I have been working with Graylog for quite some time in my company. We have had a satisfactory and pleasant experience, to the point that we have decided to build a more robust infrastructure. As a result, we have a Graylog cluster (3 nodes of Graylog 2.5.1, a MongoDB v3.6.10 replica set and Elasticsearch 6.6.0), all running on Red Hat Linux 7.6.
We are using an Nginx load balancer for the inputs, and this is where I have doubts about the correct configuration.
We have several platforms that are integrated into Graylog, each with its own inputs and ports in global mode. The inputs are of various types, such as syslog UDP. So far I have no problems there; as far as I can see, they are working properly. But on the Beats-type inputs, I have noticed that the messages are not being distributed in a balanced way by Nginx: more than 90% of the received messages go to a single Graylog node.
What I am looking for is for the load to be distributed in equal proportions, and to know whether there is any way of seeing to what extent messages are being received by the nodes.
I am including here the Nginx configuration that is used to balance this entry.
As a last question: how would balancing work on the Sidecar agent itself? It currently points to the Nginx balancer, but we could configure the three Graylog nodes there instead of the balancer.