I’m planning to review our current Graylog setup and would appreciate some architecture advice.
Basically we have two sites, SiteA (local) and SiteB (remote), connected over a poor-quality WAN link.
Therefore sending logs in real time over the WAN link isn’t feasible.
My idea is to have a VM in SiteB collecting, parsing and doing everything Graylog does, but have the WebUI hosted in SiteA. And in SiteA have the same thing set up for Graylog.
Ideally also have the WebUI in SiteA on a separate VM from the actual Graylog/ES/MongoDB.
I don’t want to load balance between Graylog VMs but simply have logs from each site sent to a local Graylog VM, with a central UI for all of those VMs.
I’ve read the doc but it’s not exactly the config I had in mind, thus my request here.
Thanks for the help!