Hi, I'm a security engineer at FPT Cyber Security Division (one of the largest SIs in South-East Asia). From the beginning, I have been the solution architecture designer and technical consultant for my team. I can quickly brief you on our architecture: we are also using the ELK stack for data collection, ingestion and processing. Right now, we are running 3 Elasticsearch nodes and an HA cluster for Logstash to provide the best performance to our customer.
Regarding your problem, I think we can discuss it further to get more information, which can help me provide suggestions or even redesign your architecture, maybe implementing a few more ES nodes or even running Logstash in a high-availability model.