I want to log System and Security events from Windows Servers (currently working with WinLogBeat, daily index for System and Security events). I also want to log Cisco devices (currently working: Cisco SysLog --> LogStash OSS --> Elasticsearch). And I want to log some TrendMicro products (SysLog).
Note: The short explanation above is only for test purposes, 1-3 devices. In the end, for production, it is going to be 1000+ devices.
It is roughly around 100GB a day. How many data nodes is optimal? I know that 3 masters are recommended, but how many data nodes? And how many primary shards, e.g., should I have?
Hoping for an answer.