Definitely have a call with Graylog sales/engineer to talk about your specifics.
I’m not sure what you were thinking in terms of “multi-node” but, seperating the Elasticsearch server from the Graylog server does not constitute a multi-node deployment, more of a distributed deployment, but I recommend it because serperating the 2 down road, I understand to be much more difficult than simply adding another graylog node and/or another elasticsearch node. So if you’re thinking of separating the 2 for performance purposes, simply follow the single node installation and install Java, Mongodb, and Graylog on your front end/ingest server, and then install Java and Elasticsearch on the Elasticsearch server. Then modify the server.conf file to tell Graylog where the Elasticsearch server is located.
10 GB/day ingest is a boundary where the specs for the server increase per Graylog guidelines, (Sales provided me the spec sheet and I’m sure they’ll provide it to you as well) but as a ballpark, for the Graylog front end, think about 8 cores and 8-16GB of RAM, and for elasticsearch, 8-16 cores and as much memory as you spare. 16-32 GB is about right.
As far as hard drive. if you are ingesting 10GB/day, and want to retain it for 6 months, rough calculations would be about 1.8TB of storage 180 days * 10GB/day. So round up to 2TB. SSD would be awesome, but at 10GB, 10k or 15k RPM HDD will work fine, assuming it’s part of a SAN or RAID. The archiving piece will allow you longer term storage and can be be compressed as well. It also can just be a standard network file share that resides on another server.
I started looking into having this on AWS/Azure, but there were a whole bunch of aspects I didn’t have the time to iron out, so I built mine locally and can always migrate down the road.
Hope that helps, Graylog sales is your best bet and they will be able to give you specific guidance.