Deployment sanity check

Hi - just looking to sanity-check a deployment we're considering. We're looking at dropping Splunk in favour of Graylog. Having run the OVA for a number of months as a proof of concept, we're now looking to move on and build something out.

Hoping to use some recently replaced VM Hosts, which would look like this:

| Host | CPU / RAM | Role | OS and storage |
|---|---|---|---|
| Server1 | (2) Opteron 6386E, 256GB RAM | Graylog/MongoDB | Ubuntu 18.04, (2) SAS 15k 146GB |
| Server2 | (2) Opteron 6386E, 256GB RAM | Elasticsearch node 1 | Ubuntu 18.04, (2) SAS 15k 146GB, 8TB LUN (FC SAN) |
| Server3 | (2) Opteron 6386E, 256GB RAM | Elasticsearch node 2 | Ubuntu 18.04, (2) SAS 15k 146GB, 8TB LUN (FC SAN) |

Daily log rate will be ~30GB, retention required is 12 months. Logging Active Directory/DNS/DHCP logs, Windows Server security logs. 4 technicians will have access to Graylog but rarely at the same time.

Does this sound feasible to those in the know?

Many thanks in advance

The amount of RAM is overkill, considering that you will run into issues if you're providing Elastic with more than 32GB in the JVM heap. Also, you should really consider adding another Elastic node to avoid a split-brain situation from only having 2 Elastic nodes. The number of shards will be tricky.

What is your active retention policy? Assuming you’ll be using LUN storage for that as opposed to the onboard storage.

Many thanks for the feedback; we'll look to salvage some RAM out of those machines and leave them with 64GB in that case. Hadn't heard of the split-brain situation previously, but that makes complete sense, so we will bring a 3rd ES node into the plan.

As I understood it, the Open Source version does not have archiving (reserved for Enterprise?), so I had assumed that the full 12 months would need to be active? Correct, we would be looking to use LUN storage for this (the SAN is an EMC VNX5600).

Kind regards
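The two threads of advice above (keep the Elasticsearch heap under the 32GB compressed-pointer threshold and run an odd number of master-eligible nodes so a quorum exists; and the question of how much of the 12-month retention has to stay active on the LUNs) can be turned into one quick capacity check. The script below is an added example written for this thread, not code from the original posts or from Graylog. It takes the figures posted (30GB/day, 12 months, 2 x 8TB LUNs, 256GB RAM per node) and reports heap size, quorum, storage required versus available, and the retention the disks can actually hold. The `on_disk_ratio` (index bytes per ingested byte), the `headroom` factor (staying under Elasticsearch's default 90% disk high watermark) and the "one index per day" rotation assumed in `total_shards` are assumptions to replace with measured values from the OVA proof of concept.

```python
"""Capacity sanity check for a small Graylog + Elasticsearch cluster.

Added example, not from the original thread. Ingest, retention, node count,
LUN size and RAM are the thread's figures; on_disk_ratio, headroom and the
one-index-per-day rotation are assumptions.
"""
from dataclasses import dataclass

GB_PER_TB = 1024  # binary TB, as df reports disk sizes


@dataclass
class Plan:
    daily_ingest_gb: float      # raw log volume per day
    retention_days: int         # days that must stay searchable (active)
    data_nodes: int             # Elasticsearch data nodes (all master-eligible here)
    node_capacity_tb: float     # usable LUN per data node
    node_ram_gb: float          # physical RAM per Elasticsearch node
    replicas: int = 1           # replica shards per primary (0 = no redundancy)
    on_disk_ratio: float = 1.0  # assumed: index bytes per ingested byte
    headroom: float = 0.85      # assumed: stay below ES's 90% disk high watermark


def recommended_heap_gb(ram_gb: float) -> int:
    """JVM heap: at most half of RAM and no more than 31 GB, so the JVM keeps
    compressed object pointers; RAM beyond that only feeds the OS page cache."""
    return int(min(ram_gb // 2, 31))


def minimum_master_nodes(master_eligible: int) -> int:
    """Quorum for the pre-7.x discovery.zen.minimum_master_nodes setting."""
    return master_eligible // 2 + 1


def tolerated_master_failures(master_eligible: int) -> int:
    """Master-eligible nodes that can fail while a quorum survives.
    With 2 nodes this is 0: either node going away stops elections, and
    setting the quorum to 1 instead is exactly the split-brain risk."""
    return master_eligible - minimum_master_nodes(master_eligible)


def required_storage_gb(plan: Plan) -> float:
    copies = 1 + plan.replicas
    return plan.daily_ingest_gb * plan.on_disk_ratio * plan.retention_days * copies


def usable_storage_gb(plan: Plan) -> float:
    return plan.data_nodes * plan.node_capacity_tb * GB_PER_TB * plan.headroom


def fits(plan: Plan) -> bool:
    return required_storage_gb(plan) <= usable_storage_gb(plan)


def max_retention_days(plan: Plan) -> int:
    """Longest active retention the disks can hold at this ingest rate."""
    per_day = plan.daily_ingest_gb * plan.on_disk_ratio * (1 + plan.replicas)
    return int(usable_storage_gb(plan) // per_day)


def total_shards(plan: Plan, shards_per_index: int) -> int:
    """Shard count if Graylog rotates one index per day and keeps
    retention_days indices plus the active one, each primary replicated."""
    indices = plan.retention_days + 1
    return indices * shards_per_index * (1 + plan.replicas)


def report(plan: Plan, shards_per_index: int = 1) -> dict:
    return {
        "heap_gb": recommended_heap_gb(plan.node_ram_gb),
        "minimum_master_nodes": minimum_master_nodes(plan.data_nodes),
        "tolerated_master_failures": tolerated_master_failures(plan.data_nodes),
        "required_storage_gb": round(required_storage_gb(plan)),
        "usable_storage_gb": round(usable_storage_gb(plan)),
        "fits": fits(plan),
        "max_retention_days": max_retention_days(plan),
        "total_shards": total_shards(plan, shards_per_index),
    }


if __name__ == "__main__":
    as_posted = Plan(daily_ingest_gb=30, retention_days=365, data_nodes=2,
                     node_capacity_tb=8, node_ram_gb=256)
    variants = [
        ("as posted: 2 nodes, 1 replica", as_posted),
        ("3 nodes, 1 replica", Plan(30, 365, 3, 8, 64)),
        ("3 nodes, no replicas", Plan(30, 365, 3, 8, 64, replicas=0)),
    ]
    for label, plan in variants:
        print(label)
        for key, value in report(plan).items():
            print(f"  {key}: {value}")
```

Run as posted, the check shows the 12 months do not fit on 2 x 8TB once every shard has a replica (about 21.9TB needed against roughly 13.9TB usable, or about 232 days of retention), and that with two master-eligible nodes a quorum of 2 tolerates no failure at all. A third 8TB node brings failure tolerance but still not a replicated year; dropping replicas fits but leaves a lost LUN unrecoverable, which is the trade-off to settle before sizing the index sets.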
