diff --git a/docs/role-logstash.md b/docs/role-logstash.md
index 1b4e4b78..d42f7da2 100644
--- a/docs/role-logstash.md
+++ b/docs/role-logstash.md
@@ -42,6 +42,7 @@ Role Variables
 * *logstash_manage_logging*: Manage log4j configuration (default: `false`)
 * *logstash_plugins*: List of plugins to install (default: none)
 * *logstash_certs_dir*: Path to certificates. Will be used to build paths of several files. (Default: `/etc/logstash/certs`)
+* *logstash_heap*: JVM heap size in GB (default: `1`). Elastic recommends 4-8 GB for typical ingestion and staying below 50-75% of physical memory. Keep it low when Logstash shares a host with Elasticsearch so they do not compete for memory.
 
 If `logstash.yml` is managed, the following settings apply.
 
diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml
index 88eead19..007a4d15 100644
--- a/roles/logstash/defaults/main.yml
+++ b/roles/logstash/defaults/main.yml
@@ -5,6 +5,8 @@ logstash_config_backup: no
 logstash_manage_yaml: true
 logstash_manage_logging: false
 
+logstash_heap: "1"
+
 # config items in yaml file #
 
 logstash_config_autoreload: true
diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml
index 4a1ab279..0ba06dee 100644
--- a/roles/logstash/tasks/main.yml
+++ b/roles/logstash/tasks/main.yml
@@ -138,6 +138,41 @@
     - configuration
     - logstash_configuration
 
+- name: Create systemd drop-in directory for Logstash
+  ansible.builtin.file:
+    path: /etc/systemd/system/logstash.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  tags:
+    - configuration
+    - logstash_configuration
+
+- name: Set Logstash JVM heap size via systemd drop-in
+  ansible.builtin.template:
+    src: jvm-heap.conf.j2
+    dest: /etc/systemd/system/logstash.service.d/heap.conf
+    owner: root
+    group: root
+    mode: "0644"
+  register: logstash_heap_dropin
+  notify:
+    - Restart Logstash
+  tags:
+    - configuration
+    - logstash_configuration
+
+# Reload systemd inline (not via handler) so a fresh install picks up the drop-in before
+# "Start Logstash" runs. Handlers only fire at the end of the play, which would be too late.
+- name: Reload systemd to apply Logstash heap drop-in
+  ansible.builtin.systemd:
+    daemon_reload: true
+  when: logstash_heap_dropin.changed
+  tags:
+    - configuration
+    - logstash_configuration
+
 - name: Configure Logstash logging
   ansible.builtin.template:
     src: log4j2.properties.j2
diff --git a/roles/logstash/templates/jvm-heap.conf.j2 b/roles/logstash/templates/jvm-heap.conf.j2
new file mode 100644
index 00000000..dcd69b6d
--- /dev/null
+++ b/roles/logstash/templates/jvm-heap.conf.j2
@@ -0,0 +1,5 @@
+# Managed by Ansible
+# Logstash has no jvm.options.d directory, and /etc/logstash/jvm.options is a package
+# config file. So we set the heap via LS_JAVA_OPTS in a systemd drop-in.
+[Service]
+Environment="LS_JAVA_OPTS=-Xms{{ logstash_heap }}g -Xmx{{ logstash_heap }}g"