Doubts about installation

Hi everyone,
After reading the documentation, I have the following doubts about the graylog installation:

  1. Is it better to install everything on a single virtual machine or subdivide? (graylog and mongodb on one vm and elasticsearch on another?)
  2. Size of disks? Unfortunately at the moment I’m not able to establish how much data will be acquired by the system, in any case it is possible to increase the size of the virtual disks.
  3. Using nginx as a reverse proxy, I thought of the following solution:

Thanks,
Greetings.

Can anyone help me?
Thanks.

@badrequest

You might get better/faster help if you outline some specific questions and not leave half-sentence questions in the room …

There is no answer to your first question, as you did not provide any additional information about what kind of setup you would like to build. The documentation already gives some idea of when to use what kind of setup.

Your second question can be answered with “yes, in some cases” - LVM might help with that, or you take Elasticsearch's ability to have data on different paths - no “that is better” or “choose this one” is possible without additional details.

Yes, NGINX can be used as a proxy.

Hi

The answer to questions 1 and 2 depends a lot on your hourly/daily log traffic. I maintain 3 different graylog clusters in the company: the smallest has barely 1000 logs daily, and the production cluster handles more than 150 Gigabytes of logs hourly.
As general guidance I can recommend separating graylog from the elasticsearch machines, especially if you can't estimate the log volume right now. When the elasticsearch cluster is managed as an isolated item, you have much more room to “play and scale” in case of need.
On elasticsearch data nodes, try to use a separate partition for elasticsearch data from the OS root partition, and put it on the fastest disks available. Avoid using NFS/CIFS at all cost.
I can personally recommend the combination of LVM and the XFS file system. This is a win-win combination, as you can resize your volume very fast without service interruption.
About NGINX - you can definitely use it as RP/SSL termination. I use AWS ALB for web access and AWS NLB for the log traffic distribution.

1 Like
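As an added illustration of the "NGINX as reverse proxy / SSL termination" point raised in the question and confirmed in both replies, here is a minimal NGINX server block for fronting the Graylog web interface. This is example configuration written for this thread, not the original poster's setup and not a Graylog-shipped file. It assumes Graylog's HTTP interface is bound to `127.0.0.1:9000` on the same host (so the unencrypted port is not reachable from the network), and that the hostname `graylog.example.org` and the certificate paths are placeholders to replace with your own.

```nginx
# Redirect plain HTTP to HTTPS so credentials and session tokens
# never travel unencrypted.
server {
    listen 80;
    server_name graylog.example.org;   # placeholder hostname
    return 301 https://$host$request_uri;
}

# TLS termination in front of Graylog.
server {
    listen 443 ssl http2;
    server_name graylog.example.org;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/graylog.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/graylog.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Pass the original host and client address through so Graylog
        # logs the real source IP rather than 127.0.0.1.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Tell the Graylog web interface which external URL it is served
        # under, so the browser talks to the proxy and not to port 9000.
        proxy_set_header X-Graylog-Server-URL https://$server_name/;

        # Graylog listens only on localhost (http_bind_address = 127.0.0.1:9000
        # in server.conf); the proxy is the only network-facing entry point.
        proxy_pass http://127.0.0.1:9000;
    }
}
```

Two points worth checking after applying something like this: `X-Graylog-Server-URL` must match the URL users actually type, otherwise the web interface will try to reach the backend directly on port 9000 and fail behind the proxy; and binding Graylog to `127.0.0.1` (plus a host firewall rule) is what makes the proxy an enforced boundary rather than an optional path, since an HTTP listener left on `0.0.0.0:9000` can be reached without TLS regardless of the NGINX configuration.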