Hi - just looking to sanity check a deployment we’re considering. We’re looking at dropping Splunk in favour of Graylog. Having run the OVA for a number of months as proof of concept, we’re now looking to move on and build something out.
Hoping to use some recently replaced VM Hosts, which would look like this:
Daily log rate will be ~30GB, retention required is 12 months. Logging Active Directory/DNS/DHCP logs, Windows Server security logs. 4 technicians will have access to Graylog but rarely at the same time.
The amount of RAM is overkill, considering that you will run into issues if you're providing Elastic with more than 32GB in the JVM heap. Also, you should really consider adding another Elastic node to avoid a split-brain situation from only having 2 Elastic nodes. The number of shards will be tricky.
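To make the split-brain point concrete, here is an added example of the `elasticsearch.yml` master-election settings for the cluster described above; it is not configuration from the original thread or from Graylog, and the hostnames, cluster name and the ES 5.x/6.x-era `discovery.zen.*` option names are assumptions (ES 7+ replaced them with `cluster.initial_master_nodes` and an automatic quorum).

```yaml
# elasticsearch.yml (same file on every master-eligible node; hostnames assumed)
cluster.name: graylog
node.master: true
node.data: true

# --- What a 2-node cluster forces you into (the weak setting) ---
# With only two master-eligible nodes there is no safe value:
#   minimum_master_nodes: 1  -> if the link between es01 and es02 drops, each
#                               node elects itself master and both keep
#                               accepting Graylog writes: split brain.
#   minimum_master_nodes: 2  -> losing either node leaves no quorum, so the
#                               whole cluster stops indexing.
# discovery.zen.ping.unicast.hosts: ["es01.example.internal", "es02.example.internal"]
# discovery.zen.minimum_master_nodes: 1

# --- Corrected: three master-eligible nodes, quorum = floor(3/2) + 1 = 2 ---
# A partition can isolate at most one node, which then cannot reach quorum
# and steps down instead of forming a second cluster.
discovery.zen.ping.unicast.hosts:
  - "es01.example.internal"
  - "es02.example.internal"
  - "es03.example.internal"
discovery.zen.minimum_master_nodes: 2
```

For the heap, keep each node's `-Xms`/`-Xmx` in `jvm.options` (or `ES_HEAP_SIZE` on 2.x) identical and below 32GB, for example 31g, so the JVM keeps using compressed object pointers; the remaining RAM on the host is still useful because Elasticsearch leans heavily on the OS filesystem cache for the Lucene segments, and Graylog's own JVM needs its share too.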
What is your active retention policy? Assuming you’ll be using LUN storage for that as opposed to the onboard storage.
Many thanks for the feedback, we'll look to salvage some RAM out of those machines and leave them with 64GB in that case. Hadn't heard of the split-brain situation previously but that makes complete sense, so will bring a 3rd ES node into the plan.
As I understood, the Open Source version does not have archiving (reserved for Enterprise?) so had assumed that the full 12 months would need to be active? Correct, would be looking to use LUN storage for this (the SAN is an EMC VNX5600).