How monitoring works

Monitoring collects data from Elasticsearch nodes, Logstash nodes, and Kibana instances.

In general, the Elasticsearch cluster you are monitoring controls where the monitoring metrics for the stack are stored. By default, they are stored in local indices.


In production, we strongly recommend using a separate monitoring Elasticsearch cluster. Using a separate monitoring cluster prevents production cluster outages from impacting your ability to access your monitoring data. It also prevents monitoring activities from impacting the performance of your production cluster. For the same reason, we also recommend using a separate Kibana instance that is connected to the separate monitoring cluster.

The following diagram illustrates a typical monitoring architecture with separate production and monitoring clusters:

A typical monitoring environment
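As an added example (not from the original page), the following `elasticsearch.yml` fragment for a production node shows the default local storage beside an HTTP exporter that ships metrics to a separate monitoring cluster over TLS. The exporter IDs, host names, CA path and password are placeholders, and the `remote_monitoring_user` account assumes version 6.5 or later.

```yaml
# elasticsearch.yml on each production node
# (added example; all values below are placeholders)

# Default behaviour: with no exporter defined, a "local" exporter writes
# monitoring data to indices on this same production cluster.
# That is equivalent to:
#
# xpack.monitoring.exporters:
#   default_local:
#     type: local

# Recommended for production: send the data to a separate monitoring
# cluster, so a production outage does not take the monitoring data with it.
xpack.monitoring.collection.enabled: true
xpack.monitoring.exporters:
  to_monitoring_cluster:            # exporter ID, chosen freely
    type: http
    host:
      - "https://es-mon-1.example.internal:9200"
      - "https://es-mon-2.example.internal:9200"
    auth:
      # Dedicated account on the monitoring cluster, used only for
      # shipping monitoring data (not an administrative user).
      username: remote_monitoring_user
      password: CHANGE_ME
    ssl:
      # CA that signed the monitoring cluster's HTTP certificates.
      certificate_authorities: ["/path/to/monitoring-ca.crt"]
```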

[beta] This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

In 6.4 and later, you can use Metricbeat to collect and ship data about Kibana, rather than routing it through Elasticsearch. In 6.5 and later, you can also use Metricbeat to collect and ship data about Elasticsearch. For example:

A typical monitoring environment that includes Metricbeat

If you have at least a gold license, you can route data from multiple production clusters to a single monitoring cluster. For more information about the differences between various subscription levels, see:


In general, the monitoring cluster and the clusters being monitored should be running the same version of the stack. A monitoring cluster cannot monitor production clusters running newer versions of the stack. If necessary, the monitoring cluster can monitor production clusters running older versions, but the versions cannot differ by more than one major version.

If you use Kibana to visualize data and administer the cluster, you might want to create a dedicated Kibana instance for monitoring, rather than using a single Kibana instance to access both your production cluster and monitoring cluster:

A separate Kibana instance accesses the monitoring cluster