Distributed Querying

Is there an architecture suggestion or common configuration to set up distributed querying?

I have a HQ site and multiple Branch sites. I’d like to have a Graylog instance at each location for receiving local logs but I’d like to be able to build search queries from the HQ site that will query the Branch sites also.

I’m not interested in shipping logs across the WAN, I only want to query down to the branch sites.

Is this possible? Where can I find more information about this kind of setup?

With well-structured settings it is possible.
But there is no oven-ready solution for it.
If you understand the Graylog and Elasticsearch tasks and processes, it is possible.
And if you would like such a distributed infrastructure, you won't be able to administer it if you don't understand the modules, so I think if we gave you an oven-ready system, we would only postpone your problem.

Something to start:

  • Graylog works with independent nodes, so you can create many nodes, but they need a little communication between them (and the background MongoDB database for settings).
  • You can set rules for Elasticsearch indices, e.g. index A runs only on node A, etc.
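The second bullet above is Elasticsearch shard allocation filtering. The script below is an added example, not code from the thread or from the Graylog project: it tags each Elasticsearch node with a custom attribute and pins a Graylog index set to the nodes of one site. Everything named is an assumption: each node's elasticsearch.yml carries `node.attr.site: <site>`, the Graylog index set prefix is `branch_a`, the site value is also `branch_a`, and `ES_URL` points at any node of the single Elasticsearch cluster shared by HQ and the branches.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Graylog project): keep the shards of a
# Graylog-managed index set on the Elasticsearch nodes of one site using shard
# allocation filtering. Assumed (hypothetical) names: node attribute "site",
# index set prefix "branch_a", site value "branch_a".
set -euo pipefail

ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# Settings body: shards of the index may only be allocated to nodes whose
# "site" attribute equals the given value.
allocation_body() {
  local site="$1"
  printf '{"index.routing.allocation.require.site":"%s"}' "$site"
}

# Legacy index-template body: every future index of the set (prefix_0, prefix_1,
# ... created by Graylog's rotation) inherits the same allocation rule.
template_body() {
  local prefix="$1" site="$2"
  printf '{"index_patterns":["%s_*"],"settings":%s}' \
    "$prefix" "$(allocation_body "$site")"
}

# Pure helper: read "_cat/nodeattrs?h=node,attr,value" output on stdin and print
# the names of nodes whose site attribute equals $1.
site_nodes() {
  awk -v s="$1" '$2 == "site" && $3 == s { print $1 }'
}

# Pure helper: read "_cat/shards/<index>?h=node" output on stdin and print the
# shard hosts that are NOT in the newline-separated allow list $1. Blank lines
# (unassigned shards) are dropped. An empty allow list means every host is
# foreign; this guard matters because grep treats an empty pattern as match-all.
foreign_nodes() {
  local allowed="$1"
  if [ -z "$allowed" ]; then
    awk 'NF'
  else
    awk 'NF' | grep -vxF -f <(printf '%s\n' "$allowed") || true
  fi
}

# Apply the rule to an existing index (e.g. the set's current write index);
# Elasticsearch relocates any shard that currently sits on a foreign node.
pin_index() {
  local index="$1" site="$2"
  curl -sS -f -X PUT "$ES_URL/$index/_settings" \
    -H 'Content-Type: application/json' -d "$(allocation_body "$site")"
}

# Register the template so indices Graylog creates later stay on the site too.
pin_index_set() {
  local prefix="$1" site="$2"
  curl -sS -f -X PUT "$ES_URL/_template/${prefix}_site_allocation" \
    -H 'Content-Type: application/json' -d "$(template_body "$prefix" "$site")"
}

# Check: returns 0 when every assigned shard of the index is on a node of the
# site, 1 (with a message on stderr) otherwise.
verify_placement() {
  local index="$1" site="$2" allowed misplaced
  allowed=$(curl -sS -f "$ES_URL/_cat/nodeattrs?h=node,attr,value" | site_nodes "$site")
  if [ -z "$allowed" ]; then
    printf 'no node carries node.attr.site=%s\n' "$site" >&2
    return 1
  fi
  misplaced=$(curl -sS -f "$ES_URL/_cat/shards/$index?h=node" | foreign_nodes "$allowed")
  if [ -n "$misplaced" ]; then
    printf 'shards of %s outside site %s on: %s\n' "$index" "$site" "$misplaced" >&2
    return 1
  fi
}

# Usage: ./pin_site.sh <index-set-prefix> <site> <current-write-index>
# e.g.   ./pin_site.sh branch_a branch_a branch_a_0
# With no arguments nothing is executed, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
  pin_index_set "$1" "$2"
  pin_index "$3" "$2"
  verify_placement "$3" "$2"
fi
```

Two caveats for anyone trying this. Graylog manages its own index template per index set, so keep this extra template limited to the allocation keys to avoid fighting over mappings. And pinning shards keeps the stored data at the branch, but it does not remove the WAN dependency: a single Elasticsearch cluster stretched across sites still exchanges cluster state across the WAN, and a query from HQ still fans out to the branch shards and pulls the hits back.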

Thanks, I’ll start by investigating getting Graylog working on independent nodes.

Hi Tony,

It’s Taylor with Graylog!

Thanks for your post and welcome to the Graylog Community 🙂 Looks like you are already receiving tips from other members.

I also wanted to let you know Graylog Enterprise has a data forwarder that was built for distributed environments. Feel free to read more below:

You can try the data forwarder with the free Enterprise license up to 5 GB/day or we can work together, if you are interested, and have a larger environment:

