Graylog-server instances in a federated structure

(Nico Zanferrari) #1

Hello, I’ve read about it in the FAQ section of the 2.2 documentation - but it’s not so clear to me. Could someone kindly explain it a little more?

In my case, I have two sites and I’m thinking about installing two servers that receive everything (one on each site). Then, they forward only what I really need to a third central one. Is there a way to automatically synchronize the configuration of the front line servers?

Thank you,

(Jochen) #2

You can use any configuration management solution, such as Puppet, Chef, or Ansible for this.

(Nico Zanferrari) #3

I see …

And what about the Graylog-server instances in a federated structure? Can you explain it?

Thank you

(Jochen) #4

See for a description of a load-balanced HA setup for Graylog.

How you’re going to implement that is completely up to you and your requirements.

(David) #5

Hello, I think I’m in the same case as @nicozanf.

Indeed, in this architecture (official documentation), each Graylog server speaks with the same Elasticsearch cluster.

My question is: is it possible to have two or more independent Graylog architectures (Graylog + Elasticsearch + MongoDB) which are requested by another Graylog server via HTTPS, in a sort of “master” role?

In fact, I will only use this Graylog server with the “master” role more as a frontend to request the other Graylog servers. There will be no connection to any Elasticsearch cluster or MongoDB replica set.

The reason is to save bandwidth, because some of them (sites on which I want to install an independent Graylog architecture) only use a VSAT connection and the RTT is high (~300-600ms). So I don’t want to impact them, and I want to avoid losing packets.

Thanks for your help! Graylog is a very nice and powerful application! :)


(Jochen) #6

No, that’s not possible.

(David) #7

Ok. Shorter is better…usually. Thanks.

(David) #8

Hello, I think the “Tribe” node could be a solution for us: Tribe-node

From what I understand, the tribe node creates a cluster that includes other clusters, to be able to read in an almost transparent way (depending on the latency of the network, of course).

What do you think? Is it compatible with Graylog?


(Jochen) #9

No, it’s not and it’s on the way out of Elasticsearch:

(David) #10

I didn’t know about this article, thank you for the link. Back to square one…