Graylog-server instances in a federated structure

nicozanf · 2017-03-20 13:20:05 UTC

Hello, I’ve read about it in the FAQ section of the 2.2 documentation - but it’s not so clear to me. Could someone kindly explain it a little more?

In my case, I have two sites and I’m thinking about installing two servers that receive everything (one on each site). Then, they forward only what I really need to a third central one. Is there a way to automatically synchronize the configuration of the front line servers?

Thank you,
Nico

jochen · 2017-03-20 14:18:50 UTC

You can use any configuration management solution, such as Puppet, Chef, or Ansible for this.

nicozanf · 2017-03-21 20:25:39 UTC

I see …

And what about the Graylog-server instances in a federated structure? Can you explain it?

Thank you

jochen · 2017-03-22 09:06:32 UTC

See http://docs.graylog.org/en/2.2/pages/architecture.html#bigger-production-setup for a description of a load-balanced HA setup for Graylog.

How you’re going to implement that is completely up to you and your requirements.

david · 2017-03-29 18:09:47 UTC

Hello, I think I’m in the same case than @nicozanf.

Indeed, in this architecture (official documentation), each graylog server speak with the same elasticsearch cluster.

My question is: is it possible to have two or more independant graylog architecture (graylog + elasticsearch + mongodb) which are requested by another graylog server via https, sort of “master” role?

In fact, I will only use this Graylog server with “master” role more than a frontend to request other graylog server. There will be not connection with any elasticsearch cluster or mongodb replica set.

The reason is to save bandwidth. Because, some of them (sites on which I want install an indepedant graylog archtecure) only use vsat connection and the RTT is high (~300-600ms). So I don’t want impact them and avoid to lost some packets.

Thanks for your help! Graylog is a very nice and powerfull application!

David

jochen · 2017-03-29 19:43:17 UTC

No, that’s not possible.

david · 2017-03-29 20:30:47 UTC

Ok. Shorter is better…usually. Thanks.

david · 2017-05-17 20:32:02 UTC

Hello, I think the “Tribe” node could be a solution for us: Tribe-node

From what I understand, the tribe node create a cluster that includes other clusters to be able to read in an almost transparent (depending the latency of network of course).

What do you think? It is compatible with Graylog?

David

jochen · 2017-05-18 07:12:38 UTC

No, it’s not and it’s on the way out of Elasticsearch: https://www.elastic.co/blog/tribe-nodes-and-cross-cluster-search-the-future-of-federated-search-in-elasticsearch

david · 2017-05-19 02:16:56 UTC

I didn’t know this article, thank you for the link. Back to square one…