data Tiering: Move older logs to cheaper storage tiers or cold storage to reduce hot cluster load.
  • Index Lifecycle Management: Automate index rollover and deletion to manage storage efficiently.
  • Load Balancing: Distribute incoming log traffic evenly across Logstash or Beats agents.
  • Compression: Compress logs during transport and storage to save bandwidth and disk space.
Back-of-Envelope Cost Analysis
  • At 1M logs/day (~11.5 logs/sec), Elasticsearch indexing requires ~100-200 MB/s disk throughput.
  • Storage needed: Assuming 1 KB per log, 1M logs/day = ~1 GB/day; 1 year = ~365 GB.
  • Network bandwidth: For 1M logs/day, ~1 MB/s sustained bandwidth needed for log shipping.
  • CPU: Elasticsearch nodes need multiple cores (8+) for indexing and query processing at medium scale.
  • Memory: Elasticsearch benefits from large heap sizes (16-32 GB) for caching and indexing.
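To make the growth table and the back-of-envelope figures reproducible, here is an added capacity planner (example code, not part of the original page). It carries the page's own assumption of 1 KB per log through to daily storage, average shipping rate and a daily-rollover shard plan for each row of the table; the replica count and the 40 GB target shard size are assumed planning inputs, not values from the page.

```python
import math

BYTES_PER_KB = 1000          # page sizes logs at 1 KB and gets ~1 GB/day for 1M logs
BYTES_PER_GB = 1000 ** 3
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365


def size_pipeline(logs_per_day, bytes_per_log=BYTES_PER_KB, replicas=1,
                  retention_days=DAYS_PER_YEAR, target_shard_gb=40.0):
    """Derived sizing for one daily-rollover index per day of logs.

    replicas and target_shard_gb are assumed inputs (not from the page);
    the 40 GB shard target is the rollover threshold used here.
    """
    bytes_per_day = logs_per_day * bytes_per_log
    gb_per_day = bytes_per_day / BYTES_PER_GB
    # Primary shards so that a single day's index stays under the target size.
    primary_shards = max(1, math.ceil(gb_per_day / target_shard_gb))
    return {
        "logs_per_sec": logs_per_day / SECONDS_PER_DAY,
        # Average shipping rate only; log traffic is bursty, so provision headroom.
        "avg_ship_mb_per_sec": bytes_per_day / SECONDS_PER_DAY / 1e6,
        "gb_per_day": gb_per_day,
        # On-disk footprint over the retention window, replica copies included.
        "retained_gb": gb_per_day * (1 + replicas) * retention_days,
        "primary_shards_per_day": primary_shards,
        # Shards (primary + replica) the cluster holds across retention; this
        # count is what turns into the cluster-management pain in the table.
        "shards_in_cluster": primary_shards * (1 + replicas) * retention_days,
    }


# Constructed inputs: the four log-volume rows of the page's growth table.
GROWTH_ROWS = {
    "10 services": 10_000,
    "100 services": 1_000_000,
    "1000 services": 100_000_000,
    "10K services": 10_000_000_000,
}


def growth_table():
    return {label: size_pipeline(n) for label, n in GROWTH_ROWS.items()}


if __name__ == "__main__":
    for label, row in growth_table().items():
        print(f"{label:>13}: {row['logs_per_sec']:>9.1f} logs/s "
              f"{row['gb_per_day']:>9.2f} GB/day "
              f"{row['primary_shards_per_day']:>4} primaries/day "
              f"{row['shards_in_cluster']:>7} shards over retention")
```

The last row shows why the table moves to multiple clusters per region: 10B logs/day at 1 KB is 10 TB/day, which at 40 GB per shard means 250 primaries per daily index before replicas.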
Interview Tip

Start by explaining the data flow: microservices generate logs → logs are shipped via agents (Beats) → buffered by Kafka → processed by Logstash → stored in Elasticsearch → visualized in Kibana.

Discuss bottlenecks focusing on Elasticsearch indexing and query performance. Then propose scaling solutions like sharding, buffering, and data tiering. Mention cost trade-offs and operational complexity.

Self Check Question

Your Elasticsearch cluster handles 1000 queries per second (QPS). Traffic grows 10x to 10,000 QPS. What do you do first and why?

Answer: Add more Elasticsearch nodes and increase shard count to distribute indexing and query load horizontally. This prevents CPU and disk I/O bottlenecks and maintains query latency.

Key Result
Elasticsearch indexing and query performance is the first bottleneck as log volume grows; horizontal scaling with sharding, and buffering with Kafka, are the key levers for scaling the ELK stack for centralized logging.

Practice

1. What is the main purpose of the ELK stack in microservices architecture?
easy
A. To manage database transactions
B. To deploy microservices automatically
C. To collect, store, and visualize logs from multiple services in one place
D. To monitor network traffic between services

Solution

  1. Step 1: Understand ELK stack components

    ELK stands for Elasticsearch (storage), Logstash (processing), and Kibana (visualization), all focused on logs.
  2. Step 2: Identify ELK stack role in microservices

    It centralizes logs from many services to one place for easier monitoring and troubleshooting.
  3. Final Answer:

    To collect, store, and visualize logs from multiple services in one place -> Option C
  4. Quick Check:

    ELK stack = centralized logging [OK]
Hint: ELK = Elasticsearch + Logstash + Kibana for logs [OK]
Common Mistakes:
  • Confusing ELK with deployment tools
  • Thinking ELK manages databases
  • Assuming ELK monitors network traffic
2. Which of the following is the correct Docker Compose service name for running Elasticsearch in an ELK stack?
easy
A. elasticsearch
B. kibana
C. logstash
D. filebeat

Solution

  1. Step 1: Recall ELK stack components

    Elasticsearch stores logs, Logstash processes them, Kibana visualizes them, and Filebeat ships them.
  2. Step 2: Identify correct service name in Docker Compose

    The service running Elasticsearch is named "elasticsearch" in Docker Compose files.
  3. Final Answer:

    elasticsearch -> Option A
  4. Quick Check:

    Elasticsearch service = elasticsearch [OK]
Hint: Elasticsearch service is named 'elasticsearch' in Docker Compose [OK]
Common Mistakes:
  • Confusing Logstash or Kibana as Elasticsearch service
  • Using 'filebeat' as ELK core service
  • Misspelling service names
3. Given this Logstash configuration snippet:

    input {
      beats { port => 5044 }
    }
    output {
      elasticsearch { hosts => ["http://elasticsearch:9200"] }
    }

What happens when Logstash receives logs on port 5044?
medium
A. Logs are discarded because port 5044 is incorrect
B. Logs are sent to Elasticsearch at http://elasticsearch:9200
C. Logs are visualized directly by Kibana
D. Logs are stored locally on Logstash server

Solution

  1. Step 1: Analyze Logstash input configuration

    Logstash listens for logs from Beats agents on port 5044.
  2. Step 2: Analyze Logstash output configuration

    Logs received are forwarded to Elasticsearch at the specified host and port.
  3. Final Answer:

    Logs are sent to Elasticsearch at http://elasticsearch:9200 -> Option B
  4. Quick Check:

    Logstash input port 5044 forwards logs to Elasticsearch [OK]
Hint: Logstash input port 5044 sends logs to Elasticsearch host [OK]
Common Mistakes:
  • Assuming logs go directly to Kibana
  • Thinking port 5044 is invalid
  • Believing logs are stored locally on Logstash
4. You configured Logstash to receive logs on port 5044, but no logs appear in Elasticsearch. Which is the most likely cause?
medium
A. Docker Compose file is missing Kibana service
B. Kibana is not running
C. Logstash input port is set to 9200 instead of 5044
D. Elasticsearch service is down or unreachable

Solution

  1. Step 1: Check connectivity between Logstash and Elasticsearch

    If Elasticsearch is down or unreachable, Logstash cannot send logs to it.
  2. Step 2: Verify other options

    Kibana not running or missing does not stop logs from reaching Elasticsearch; wrong input port would prevent Logstash from receiving logs, not sending.
  3. Final Answer:

    Elasticsearch service is down or unreachable -> Option D
  4. Quick Check:

    Logs missing usually means Elasticsearch unreachable [OK]
Hint: Check Elasticsearch status if logs don't appear [OK]
Common Mistakes:
  • Blaming Kibana for missing logs in Elasticsearch
  • Confusing input port with Elasticsearch port
  • Ignoring Elasticsearch service health
5. You want to add a new microservice that sends logs to the ELK stack using Filebeat. Which steps should you take to ensure logs appear in Kibana?
hard
A. Install Filebeat on the microservice host, configure it to send logs to Logstash on port 5044, and verify Elasticsearch and Kibana are running
B. Install Kibana on the microservice host and configure it to collect logs directly
C. Configure Elasticsearch to pull logs from the microservice host automatically
D. Run Logstash on the microservice host and send logs directly to Kibana

Solution

  1. Step 1: Set up Filebeat on the microservice host

    Filebeat collects logs locally and forwards them to Logstash on port 5044.
  2. Step 2: Ensure ELK stack components are running

    Logstash processes logs, sends them to Elasticsearch, and Kibana visualizes them.
  3. Final Answer:

    Install Filebeat on the microservice host, configure it to send logs to Logstash on port 5044, and verify Elasticsearch and Kibana are running -> Option A
  4. Quick Check:

    Filebeat -> Logstash -> Elasticsearch -> Kibana [OK]
Hint: Filebeat sends logs to Logstash; Kibana visualizes them [OK]
Common Mistakes:
  • Trying to send logs directly to Kibana
  • Expecting Elasticsearch to pull logs automatically
  • Running Logstash on microservice host unnecessarily
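Questions 3 to 5 all hinge on the same hop-by-hop path (Filebeat -> Logstash on 5044 -> Elasticsearch at http://elasticsearch:9200 -> Kibana), and question 4 asks where to look first when nothing arrives. The following added diagnostic (example code, not from the page or from Elastic) reads the beats port and Elasticsearch hosts out of a Logstash pipeline config, using the snippet from question 3 as constructed input, probes each hop in data-flow order and names the first one that is down. The Logstash host name and the Kibana URL are assumed defaults.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed input: the one-line pipeline from practice question 3.
PIPELINE_CONF = (
    'input { beats { port => 5044 } } '
    'output { elasticsearch { hosts => ["http://elasticsearch:9200"] } }'
)


def parse_pipeline(conf):
    """Return (beats_port, [elasticsearch hosts]) from a Logstash config string."""
    port = re.search(r'beats\s*\{[^}]*port\s*=>\s*(\d+)', conf)
    hosts = re.search(r'elasticsearch\s*\{[^}]*hosts\s*=>\s*\[([^\]]*)\]', conf)
    if not port or not hosts:
        raise ValueError("config lacks a beats input or an elasticsearch output")
    return int(port.group(1)), re.findall(r'"([^"]+)"', hosts.group(1))


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(conf, logstash_host="logstash", kibana_url="http://kibana:5601",
             probe=tcp_open):
    """Probe each hop in data-flow order; probe(host, port) is injectable
    so the logic can be exercised offline (assumed default host names)."""
    port, hosts = parse_pipeline(conf)
    report = {f"logstash:{port}": probe(logstash_host, port)}
    for h in hosts:
        u = urlparse(h)
        report[h] = probe(u.hostname, u.port or 9200)
    k = urlparse(kibana_url)
    report[kibana_url] = probe(k.hostname, k.port or 5601)
    return report


def first_failure(report):
    """First unreachable hop in data-flow order, or None if all are up.
    Logstash up but Elasticsearch down is exactly the question 4 case."""
    return next((hop for hop, ok in report.items() if not ok), None)


if __name__ == "__main__":
    result = diagnose(PIPELINE_CONF)
    print(result, "-> first failure:", first_failure(result))
```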